PatchSiren

PatchSiren cyber security CVE debrief

CVE-2023-52447 Linux CVE debrief

CVE-2023-52447 is a Linux kernel BPF use-after-free issue in the handling of inner maps. When an inner map is updated or deleted from an outer map, BPF programs may still access it. The kernel fix defers the final free until after the required RCU and tasks trace RCU grace periods, reducing the risk that a BPF program can touch freed memory.

Vendor
Linux
Product
CVE-2023-52447
CVSS
MEDIUM 6.7
CISA KEV
Not listed in stored evidence
Original CVE published
2024-02-22
Original CVE updated
2026-05-12
Advisory published
2024-02-22
Advisory updated
2026-05-12

Who should care

Kernel maintainers, Linux distribution security teams, and operators running affected kernel versions with BPF features enabled or heavily used. Systems that rely on map-in-map or hash-of-maps BPF patterns should prioritize review and patching.

Technical summary

NVD classifies the issue as CWE-416 (use-after-free) with CVSS v3.1 6.7/Medium and a local, high-privilege attack vector. The vulnerability arises because bpf_map_fd_put_ptr() could drop the last reference to an inner map and free it before all potential BPF readers were done. The kernel fix changes inner-map teardown to use deferred freeing via bpf_map_free_deferred(), waiting for both an RCU grace period and a tasks trace RCU grace period when the inner map has already been removed from the outer map. The patch also adds an rcu_head field in bpf_map, reusing storage with the work field to avoid increasing structure size.

Defensive priority

High for environments running affected Linux kernel branches, especially where BPF map-in-map functionality is in use. Although exploitation requires local, high privileges, the bug affects kernel memory safety and can have full confidentiality, integrity, and availability impact if triggered.

Recommended defensive actions

  • Upgrade to a Linux kernel release that includes the vendor/stable fixes referenced by the official patch links.
  • If immediate upgrading is not possible, restrict access to privileged BPF-capable workloads and reduce exposure of systems running affected kernel branches.
  • Prioritize patch verification on systems in the affected version ranges noted by NVD: 5.9 through before 5.10.214, 5.11 through before 5.15.153, 5.16 through before 6.1.75, 6.2 through before 6.6.14, and 6.7 through قبل
  • f

Evidence notes

Primary evidence comes from the NVD record published on 2024-02-22 and last modified on 2026-05-12, which lists CWE-416 and the affected Linux kernel version ranges. The supplied kernel description explains the root cause: inner maps could be freed before all potential BPF readers completed, and the fix defers freeing with RCU-based callbacks. Official patch references are provided by multiple stable kernel commits, and Debian LTS also references the issue.

Official resources

CVE published by NVD/CVE on 2024-02-22; this debrief uses that published date and the supplied modification date of 2026-05-12 for timeline context only.