CVE-2023-52447: bpf: Defer the free of inner map when necessary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Defer the free of inner map when necessary
When updating or deleting an inner map in map array or map htab, the map
may still be accessed by non-sleepable program or sleepable program.
However bpf_map_fd_put_ptr() decreases the ref-counter of the inner map
directly through bpf_map_put(), if the ref-counter is the last one
(which is true for most cases), the inner map will be freed by
ops->map_free() in a kworker. But for now, most .map_free() callbacks
don't use synchronize_rcu() or its variants to wait for the elapse of a
RCU grace period, so after the invocation of ops->map_free completes,
the bpf program which is accessing the inner map may incur
use-after-free problem.
Fix the free of inner map by invoking bpf_map_free_deferred() after both
one RCU grace period and one tasks trace RCU grace period if the inner
map has been removed from the outer map before. The deferment is
accomplished by using call_rcu() or call_rcu_tasks_trace() when
releasing the last ref-counter of bpf map. The newly-added rcu_head
field in bpf_map shares the same storage space with work field to
reduce the size of bpf_map.
Security readout for executives and security teams
Plain-English summary
A Linux kernel eBPF memory-management bug can let a highly privileged local actor trigger use-after-free conditions. Business urgency is moderate: it is not remotely reachable from the network, but kernel compromise can have severe confidentiality, integrity, and availability impact on exposed Linux hosts.
Executive priority
Treat as a scheduled but important kernel maintenance item. Escalate for shared infrastructure, container hosts, and security-sensitive Linux appliances because successful abuse affects the kernel, even though exploitation requires local high privilege.
Technical view
The flaw is in Linux BPF map-in-map handling. Updating or deleting an inner map could drop the final reference while non-sleepable or sleepable BPF programs still access it. The fix defers freeing until RCU and tasks-trace RCU grace periods elapse.
Likely exposure
Linux systems running affected kernel versions are relevant, especially where privileged users, services, or container contexts can exercise eBPF map functionality. The source bundle does not identify specific distributions beyond Debian LTS and Siemens advisories referencing the issue.
Exploitation context
The CVSS vector is local, low complexity, high privileges required, and no user interaction. The bundle marks KEV false and provides no evidence of active exploitation or public weaponization.
Researcher notes
This is CWE-416 use-after-free in BPF inner map lifetime handling. The fix changes release behavior to defer map_free through RCU mechanisms. Evidence does not support remote exposure, unauthenticated exploitation, or active exploitation claims.
Mitigation direction
Update affected Linux kernels using distribution or vendor guidance.
Prioritize vendor builds containing the referenced Linux stable fixes.
Review Debian LTS and Siemens advisories if those ecosystems apply.
Restrict unnecessary high-privilege local access on Linux hosts.
Check whether eBPF exposure is needed for workloads.
Validation and detection
Inventory Linux kernel versions across servers, appliances, and container hosts.
Compare installed kernels with vendor advisories for CVE-2023-52447.
Confirm patched kernels include the referenced upstream stable commits.
Review privileged local accounts and services with BPF-related capabilities.
Track vendor advisories where kernel versions are appliance-managed.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-416: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
3Timeline events
3ADP providers
9Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: pocAutomatable: noTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-416 · source CWE mapping
Use After Free
Use After Free represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.