LiveActive security incident?Get immediate response
CVE Record

CVE-2023-52447: bpf: Defer the free of inner map when necessary

In the Linux kernel, the following vulnerability has been resolved: bpf: Defer the free of inner map when necessary When updating or deleting an inner map in map array or map htab, the map may still be accessed by non-sleepable program or sleepable program. However bpf_map_fd_put_ptr() decreases the ref-counter of the inner map directly through bpf_map_put(), if the ref-counter is the last one (which is true for most cases), the inner map will be freed by ops->map_free() in a kworker. But for now, most .map_free() callbacks don't use synchronize_rcu() or its variants to wait for the elapse of a RCU grace period, so after the invocation of ops->map_free completes, the bpf program which is accessing the inner map may incur use-after-free problem. Fix the free of inner map by invoking bpf_map_free_deferred() after both one RCU grace period and one tasks trace RCU grace period if the inner map has been removed from the outer map before. The deferment is accomplished by using call_rcu() or call_rcu_tasks_trace() when releasing the last ref-counter of bpf map. The newly-added rcu_head field in bpf_map shares the same storage space with work field to reduce the size of bpf_map.

MediumCVSS 6.7Not KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

A Linux kernel eBPF memory-management bug can let a highly privileged local actor trigger use-after-free conditions. Business urgency is moderate: it is not remotely reachable from the network, but kernel compromise can have severe confidentiality, integrity, and availability impact on exposed Linux hosts.

Executive priority

Treat as a scheduled but important kernel maintenance item. Escalate for shared infrastructure, container hosts, and security-sensitive Linux appliances because successful abuse affects the kernel, even though exploitation requires local high privilege.

Technical view

The flaw is in Linux BPF map-in-map handling. Updating or deleting an inner map could drop the final reference while non-sleepable or sleepable BPF programs still access it. The fix defers freeing until RCU and tasks-trace RCU grace periods elapse.

Likely exposure

Linux systems running affected kernel versions are relevant, especially where privileged users, services, or container contexts can exercise eBPF map functionality. The source bundle does not identify specific distributions beyond Debian LTS and Siemens advisories referencing the issue.

Exploitation context

The CVSS vector is local, low complexity, high privileges required, and no user interaction. The bundle marks KEV false and provides no evidence of active exploitation or public weaponization.

Researcher notes

This is CWE-416 use-after-free in BPF inner map lifetime handling. The fix changes release behavior to defer map_free through RCU mechanisms. Evidence does not support remote exposure, unauthenticated exploitation, or active exploitation claims.

Mitigation direction

  • Update affected Linux kernels using distribution or vendor guidance.
  • Prioritize vendor builds containing the referenced Linux stable fixes.
  • Review Debian LTS and Siemens advisories if those ecosystems apply.
  • Restrict unnecessary high-privilege local access on Linux hosts.
  • Check whether eBPF exposure is needed for workloads.

Validation and detection

  • Inventory Linux kernel versions across servers, appliances, and container hosts.
  • Compare installed kernels with vendor advisories for CVE-2023-52447.
  • Confirm patched kernels include the referenced upstream stable commits.
  • Review privileged local accounts and services with BPF-related capabilities.
  • Track vendor advisories where kernel versions are appliance-managed.
Prepared
Confidence
high
Sources
10

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-416: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2023-52447 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
6.7 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
3Timeline events
3ADP providers
9Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: pocAutomatable: noTechnical Impact: total

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
6.7CVSS 3.1MediumCVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H0.85.9CISA-ADP

Vulnerability scoring details

Base CVSS 3.1 score

6.7Medium
CVSS 3.1 vector shape for CVE-2023-52447Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
cvssV3_1other:ssvc
CVECVE Program Container
siemens-SADPADP container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxbba1dc0b55ac462d24ed1228ad49800c238cd6d7, bba1dc0b55ac462d24ed1228ad49800c238cd6d7, bba1dc0b55ac462d24ed1228ad49800c238cd6d7, bba1dc0b55ac462d24ed1228ad49800c238cd6d7, bba1dc0b55ac462d24ed1228ad49800c238cd6d7, bba1dc0b55ac462d24ed1228ad49800c238cd6d7unaffected
LinuxLinux5.9, 0, 5.10.214, 5.15.153, 6.1.75, 6.6.14, 6.7.2, 6.8affected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-416 · source CWE mapping

Use After Free

Use After Free represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.