Title
Use-after-free and an out-of-bounds read in the CAN BCM subsystem of the Linux kernel.
Identifier(s)
CVE-2025-38003 and CVE-2025-38004
Description
While working on the blog post about the CAN BCM subsystem vulnerability that led to CVE-2023-52922, we noticed that its patch does not correctly address the vulnerability. In addition, we discovered another vulnerability: an out-of-bounds read that has been present since the introduction of the protocol. CVE-2025-38003 and CVE-2025-38004 identify these two vulnerabilities. We also helped the developers fix them.
References
CVE-2025-38003 and CVE-2025-38004 [TO BE RELEASED SOON]
https://github.com/alleleintel/research/tree/master/CVE-2025-38003_CVE-2025-38004
can: bcm: add missing rcu read protection for procfs content
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=0622846db728a5332b917c797c733e202c4620ae
CVE-2025-38003: can: bcm: add missing rcu read protection for procfs content
https://lore.kernel.org/linux-cve-announce/2025060859-CVE-2025-38003-6565@gregkh/T/#u
can: bcm: add locking for bcm_op runtime updates
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=2a437b86ac5a9893c902f30ef66815bf13587bf6
CVE-2025-38004: can: bcm: add locking for bcm_op runtime updates
https://lore.kernel.org/linux-cve-announce/2025060801-CVE-2025-38004-30d2@gregkh/T/#u
