CVE-2023-54176 (GCVE-0-2023-54176)
Vulnerability from cvelistv5
Published
2025-12-30 12:08
Modified
2025-12-30 12:08
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: mptcp: stricter state check in mptcp_worker As reported by Christoph, the mptcp protocol can run the worker when the relevant msk socket is in an unexpected state: connect() // incoming reset + fastclose // the mptcp worker is scheduled mptcp_disconnect() // msk is now CLOSED listen() mptcp_worker() Leading to the following splat: divide error: 0000 [#1] PREEMPT SMP CPU: 1 PID: 21 Comm: kworker/1:0 Not tainted 6.3.0-rc1-gde5e8fd0123c #11 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014 Workqueue: events mptcp_worker RIP: 0010:__tcp_select_window+0x22c/0x4b0 net/ipv4/tcp_output.c:3018 RSP: 0018:ffffc900000b3c98 EFLAGS: 00010293 RAX: 000000000000ffd7 RBX: 000000000000ffd7 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff8214ce97 RDI: 0000000000000004 RBP: 000000000000ffd7 R08: 0000000000000004 R09: 0000000000010000 R10: 000000000000ffd7 R11: ffff888005afa148 R12: 000000000000ffd7 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff88803ed00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000405270 CR3: 000000003011e006 CR4: 0000000000370ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> tcp_select_window net/ipv4/tcp_output.c:262 [inline] __tcp_transmit_skb+0x356/0x1280 net/ipv4/tcp_output.c:1345 tcp_transmit_skb net/ipv4/tcp_output.c:1417 [inline] tcp_send_active_reset+0x13e/0x320 net/ipv4/tcp_output.c:3459 mptcp_check_fastclose net/mptcp/protocol.c:2530 [inline] mptcp_worker+0x6c7/0x800 net/mptcp/protocol.c:2705 process_one_work+0x3bd/0x950 kernel/workqueue.c:2390 worker_thread+0x5b/0x610 kernel/workqueue.c:2537 kthread+0x138/0x170 kernel/kthread.c:376 ret_from_fork+0x2c/0x50 arch/x86/entry/entry_64.S:308 </TASK> This change addresses the issue explicitly checking for bad states before running the mptcp worker.
References
Impacted products
Vendor Product Version
Linux Linux Version: e16163b6e2b720fb74e5af758546f6dad27e6c9e
Version: e16163b6e2b720fb74e5af758546f6dad27e6c9e
Version: e16163b6e2b720fb74e5af758546f6dad27e6c9e
Version: e16163b6e2b720fb74e5af758546f6dad27e6c9e
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/protocol.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f0b4a4086cf27240fc621a560da9735159049dcc",
              "status": "affected",
              "version": "e16163b6e2b720fb74e5af758546f6dad27e6c9e",
              "versionType": "git"
            },
            {
              "lessThan": "aff9099e9c51f15c8def05c75b2b73e8487b5d54",
              "status": "affected",
              "version": "e16163b6e2b720fb74e5af758546f6dad27e6c9e",
              "versionType": "git"
            },
            {
              "lessThan": "19ea79e87af32c2b3c6fc49bd84efeb35ca57678",
              "status": "affected",
              "version": "e16163b6e2b720fb74e5af758546f6dad27e6c9e",
              "versionType": "git"
            },
            {
              "lessThan": "d6a0443733434408f2cbd4c53fea6910599bab9e",
              "status": "affected",
              "version": "e16163b6e2b720fb74e5af758546f6dad27e6c9e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/protocol.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.11"
            },
            {
              "lessThan": "5.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.108",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.25",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.2.*",
              "status": "unaffected",
              "version": "6.2.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.3",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.108",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.25",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2.12",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.3",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: stricter state check in mptcp_worker\n\nAs reported by Christoph, the mptcp protocol can run the\nworker when the relevant msk socket is in an unexpected state:\n\nconnect()\n// incoming reset + fastclose\n// the mptcp worker is scheduled\nmptcp_disconnect()\n// msk is now CLOSED\nlisten()\nmptcp_worker()\n\nLeading to the following splat:\n\ndivide error: 0000 [#1] PREEMPT SMP\nCPU: 1 PID: 21 Comm: kworker/1:0 Not tainted 6.3.0-rc1-gde5e8fd0123c #11\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014\nWorkqueue: events mptcp_worker\nRIP: 0010:__tcp_select_window+0x22c/0x4b0 net/ipv4/tcp_output.c:3018\nRSP: 0018:ffffc900000b3c98 EFLAGS: 00010293\nRAX: 000000000000ffd7 RBX: 000000000000ffd7 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffffffff8214ce97 RDI: 0000000000000004\nRBP: 000000000000ffd7 R08: 0000000000000004 R09: 0000000000010000\nR10: 000000000000ffd7 R11: ffff888005afa148 R12: 000000000000ffd7\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\nFS:  0000000000000000(0000) GS:ffff88803ed00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000405270 CR3: 000000003011e006 CR4: 0000000000370ee0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n tcp_select_window net/ipv4/tcp_output.c:262 [inline]\n __tcp_transmit_skb+0x356/0x1280 net/ipv4/tcp_output.c:1345\n tcp_transmit_skb net/ipv4/tcp_output.c:1417 [inline]\n tcp_send_active_reset+0x13e/0x320 net/ipv4/tcp_output.c:3459\n mptcp_check_fastclose net/mptcp/protocol.c:2530 [inline]\n mptcp_worker+0x6c7/0x800 net/mptcp/protocol.c:2705\n process_one_work+0x3bd/0x950 kernel/workqueue.c:2390\n worker_thread+0x5b/0x610 kernel/workqueue.c:2537\n kthread+0x138/0x170 kernel/kthread.c:376\n ret_from_fork+0x2c/0x50 arch/x86/entry/entry_64.S:308\n \u003c/TASK\u003e\n\nThis change addresses the issue explicitly checking for bad states\nbefore running the mptcp worker."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-30T12:08:48.915Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f0b4a4086cf27240fc621a560da9735159049dcc"
        },
        {
          "url": "https://git.kernel.org/stable/c/aff9099e9c51f15c8def05c75b2b73e8487b5d54"
        },
        {
          "url": "https://git.kernel.org/stable/c/19ea79e87af32c2b3c6fc49bd84efeb35ca57678"
        },
        {
          "url": "https://git.kernel.org/stable/c/d6a0443733434408f2cbd4c53fea6910599bab9e"
        }
      ],
      "title": "mptcp: stricter state check in mptcp_worker",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-54176",
    "datePublished": "2025-12-30T12:08:48.915Z",
    "dateReserved": "2025-12-30T12:06:44.496Z",
    "dateUpdated": "2025-12-30T12:08:48.915Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-54176\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-30T13:16:05.470\",\"lastModified\":\"2025-12-30T13:16:05.470\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmptcp: stricter state check in mptcp_worker\\n\\nAs reported by Christoph, the mptcp protocol can run the\\nworker when the relevant msk socket is in an unexpected state:\\n\\nconnect()\\n// incoming reset + fastclose\\n// the mptcp worker is scheduled\\nmptcp_disconnect()\\n// msk is now CLOSED\\nlisten()\\nmptcp_worker()\\n\\nLeading to the following splat:\\n\\ndivide error: 0000 [#1] PREEMPT SMP\\nCPU: 1 PID: 21 Comm: kworker/1:0 Not tainted 6.3.0-rc1-gde5e8fd0123c #11\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014\\nWorkqueue: events mptcp_worker\\nRIP: 0010:__tcp_select_window+0x22c/0x4b0 net/ipv4/tcp_output.c:3018\\nRSP: 0018:ffffc900000b3c98 EFLAGS: 00010293\\nRAX: 000000000000ffd7 RBX: 000000000000ffd7 RCX: 0000000000000000\\nRDX: 0000000000000000 RSI: ffffffff8214ce97 RDI: 0000000000000004\\nRBP: 000000000000ffd7 R08: 0000000000000004 R09: 0000000000010000\\nR10: 000000000000ffd7 R11: ffff888005afa148 R12: 000000000000ffd7\\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\\nFS:  0000000000000000(0000) GS:ffff88803ed00000(0000) knlGS:0000000000000000\\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 0000000000405270 CR3: 000000003011e006 CR4: 0000000000370ee0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nCall Trace:\\n \u003cTASK\u003e\\n tcp_select_window net/ipv4/tcp_output.c:262 [inline]\\n __tcp_transmit_skb+0x356/0x1280 net/ipv4/tcp_output.c:1345\\n tcp_transmit_skb net/ipv4/tcp_output.c:1417 [inline]\\n tcp_send_active_reset+0x13e/0x320 net/ipv4/tcp_output.c:3459\\n mptcp_check_fastclose net/mptcp/protocol.c:2530 [inline]\\n mptcp_worker+0x6c7/0x800 net/mptcp/protocol.c:2705\\n process_one_work+0x3bd/0x950 kernel/workqueue.c:2390\\n worker_thread+0x5b/0x610 kernel/workqueue.c:2537\\n kthread+0x138/0x170 kernel/kthread.c:376\\n ret_from_fork+0x2c/0x50 arch/x86/entry/entry_64.S:308\\n \u003c/TASK\u003e\\n\\nThis change addresses the issue explicitly checking for bad states\\nbefore running the mptcp worker.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/19ea79e87af32c2b3c6fc49bd84efeb35ca57678\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/aff9099e9c51f15c8def05c75b2b73e8487b5d54\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d6a0443733434408f2cbd4c53fea6910599bab9e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f0b4a4086cf27240fc621a560da9735159049dcc\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.