CVE-2023-52941: can: isotp: split tx timer into transmission and timeout
In the Linux kernel, the following vulnerability has been resolved:
can: isotp: split tx timer into transmission and timeout
The timer for the transmission of isotp PDUs formerly had two functions:
1. send two consecutive frames with a given time gap
2. monitor the timeouts for flow control frames and the echo frames
This led to larger txstate checks and potentially to a problem discovered
by syzbot which enabled the panic_on_warn feature while testing.
The former 'txtimer' function is split into 'txfrtimer' and 'txtimer'
to handle the two above functionalities with separate timer callbacks.
The two simplified timers now run in one-shot mode and make the state
transitions (especially with isotp_rcv_echo) better understandable.
Security readout for executives and security teams
Plain-English summary
CVE-2023-52941 is a Linux kernel CAN ISO-TP networking issue found by syzbot. The bug involved one transmit timer handling both frame spacing and timeout monitoring, creating problematic state handling and a potential kernel warning. Business impact appears most relevant to Linux systems using CAN bus communication, such as automotive, embedded, or industrial environments.
Executive priority
Treat as a targeted kernel maintenance issue, not a broad internet emergency. Prioritize environments where Linux controls or monitors CAN bus systems. Patch through normal kernel update processes, with higher urgency for safety-adjacent embedded or operational technology deployments.
Technical view
The Linux kernel ISO-TP CAN implementation used a single txtimer for consecutive-frame transmission gaps and flow-control/echo timeout monitoring. The fix separates this into txfrtimer and txtimer one-shot callbacks, simplifying txstate transitions, especially around isotp_rcv_echo. The CVE record notes syzbot discovered a problem with panic_on_warn enabled. No CVSS, CWE, or exploit details are provided.
Likely exposure
Exposure is likely limited to Linux systems with CAN ISO-TP enabled or used. The CVE data references Linux 6.1 and 6.2-era versions and specific kernel commits. General-purpose servers without CAN interfaces are less likely to be exposed, but kernel packages should still be checked against vendor advisories.
Exploitation context
The public record does not report active exploitation, and CISA KEV status is false. The described failure was discovered by syzbot under panic_on_warn testing. Sources do not provide attacker prerequisites, remote reachability, or confirmed denial-of-service impact outside that testing context.
Researcher notes
Evidence is limited to the CVE record and upstream stable commits. The record describes a resolved kernel logic issue, not a public exploit. Further assessment should review the exact stable commit diffs and downstream backports before assigning exploitability or impact beyond warning/panic behavior.
Mitigation direction
Update to a Linux kernel containing the referenced stable fixes.
For distributions, follow the vendor kernel advisory and package guidance.
Prioritize embedded, automotive, and industrial systems using CAN ISO-TP.
If immediate patching is unavailable, review vendor-recommended CAN ISO-TP risk reductions.
Validation and detection
Inventory Linux systems using CAN or ISO-TP kernel functionality.
Compare running kernel versions against vendor advisories for CVE-2023-52941.
Check whether the referenced stable commits are included in deployed kernels.
Confirm patched kernels through package metadata or kernel changelogs.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2023-52941 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
3Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Mar 27, 2025, 16:37 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.