LiveActive security incident?Get immediate response
CVE Record

CVE-2023-52941: can: isotp: split tx timer into transmission and timeout

In the Linux kernel, the following vulnerability has been resolved: can: isotp: split tx timer into transmission and timeout The timer for the transmission of isotp PDUs formerly had two functions: 1. send two consecutive frames with a given time gap 2. monitor the timeouts for flow control frames and the echo frames This led to larger txstate checks and potentially to a problem discovered by syzbot which enabled the panic_on_warn feature while testing. The former 'txtimer' function is split into 'txfrtimer' and 'txtimer' to handle the two above functionalities with separate timer callbacks. The two simplified timers now run in one-shot mode and make the state transitions (especially with isotp_rcv_echo) better understandable.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2023-52941 is a Linux kernel CAN ISO-TP networking issue found by syzbot. The bug involved one transmit timer handling both frame spacing and timeout monitoring, creating problematic state handling and a potential kernel warning. Business impact appears most relevant to Linux systems using CAN bus communication, such as automotive, embedded, or industrial environments.

Executive priority

Treat as a targeted kernel maintenance issue, not a broad internet emergency. Prioritize environments where Linux controls or monitors CAN bus systems. Patch through normal kernel update processes, with higher urgency for safety-adjacent embedded or operational technology deployments.

Technical view

The Linux kernel ISO-TP CAN implementation used a single txtimer for consecutive-frame transmission gaps and flow-control/echo timeout monitoring. The fix separates this into txfrtimer and txtimer one-shot callbacks, simplifying txstate transitions, especially around isotp_rcv_echo. The CVE record notes syzbot discovered a problem with panic_on_warn enabled. No CVSS, CWE, or exploit details are provided.

Likely exposure

Exposure is likely limited to Linux systems with CAN ISO-TP enabled or used. The CVE data references Linux 6.1 and 6.2-era versions and specific kernel commits. General-purpose servers without CAN interfaces are less likely to be exposed, but kernel packages should still be checked against vendor advisories.

Exploitation context

The public record does not report active exploitation, and CISA KEV status is false. The described failure was discovered by syzbot under panic_on_warn testing. Sources do not provide attacker prerequisites, remote reachability, or confirmed denial-of-service impact outside that testing context.

Researcher notes

Evidence is limited to the CVE record and upstream stable commits. The record describes a resolved kernel logic issue, not a public exploit. Further assessment should review the exact stable commit diffs and downstream backports before assigning exploitability or impact beyond warning/panic behavior.

Mitigation direction

  • Update to a Linux kernel containing the referenced stable fixes.
  • For distributions, follow the vendor kernel advisory and package guidance.
  • Prioritize embedded, automotive, and industrial systems using CAN ISO-TP.
  • If immediate patching is unavailable, review vendor-recommended CAN ISO-TP risk reductions.

Validation and detection

  • Inventory Linux systems using CAN or ISO-TP kernel functionality.
  • Compare running kernel versions against vendor advisories for CVE-2023-52941.
  • Check whether the referenced stable commits are included in deployed kernels.
  • Confirm patched kernels through package metadata or kernel changelogs.
Prepared
Confidence
medium
Sources
4

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2023-52941 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
0ADP providers
3Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux866337865f3747c68a3e7bb837611e39cec1ecd6, 866337865f3747c68a3e7bb837611e39cec1ecd6, 3cb476cf834edca47f4470c276feb0f519401fb7unaffected
LinuxLinux6.1, 0, 6.1.11, 6.2affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.