CVE-2023-52935
Published: 27 March 2025
Summary
CVE-2023-52935 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 1.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely remediation of the kernel race condition flaw through patching to stable commits fixing the anon_vma locking issue.
Enforces secure kernel configuration settings to disable or restrict transparent huge page collapsing, avoiding the vulnerable khugepaged code path.
Implements memory protections like ASLR and DEP to mitigate exploitation of the use-after-free resulting from the page table retraction race.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local kernel race condition vulnerability enabling use-after-free exploitation by low-privileged attackers for arbitrary code execution and privilege escalation.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: mm/khugepaged: fix ->anon_vma race If an ->anon_vma is attached to the VMA, collapse_and_free_pmd() requires it to be locked. Page table traversal is allowed under any one of the mmap lock,…
more
the anon_vma lock (if the VMA is associated with an anon_vma), and the mapping lock (if the VMA is associated with a mapping); and so to be able to remove page tables, we must hold all three of them. retract_page_tables() bails out if an ->anon_vma is attached, but does this check before holding the mmap lock (as the comment above the check explains). If we racily merged an existing ->anon_vma (shared with a child process) from a neighboring VMA, subsequent rmap traversals on pages belonging to the child will be able to see the page tables that we are concurrently removing while assuming that nothing else can access them. Repeat the ->anon_vma check once we hold the mmap lock to ensure that there really is no concurrent page table access. Hitting this bug causes a lockdep warning in collapse_and_free_pmd(), in the line "lockdep_assert_held_write(&vma->anon_vma->root->rwsem)". It can also lead to use-after-free access.
Deeper analysisAI
CVE-2023-52935 is a race condition vulnerability in the Linux kernel's mm/khugepaged subsystem, which handles transparent huge page collapsing. The issue arises because retract_page_tables() checks for an attached ->anon_vma before holding the mmap lock, despite page table removal requiring the mmap lock, anon_vma lock (if applicable), and mapping lock. If an ->anon_vma is racily merged from a neighboring VMA (such as one shared with a child process), concurrent rmap traversals can access page tables being removed, assuming exclusive access. This triggers a lockdep warning in collapse_and_free_pmd() due to unheld anon_vma->root->rwsem and can result in use-after-free access (CWE-416).
A local attacker with low privileges can exploit this vulnerability (CVSS:3.1 score of 7.8; AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). By triggering khugepaged operations on VMAs with shared anon_vmas, such as through process forking and memory access patterns, the attacker can race the page table retraction, leading to use-after-free conditions that enable high-impact confidentiality, integrity, and availability violations, potentially including arbitrary code execution or system crashes.
The provided references point to stable kernel commit patches that resolve the issue by repeating the ->anon_vma check after acquiring the mmap lock, ensuring no concurrent page table access during removal. Security practitioners should update to kernels incorporating these fixes (e.g., commits 023f47a8250c6bdb4aebe744db4bf7f73414028b, 352fbf61ce776fef18dca6a68680a6cd943dac95, and others listed) to mitigate the vulnerability.
Details
- CWE(s)