CVE-2023-54176

Published: Dic 30, 2025 Last Modified: Dic 31, 2025

ExploitDB:

Other exploit source:

Google Dorks:

Description

AI Translation Available

In the Linux kernel, the following vulnerability has been resolved:

mptcp: stricter state check in mptcp_worker

As reported by Christoph, the mptcp protocol can run the
worker when the relevant msk socket is in an unexpected state:

connect()
// incoming reset + fastclose
// the mptcp worker is scheduled
mptcp_disconnect()
// msk is now CLOSED
listen()
mptcp_worker()

Leading to the following splat:

divide error: 0000 [#1] PREEMPT SMP
CPU: 1 PID: 21 Comm: kworker/1:0 Not tainted 6.3.0-rc1-gde5e8fd0123c #11
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
Workqueue: events mptcp_worker
RIP: 0010:__tcp_select_window+0x22c/0x4b0 net/ipv4/tcp_output.c:3018
RSP: 0018:ffffc900000b3c98 EFLAGS: 00010293
RAX: 000000000000ffd7 RBX: 000000000000ffd7 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8214ce97 RDI: 0000000000000004
RBP: 000000000000ffd7 R08: 0000000000000004 R09: 0000000000010000
R10: 000000000000ffd7 R11: ffff888005afa148 R12: 000000000000ffd7
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88803ed00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000405270 CR3: 000000003011e006 CR4: 0000000000370ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
tcp_select_window net/ipv4/tcp_output.c:262 [inline]
__tcp_transmit_skb+0x356/0x1280 net/ipv4/tcp_output.c:1345
tcp_transmit_skb net/ipv4/tcp_output.c:1417 [inline]
tcp_send_active_reset+0x13e/0x320 net/ipv4/tcp_output.c:3459
mptcp_check_fastclose net/mptcp/protocol.c:2530 [inline]
mptcp_worker+0x6c7/0x800 net/mptcp/protocol.c:2705
process_one_work+0x3bd/0x950 kernel/workqueue.c:2390
worker_thread+0x5b/0x610 kernel/workqueue.c:2537
kthread+0x138/0x170 kernel/kthread.c:376
ret_from_fork+0x2c/0x50 arch/x86/entry/entry_64.S:308
</TASK>

This change addresses the issue explicitly checking for bad states
before running the mptcp worker.

AI Generated Translation

Nel kernel Linux, è stata risolta la seguente vulnerabilità:

mptcp: controllo più rigoroso dello stato in mptcp_worker

Come segnalato da Christoph, il protocollo mptcp può eseguire il worker quando il socket msk rilevante si trova in uno stato inatteso:

connect()
// reset in arrivo + fastclose
// il worker mptcp viene pianificato
mptcp_disconnect()
// il socket msk è ora CLOSED
listen()
mptcp_worker()

Portando al seguente splat:

Questa modifica affronta il problema verificando esplicitamente gli stati non corretti prima di eseguire il worker mptcp.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score

0,0002

Percentile

0,1th

Updated

EPSS Score Trend (Last 75 Days)

https://git.kernel.org/stable/c/19ea79e87af32c2b3c6fc49bd84…

https://git.kernel.org/stable/c/19ea79e87af32c2b3c6fc49bd84efeb35ca57678

https://git.kernel.org/stable/c/aff9099e9c51f15c8def05c75b2…

https://git.kernel.org/stable/c/aff9099e9c51f15c8def05c75b2b73e8487b5d54

https://git.kernel.org/stable/c/d6a0443733434408f2cbd4c53fe…

https://git.kernel.org/stable/c/d6a0443733434408f2cbd4c53fea6910599bab9e

https://git.kernel.org/stable/c/f0b4a4086cf27240fc621a560da…

https://git.kernel.org/stable/c/f0b4a4086cf27240fc621a560da9735159049dcc

CVE-2023-54176

Description

EPSS (Exploit Prediction Scoring System)

EPSS (Exploit Prediction Scoring System)

EPSS Score Trend (Last 75 Days)

Iscriviti alla newsletter