CVE-2023-52828: bpf: Detect IP == ksym.end as part of BPF program
In the Linux kernel, the following vulnerability has been resolved:
bpf: Detect IP == ksym.end as part of BPF program
Now that bpf_throw kfunc is the first such call instruction that has
noreturn semantics within the verifier, this also kicks in dead code
elimination in unprecedented ways. For one, any instruction following
a bpf_throw call will never be marked as seen. Moreover, if a callchain
ends up throwing, any instructions after the call instruction to the
eventually throwing subprog in callers will also never be marked as
seen.
The tempting way to fix this would be to emit extra 'int3' instructions
which bump the jited_len of a program, and ensure that during runtime
when a program throws, we can discover its boundaries even if the call
instruction to bpf_throw (or to subprogs that always throw) is emitted
as the final instruction in the program.
An example of such a program would be this:
do_something():
...
r0 = 0
exit
foo():
r1 = 0
call bpf_throw
r0 = 0
exit
bar(cond):
if r1 != 0 goto pc+2
call do_something
exit
call foo
r0 = 0 // Never seen by verifier
exit //
main(ctx):
r1 = ...
call bar
r0 = 0
exit
Here, if we do end up throwing, the stacktrace would be the following:
bpf_throw
foo
bar
main
In bar, the final instruction emitted will be the call to foo, as such,
the return address will be the subsequent instruction (which the JIT
emits as int3 on x86). This will end up lying outside the jited_len of
the program, thus, when unwinding, we will fail to discover the return
address as belonging to any program and end up in a panic due to the
unreliable stack unwinding of BPF programs that we never expect.
To remedy this case, make bpf_prog_ksym_find treat IP == ksym.end as
part of the BPF program, so that is_bpf_text_address returns true when
such a case occurs, and we are able to unwind reliably when the final
instruction ends up being a call instruction.
Security readout for executives and security teams
Plain-English summary
CVE-2023-52828 is a Linux kernel BPF flaw that can make the kernel misclassify the boundary of a JIT-compiled BPF program during stack unwinding. The source describes a panic scenario, so business impact is mainly local system instability on affected Linux systems where users or processes can load BPF programs.
Executive priority
Handle as a normal-priority kernel maintenance item, higher on shared hosts or systems allowing BPF use by non-administrative workloads. There is no provided evidence of active exploitation, but the issue can affect kernel reliability and should be closed through routine patching.
Technical view
The bug is in Linux kernel BPF handling around bpf_throw noreturn semantics and dead-code elimination. When a final emitted instruction is a call, the return address can equal ksym.end and fall outside jited_len. The fix treats IP == ksym.end as part of the BPF program so unwinding recognizes the BPF text address reliably.
Likely exposure
Exposure is limited to Linux systems running affected kernel builds with BPF available to local users or processes. The CVSS vector is local, low complexity, low privileges, and no user interaction. Internet-facing services are not directly exposed unless an attacker already has local execution or equivalent access.
Exploitation context
The source bundle does not show CISA KEV listing or any cited evidence of active exploitation. The described failure mode is local and kernel-level, involving crafted BPF program behavior and stack unwinding. Treat exploitability as plausible but unconfirmed from the provided evidence.
Researcher notes
Key validation is whether the target kernel contains the stable change making bpf_prog_ksym_find treat IP == ksym.end as in-program. The bundle’s affected-version data is incomplete in simplified form, so rely on kernel commit presence and vendor package advisories rather than version strings alone.
Mitigation direction
Update to a vendor-supported Linux kernel containing the referenced stable fixes.
Check distribution advisories for backported fixes matching CVE-2023-52828.
Restrict BPF program loading to trusted users and services where possible.
Prioritize shared Linux hosts and platforms running BPF-based observability or security tooling.
Validation and detection
Inventory Linux kernel versions across servers, workstations, and container hosts.
Confirm whether the kernel includes the referenced BPF stable fix commit.
Review local policy for users or services allowed to load BPF programs.
Check vulnerability scanner results against distribution-specific kernel package advisories.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2023-52828 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.