{"id":"CVE-2023-52922","summary":"can: bcm: Fix UAF in bcm_proc_show()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ncan: bcm: Fix UAF in bcm_proc_show()\n\nBUG: KASAN: slab-use-after-free in bcm_proc_show+0x969/0xa80\nRead of size 8 at addr ffff888155846230 by task cat/7862\n\nCPU: 1 PID: 7862 Comm: cat Not tainted 6.5.0-rc1-00153-gc8746099c197 #230\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0xd5/0x150\n print_report+0xc1/0x5e0\n kasan_report+0xba/0xf0\n bcm_proc_show+0x969/0xa80\n seq_read_iter+0x4f6/0x1260\n seq_read+0x165/0x210\n proc_reg_read+0x227/0x300\n vfs_read+0x1d5/0x8d0\n ksys_read+0x11e/0x240\n do_syscall_64+0x35/0xb0\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nAllocated by task 7846:\n kasan_save_stack+0x1e/0x40\n kasan_set_track+0x21/0x30\n __kasan_kmalloc+0x9e/0xa0\n bcm_sendmsg+0x264b/0x44e0\n sock_sendmsg+0xda/0x180\n ____sys_sendmsg+0x735/0x920\n ___sys_sendmsg+0x11d/0x1b0\n __sys_sendmsg+0xfa/0x1d0\n do_syscall_64+0x35/0xb0\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nFreed by task 7846:\n kasan_save_stack+0x1e/0x40\n kasan_set_track+0x21/0x30\n kasan_save_free_info+0x27/0x40\n ____kasan_slab_free+0x161/0x1c0\n slab_free_freelist_hook+0x119/0x220\n __kmem_cache_free+0xb4/0x2e0\n rcu_core+0x809/0x1bd0\n\nbcm_op is freed before procfs entry be removed in bcm_release(),\nthis lead to bcm_proc_show() may read the freed bcm_op.","modified":"2026-03-20T12:32:53.011276Z","published":"2024-11-28T15:09:51.360Z","related":["ALSA-2025:2627","SUSE-SU-2024:4314-1","SUSE-SU-2024:4315-1","SUSE-SU-2024:4316-1","SUSE-SU-2024:4318-1","SUSE-SU-2024:4345-1","SUSE-SU-2024:4346-1","SUSE-SU-2024:4364-1","SUSE-SU-2024:4376-1","SUSE-SU-2024:4387-1","SUSE-SU-2025:0236-1","SUSE-SU-2025:20163-1","SUSE-SU-2025:20164-1","SUSE-SU-2025:20246-1","SUSE-SU-2025:20247-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/52xxx/CVE-2023-52922.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://allelesecurity.com/use-after-free-vulnerability-in-can-bcm-subsystem-leading-to-information-disclosure-cve-2023-52922/"},{"type":"WEB","url":"https://git.kernel.org/stable/c/11b8e27ed448baa385d90154a141466bd5e92f18"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3c3941bb1eb53abe7d640ffee5c4d6b559829ab3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/55c3b96074f3f9b0aee19bf93cd71af7516582bb"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9533dbfac0ff7edd77a5fa2c24974b1d66c8b0a6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/995f47d76647708ec26c6e388663ad4f3f264787"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9b58d36d0c1ea29a9571e0222a9c29df0ccfb7ff"},{"type":"WEB","url":"https://git.kernel.org/stable/c/cf254b4f68e480e73dab055014e002b77aed30ed"},{"type":"WEB","url":"https://git.kernel.org/stable/c/dfd0aa26e9a07f2ce546ccf8304ead6a2914e8a7"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/52xxx/CVE-2023-52922.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52922"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"ffd980f976e7fd666c2e61bf8ab35107efd11828"},{"fixed":"11b8e27ed448baa385d90154a141466bd5e92f18"},{"fixed":"9b58d36d0c1ea29a9571e0222a9c29df0ccfb7ff"},{"fixed":"9533dbfac0ff7edd77a5fa2c24974b1d66c8b0a6"},{"fixed":"cf254b4f68e480e73dab055014e002b77aed30ed"},{"fixed":"3c3941bb1eb53abe7d640ffee5c4d6b559829ab3"},{"fixed":"995f47d76647708ec26c6e388663ad4f3f264787"},{"fixed":"dfd0aa26e9a07f2ce546ccf8304ead6a2914e8a7"},{"fixed":"55c3b96074f3f9b0aee19bf93cd71af7516582bb"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-52922.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}