LiveActive security incident?Get immediate response
CVE Record

CVE-2023-52828: bpf: Detect IP == ksym.end as part of BPF program

In the Linux kernel, the following vulnerability has been resolved: bpf: Detect IP == ksym.end as part of BPF program Now that bpf_throw kfunc is the first such call instruction that has noreturn semantics within the verifier, this also kicks in dead code elimination in unprecedented ways. For one, any instruction following a bpf_throw call will never be marked as seen. Moreover, if a callchain ends up throwing, any instructions after the call instruction to the eventually throwing subprog in callers will also never be marked as seen. The tempting way to fix this would be to emit extra 'int3' instructions which bump the jited_len of a program, and ensure that during runtime when a program throws, we can discover its boundaries even if the call instruction to bpf_throw (or to subprogs that always throw) is emitted as the final instruction in the program. An example of such a program would be this: do_something(): ... r0 = 0 exit foo(): r1 = 0 call bpf_throw r0 = 0 exit bar(cond): if r1 != 0 goto pc+2 call do_something exit call foo r0 = 0 // Never seen by verifier exit // main(ctx): r1 = ... call bar r0 = 0 exit Here, if we do end up throwing, the stacktrace would be the following: bpf_throw foo bar main In bar, the final instruction emitted will be the call to foo, as such, the return address will be the subsequent instruction (which the JIT emits as int3 on x86). This will end up lying outside the jited_len of the program, thus, when unwinding, we will fail to discover the return address as belonging to any program and end up in a panic due to the unreliable stack unwinding of BPF programs that we never expect. To remedy this case, make bpf_prog_ksym_find treat IP == ksym.end as part of the BPF program, so that is_bpf_text_address returns true when such a case occurs, and we are able to unwind reliably when the final instruction ends up being a call instruction.

MediumCVSS 6.6Not KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2023-52828 is a Linux kernel BPF flaw that can make the kernel misclassify the boundary of a JIT-compiled BPF program during stack unwinding. The source describes a panic scenario, so business impact is mainly local system instability on affected Linux systems where users or processes can load BPF programs.

Executive priority

Handle as a normal-priority kernel maintenance item, higher on shared hosts or systems allowing BPF use by non-administrative workloads. There is no provided evidence of active exploitation, but the issue can affect kernel reliability and should be closed through routine patching.

Technical view

The bug is in Linux kernel BPF handling around bpf_throw noreturn semantics and dead-code elimination. When a final emitted instruction is a call, the return address can equal ksym.end and fall outside jited_len. The fix treats IP == ksym.end as part of the BPF program so unwinding recognizes the BPF text address reliably.

Likely exposure

Exposure is limited to Linux systems running affected kernel builds with BPF available to local users or processes. The CVSS vector is local, low complexity, low privileges, and no user interaction. Internet-facing services are not directly exposed unless an attacker already has local execution or equivalent access.

Exploitation context

The source bundle does not show CISA KEV listing or any cited evidence of active exploitation. The described failure mode is local and kernel-level, involving crafted BPF program behavior and stack unwinding. Treat exploitability as plausible but unconfirmed from the provided evidence.

Researcher notes

Key validation is whether the target kernel contains the stable change making bpf_prog_ksym_find treat IP == ksym.end as in-program. The bundle’s affected-version data is incomplete in simplified form, so rely on kernel commit presence and vendor package advisories rather than version strings alone.

Mitigation direction

  • Update to a vendor-supported Linux kernel containing the referenced stable fixes.
  • Check distribution advisories for backported fixes matching CVE-2023-52828.
  • Restrict BPF program loading to trusted users and services where possible.
  • Prioritize shared Linux hosts and platforms running BPF-based observability or security tooling.

Validation and detection

  • Inventory Linux kernel versions across servers, workstations, and container hosts.
  • Confirm whether the kernel includes the referenced BPF stable fix commit.
  • Review local policy for users or services allowed to load BPF programs.
  • Check vulnerability scanner results against distribution-specific kernel package advisories.
Prepared
Confidence
medium
Sources
8

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2023-52828 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
6.6 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
3Timeline events
2ADP providers
7Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
6.6CVSS 3.1MediumCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L1.84.7CISA-ADP

Vulnerability scoring details

Base CVSS 3.1 score

6.6Medium
CVSS 3.1 vector shape for CVE-2023-52828Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
cvssV3_1other:ssvc
CVECVE Program Container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux74451e66d516c55e309e8d89a4a1e7596e46aacd, 74451e66d516c55e309e8d89a4a1e7596e46aacd, 74451e66d516c55e309e8d89a4a1e7596e46aacd, 74451e66d516c55e309e8d89a4a1e7596e46aacd, 74451e66d516c55e309e8d89a4a1e7596e46aacd, 74451e66d516c55e309e8d89a4a1e7596e46aacdunaffected
LinuxLinux4.11, 0, 5.10.202, 5.15.140, 6.1.64, 6.5.13, 6.6.3, 6.7affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.