CVE-2023-52522

net: fix possible store tearing in neigh_periodic_work()

Description

In the Linux kernel, the following vulnerability has been resolved: net: fix possible store tearing in neigh_periodic_work() While looking at a related syzbot report involving neigh_periodic_work(), I found that I forgot to add an annotation when deleting an RCU protected item from a list. Readers use rcu_deference(*np), we need to use either rcu_assign_pointer() or WRITE_ONCE() on writer side to prevent store tearing. I use rcu_assign_pointer() to have lockdep support, this was the choice made in neigh_flush_dev().

5.5
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.01%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/95eabb075a5902f4c0834ab1fb12dc35730c05af
https://git.kernel.org/stable/c/2ea52a2fb8e87067e26bbab4efb8872639240eb0
https://git.kernel.org/stable/c/147d89ee41434b97043c2dcb17a97dc151859baa
https://git.kernel.org/stable/c/f82aac8162871e87027692b36af335a2375d4580
https://git.kernel.org/stable/c/a75152d233370362eebedb2643592e7c883cc9fc
https://git.kernel.org/stable/c/25563b581ba3a1f263a00e8c9a97f5e7363be6fd

Frequently Asked Questions

What is the severity of CVE-2023-52522?
CVE-2023-52522 has been scored as a medium severity vulnerability.
How to fix CVE-2023-52522?
To fix CVE-2023-52522, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-52522 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2023-52522 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-52522?
CVE-2023-52522 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.