Cyber Resilience

CVE-2023-52974

High

Published: 27 March 2025
Modified: 01 April 2025
KEV Added: not listed
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (1.4th percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-52974 is a high-severity use-after-free (CWE-416) vulnerability in the Linux kernel's iscsi_tcp driver. Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 1.4th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2023-52974 is a use-after-free (UAF) vulnerability, classified under CWE-416, in the Linux kernel's SCSI iSCSI TCP (iscsi_tcp) component. The issue arises during iSCSI login, in iscsi_sw_tcp_session_create(). The host's session pointer (tcp_sw_host->session) is set before session creation has passed its last point of failure. If iscsi_tcp_r2tpool_alloc() then fails, the session is freed by iscsi_session_teardown() while userspace may still be reading the SCSI host (shost) ipaddress attribute through that pointer, so the read dereferences freed memory.

A local attacker with low privileges (PR:L) can trigger the bug with low attack complexity (AC:L) and no user interaction (UI:N), within unchanged scope (S:U). Successful exploitation yields high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), as reflected in the CVSS v3.1 base score of 7.8. In practice the attacker must drive a session-creation attempt in which iscsi_tcp_r2tpool_alloc() fails (an allocation failure, for example under memory pressure) and race a read of the host's ipaddress attribute against the resulting teardown; the window is narrow, which is consistent with the very low EPSS score. Hosts that do not have the iscsi_tcp module loaded do not expose the vulnerable code path.

Mitigation involves applying the fix from the Linux kernel stable trees, which defers assigning tcp_sw_host->session until session creation can no longer fail, so no failure path tears the session down while a userspace reader can reach it through the host. Relevant commits include 0aaabdb900c7415caa2006ef580322f7eac5f6b6, 496af9d3682ed4c28fb734342a09e6cc0c056ea4, 61e43ebfd243bcbad11be26bd921723027b77441, 6abd4698f4c8a78e7bbfc421205c060c199554a0, and 9758ffe1c07b86aefd7ca8e40d9a461293427ca0.
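The ordering bug and its fix, as an added user-space C model; this is not code from the page or from the Linux kernel. The struct names (session_model, tcp_sw_host_model), the static arena standing in for the slab allocator, and the inject_fail flag are constructed stand-ins, not the kernel's real definitions. The pre-fix create path publishes the host's session pointer before the last fallible step, the fixed path publishes it only afterwards, and a reader modelled on the host's ipaddress attribute shows the difference: in the real kernel the stale read is the use-after-free; here the arena records teardown so the dangling pointer is observable without undefined behaviour.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed models, not the kernel's real structs: just enough state to
 * show why publishing the session pointer early is the bug. */
struct session_model {
    char ipaddress[16];
    int  r2tpool_ready;
};

struct tcp_sw_host_model {
    struct session_model *session;   /* what the ipaddress reader follows */
};

/* Static arena in place of kmalloc/kfree: "freed" objects are recorded, not
 * released, so a stale pointer can be observed safely in this model. */
#define MAX_SESSIONS 4
static struct session_model arena[MAX_SESSIONS];
static int arena_used;
static int arena_freed[MAX_SESSIONS];   /* 1 once torn down */

static void model_reset(void)
{
    memset(arena, 0, sizeof arena);
    memset(arena_freed, 0, sizeof arena_freed);
    arena_used = 0;
}

static struct session_model *session_alloc(const char *ip)
{
    if (arena_used >= MAX_SESSIONS)
        return NULL;
    struct session_model *s = &arena[arena_used++];
    snprintf(s->ipaddress, sizeof s->ipaddress, "%s", ip);
    return s;
}

/* Stand-in for iscsi_session_teardown(): mark freed and poison the object. */
static void session_teardown(struct session_model *s)
{
    arena_freed[s - arena] = 1;
    memset(s, 0, sizeof *s);
}

static int session_is_freed(const struct session_model *s)
{
    return arena_freed[s - arena];
}

/* Stand-in for iscsi_tcp_r2tpool_alloc(); inject_fail simulates -ENOMEM. */
static int r2tpool_alloc(struct session_model *s, int inject_fail)
{
    if (inject_fail)
        return -ENOMEM;
    s->r2tpool_ready = 1;
    return 0;
}

/* Pre-fix ordering: the host pointer is set before the last fallible step,
 * so the failure path tears the session down and leaves it dangling. */
int session_create_vulnerable(struct tcp_sw_host_model *h, const char *ip, int inject_fail)
{
    struct session_model *s = session_alloc(ip);
    if (!s)
        return -ENOMEM;
    h->session = s;                       /* published too early */
    if (r2tpool_alloc(s, inject_fail)) {
        session_teardown(s);              /* h->session still points here */
        return -ENOMEM;
    }
    return 0;
}

/* Fixed ordering: publish only once nothing in the create path can fail. */
int session_create_fixed(struct tcp_sw_host_model *h, const char *ip, int inject_fail)
{
    struct session_model *s = session_alloc(ip);
    if (!s)
        return -ENOMEM;
    if (r2tpool_alloc(s, inject_fail)) {
        session_teardown(s);              /* h->session was never set */
        return -ENOMEM;
    }
    h->session = s;
    return 0;
}

/* Model of the host ipaddress reader: 1 = live read, 0 = no session attached,
 * -1 = the pointer leads to a freed session (the UAF read in the real kernel). */
int host_show_ipaddress(const struct tcp_sw_host_model *h, char *out, size_t outlen)
{
    const struct session_model *s = h->session;
    if (!s) {
        snprintf(out, outlen, "%s", "");
        return 0;
    }
    if (session_is_freed(s))
        return -1;
    snprintf(out, outlen, "%s", s->ipaddress);
    return 1;
}

/* One login attempt (optionally with the r2tpool failure injected), then a
 * read of the attribute, as a concurrent userspace reader would see it. */
int login_then_read(int use_fixed, int inject_fail)
{
    struct tcp_sw_host_model host = { 0 };
    char buf[16];
    model_reset();
    if (use_fixed)
        session_create_fixed(&host, "10.0.0.5", inject_fail);   /* constructed address */
    else
        session_create_vulnerable(&host, "10.0.0.5", inject_fail);
    return host_show_ipaddress(&host, buf, sizeof buf);
}

int main(void)
{
    printf("pre-fix, failed login: %d (-1 = read through freed session)\n", login_then_read(0, 1));
    printf("fixed,   failed login: %d (0 = no session attached)\n", login_then_read(1, 1));
    return 0;
}
```

The only difference between the two create paths is where h->session is assigned; everything else is identical, which is also the shape of the upstream fix.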


Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress. If during iscsi_sw_tcp_session_create() iscsi_tcp_r2tpool_alloc() fails, userspace could be accessing the host's ipaddress attr. If we then free the session via iscsi_session_teardown() while userspace is still accessing the session we will hit a use after free bug. Set the tcp_sw_host->session after we have completed session creation and can no longer fail.

CWE(s)

CWE-416 Use After Free

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

A use-after-free in the Linux kernel, triggered locally by a low-privileged user during iSCSI session creation, is a kernel memory-corruption primitive that can be leveraged for local privilege escalation up to arbitrary kernel code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23111 · Same product: Linux Kernel
CVE-2026-31530 · Same product: Linux Kernel
CVE-2026-43019 · Same product: Linux Kernel
CVE-2026-23158 · Same product: Linux Kernel
CVE-2025-21893 · Same product: Linux Kernel
CVE-2026-31446 · Same product: Linux Kernel
CVE-2022-49176 · Same product: Linux Kernel
CVE-2022-49291 · Same product: Linux Kernel
CVE-2026-31650 · Same product: Linux Kernel
CVE-2026-23001 · Same product: Linux Kernel

Affected Assets

Vendor: Linux
Product: Linux Kernel
Affected versions: 6.2 · ≤ 4.14.306 · 4.15 to 4.19.273 · 4.20 to 5.4.232

Mitigating Controls (NIST 800-53 r5)

prevent · SI-2 Flaw Remediation
Timely installation of Linux kernel patches directly remediates the UAF in the iSCSI TCP session-creation failure path.

prevent · SI-16 Memory Protection
Kernel memory protections such as KASLR, SMEP, and SMAP raise the cost of turning the use-after-free into arbitrary kernel code execution, but they do not remove the bug; treat them as defence in depth alongside patching. Hosts that do not use software iSCSI can keep the iscsi_tcp module unloaded, which removes the vulnerable code path entirely.

detect · RA-5 Vulnerability Monitoring and Scanning
Vulnerability scanning identifies kernel versions affected by CVE-2023-52974, enabling prioritization and remediation.
