{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2023-54176", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-12-30T12:06:44.496Z", "datePublished": "2025-12-30T12:08:48.915Z", "dateUpdated": "2025-12-30T12:08:48.915Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-12-30T12:08:48.915Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: stricter state check in mptcp_worker\n\nAs reported by Christoph, the mptcp protocol can run the\nworker when the relevant msk socket is in an unexpected state:\n\nconnect()\n// incoming reset + fastclose\n// the mptcp worker is scheduled\nmptcp_disconnect()\n// msk is now CLOSED\nlisten()\nmptcp_worker()\n\nLeading to the following splat:\n\ndivide error: 0000 [#1] PREEMPT SMP\nCPU: 1 PID: 21 Comm: kworker/1:0 Not tainted 6.3.0-rc1-gde5e8fd0123c #11\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014\nWorkqueue: events mptcp_worker\nRIP: 0010:__tcp_select_window+0x22c/0x4b0 net/ipv4/tcp_output.c:3018\nRSP: 0018:ffffc900000b3c98 EFLAGS: 00010293\nRAX: 000000000000ffd7 RBX: 000000000000ffd7 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffffffff8214ce97 RDI: 0000000000000004\nRBP: 000000000000ffd7 R08: 0000000000000004 R09: 0000000000010000\nR10: 000000000000ffd7 R11: ffff888005afa148 R12: 000000000000ffd7\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffff88803ed00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000405270 CR3: 000000003011e006 CR4: 0000000000370ee0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n tcp_select_window net/ipv4/tcp_output.c:262 [inline]\n __tcp_transmit_skb+0x356/0x1280 net/ipv4/tcp_output.c:1345\n tcp_transmit_skb net/ipv4/tcp_output.c:1417 [inline]\n tcp_send_active_reset+0x13e/0x320 net/ipv4/tcp_output.c:3459\n mptcp_check_fastclose net/mptcp/protocol.c:2530 [inline]\n mptcp_worker+0x6c7/0x800 net/mptcp/protocol.c:2705\n process_one_work+0x3bd/0x950 kernel/workqueue.c:2390\n worker_thread+0x5b/0x610 kernel/workqueue.c:2537\n kthread+0x138/0x170 kernel/kthread.c:376\n ret_from_fork+0x2c/0x50 arch/x86/entry/entry_64.S:308\n </TASK>\n\nThis change addresses the issue explicitly checking for bad states\nbefore running the mptcp worker."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/mptcp/protocol.c"], "versions": [{"version": "e16163b6e2b720fb74e5af758546f6dad27e6c9e", "lessThan": "f0b4a4086cf27240fc621a560da9735159049dcc", "status": "affected", "versionType": "git"}, {"version": "e16163b6e2b720fb74e5af758546f6dad27e6c9e", "lessThan": "aff9099e9c51f15c8def05c75b2b73e8487b5d54", "status": "affected", "versionType": "git"}, {"version": "e16163b6e2b720fb74e5af758546f6dad27e6c9e", "lessThan": "19ea79e87af32c2b3c6fc49bd84efeb35ca57678", "status": "affected", "versionType": "git"}, {"version": "e16163b6e2b720fb74e5af758546f6dad27e6c9e", "lessThan": "d6a0443733434408f2cbd4c53fea6910599bab9e", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/mptcp/protocol.c"], "versions": [{"version": "5.11", "status": "affected"}, {"version": "0", "lessThan": "5.11", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.108", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.25", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.2.12", "lessThanOrEqual": "6.2.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.108"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "6.1.25"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "6.2.12"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "6.3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/f0b4a4086cf27240fc621a560da9735159049dcc"}, {"url": "https://git.kernel.org/stable/c/aff9099e9c51f15c8def05c75b2b73e8487b5d54"}, {"url": "https://git.kernel.org/stable/c/19ea79e87af32c2b3c6fc49bd84efeb35ca57678"}, {"url": "https://git.kernel.org/stable/c/d6a0443733434408f2cbd4c53fea6910599bab9e"}], "title": "mptcp: stricter state check in mptcp_worker", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: stricter state check in mptcp_worker\n\nAs reported by Christoph, the mptcp protocol can run the\nworker when the relevant msk socket is in an unexpected state:\n\nconnect()\n// incoming reset + fastclose\n// the mptcp worker is scheduled\nmptcp_disconnect()\n// msk is now CLOSED\nlisten()\nmptcp_worker()\n\nLeading to the following splat:\n\ndivide error: 0000 [#1] PREEMPT SMP\nCPU: 1 PID: 21 Comm: kworker/1:0 Not tainted 6.3.0-rc1-gde5e8fd0123c #11\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014\nWorkqueue: events mptcp_worker\nRIP: 0010:__tcp_select_window+0x22c/0x4b0 net/ipv4/tcp_output.c:3018\nRSP: 0018:ffffc900000b3c98 EFLAGS: 00010293\nRAX: 000000000000ffd7 RBX: 000000000000ffd7 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffffffff8214ce97 RDI: 0000000000000004\nRBP: 000000000000ffd7 R08: 0000000000000004 R09: 0000000000010000\nR10: 000000000000ffd7 R11: ffff888005afa148 R12: 000000000000ffd7\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffff88803ed00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000405270 CR3: 000000003011e006 CR4: 0000000000370ee0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n tcp_select_window net/ipv4/tcp_output.c:262 [inline]\n __tcp_transmit_skb+0x356/0x1280 net/ipv4/tcp_output.c:1345\n tcp_transmit_skb net/ipv4/tcp_output.c:1417 [inline]\n tcp_send_active_reset+0x13e/0x320 net/ipv4/tcp_output.c:3459\n mptcp_check_fastclose net/mptcp/protocol.c:2530 [inline]\n mptcp_worker+0x6c7/0x800 net/mptcp/protocol.c:2705\n process_one_work+0x3bd/0x950 kernel/workqueue.c:2390\n worker_thread+0x5b/0x610 kernel/workqueue.c:2537\n kthread+0x138/0x170 kernel/kthread.c:376\n ret_from_fork+0x2c/0x50 arch/x86/entry/entry_64.S:308\n </TASK>\n\nThis change addresses the issue explicitly checking for bad states\nbefore running the mptcp worker."}], "id": "CVE-2023-54176", "lastModified": "2025-12-30T13:16:05.470", "metrics": {}, "published": "2025-12-30T13:16:05.470", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/19ea79e87af32c2b3c6fc49bd84efeb35ca57678"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/aff9099e9c51f15c8def05c75b2b73e8487b5d54"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d6a0443733434408f2cbd4c53fea6910599bab9e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f0b4a4086cf27240fc621a560da9735159049dcc"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{}