LiveActive security incident?Get immediate response
CVE Record

CVE-2023-52835: perf/core: Bail out early if the request AUX area is out of bound

In the Linux kernel, the following vulnerability has been resolved: perf/core: Bail out early if the request AUX area is out of bound When perf-record with a large AUX area, e.g 4GB, it fails with: #perf record -C 0 -m ,4G -e arm_spe_0// -- sleep 1 failed to mmap with 12 (Cannot allocate memory) and it reveals a WARNING with __alloc_pages(): ------------[ cut here ]------------ WARNING: CPU: 44 PID: 17573 at mm/page_alloc.c:5568 __alloc_pages+0x1ec/0x248 Call trace: __alloc_pages+0x1ec/0x248 __kmalloc_large_node+0xc0/0x1f8 __kmalloc_node+0x134/0x1e8 rb_alloc_aux+0xe0/0x298 perf_mmap+0x440/0x660 mmap_region+0x308/0x8a8 do_mmap+0x3c0/0x528 vm_mmap_pgoff+0xf4/0x1b8 ksys_mmap_pgoff+0x18c/0x218 __arm64_sys_mmap+0x38/0x58 invoke_syscall+0x50/0x128 el0_svc_common.constprop.0+0x58/0x188 do_el0_svc+0x34/0x50 el0_svc+0x34/0x108 el0t_64_sync_handler+0xb8/0xc0 el0t_64_sync+0x1a4/0x1a8 'rb->aux_pages' allocated by kcalloc() is a pointer array which is used to maintains AUX trace pages. The allocated page for this array is physically contiguous (and virtually contiguous) with an order of 0..MAX_ORDER. If the size of pointer array crosses the limitation set by MAX_ORDER, it reveals a WARNING. So bail out early with -ENOMEM if the request AUX area is out of bound, e.g.: #perf record -C 0 -m ,4G -e arm_spe_0// -- sleep 1 failed to mmap with 12 (Cannot allocate memory)

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

This is a Linux kernel perf issue where an overly large AUX trace buffer request could trigger a kernel warning during memory allocation. The fix changes perf to reject out-of-bounds AUX requests earlier with an allocation error. The public record does not show remote exposure, active exploitation, CVSS, or business-impact detail.

Executive priority

Treat this as a kernel hygiene update rather than an emergency based on available evidence. Patch through normal kernel maintenance, with higher priority for shared systems where local users can invoke perf. No source in the bundle supports active exploitation or remote business exposure.

Technical view

The flaw is in Linux kernel perf/core AUX buffer handling. The AUX page pointer array allocated by kcalloc can exceed MAX_ORDER allocation limits, causing a warning in __alloc_pages during perf mmap handling. The resolved behavior bails out early with -ENOMEM when the requested AUX area is out of bounds.

Likely exposure

Exposure appears limited to Linux systems running affected kernel builds where local perf AUX tracing can be requested. The source example uses perf-record with ARM SPE on arm64. The bundle does not support remote, unauthenticated, or cross-platform exposure claims.

Exploitation context

The source bundle reports no KEV listing and provides no evidence of active exploitation. The described trigger is a local perf AUX mmap allocation path that produces a kernel warning and failed allocation, not a documented privilege escalation or data disclosure.

Researcher notes

The affected data is sparse and commit-focused. Analysis should center on perf_mmap, rb_alloc_aux, AUX page pointer array sizing, and MAX_ORDER allocation limits. Validate fixes by code review or vendor changelog rather than assuming kernel version strings alone prove remediation.

Mitigation direction

  • Check Linux distribution advisories for CVE-2023-52835 backports.
  • Update kernels to builds containing the referenced stable fixes.
  • Confirm vendor kernel packages include the perf/core early bounds check.
  • Prioritize systems where local users can run perf tracing.
  • Do not deploy kernel workarounds without vendor guidance.

Validation and detection

  • Inventory Linux kernel versions against the CVE affected version data.
  • Review vendor changelogs for CVE-2023-52835 or referenced commit IDs.
  • Check kernel logs for related perf AUX allocation warnings.
  • Confirm patched kernels return allocation failure without allocator warnings.
  • Document any systems awaiting vendor-fixed kernel packages.
Prepared
Confidence
medium
Sources
10

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2023-52835 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
2ADP providers
9Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux45bfb2e50471abbbfd83d40d28c986078b0d24ff, 45bfb2e50471abbbfd83d40d28c986078b0d24ff, 45bfb2e50471abbbfd83d40d28c986078b0d24ff, 45bfb2e50471abbbfd83d40d28c986078b0d24ff, 45bfb2e50471abbbfd83d40d28c986078b0d24ff, 45bfb2e50471abbbfd83d40d28c986078b0d24ff, 45bfb2e50471abbbfd83d40d28c986078b0d24ff, 45bfb2e50471abbbfd83d40d28c986078b0d24ffunaffected
LinuxLinux4.1, 0, 4.19.300, 5.4.262, 5.10.202, 5.15.140, 6.1.64, 6.5.13, 6.6.3, 6.7affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.