Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-54176— mptcp: stricter state check in mptcp_worker

EPSS 0.03% · P10
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2023-54176

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
mptcp: stricter state check in mptcp_worker
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: mptcp: stricter state check in mptcp_worker As reported by Christoph, the mptcp protocol can run the worker when the relevant msk socket is in an unexpected state: connect() // incoming reset + fastclose // the mptcp worker is scheduled mptcp_disconnect() // msk is now CLOSED listen() mptcp_worker() Leading to the following splat: divide error: 0000 [#1] PREEMPT SMP CPU: 1 PID: 21 Comm: kworker/1:0 Not tainted 6.3.0-rc1-gde5e8fd0123c #11 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014 Workqueue: events mptcp_worker RIP: 0010:__tcp_select_window+0x22c/0x4b0 net/ipv4/tcp_output.c:3018 RSP: 0018:ffffc900000b3c98 EFLAGS: 00010293 RAX: 000000000000ffd7 RBX: 000000000000ffd7 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff8214ce97 RDI: 0000000000000004 RBP: 000000000000ffd7 R08: 0000000000000004 R09: 0000000000010000 R10: 000000000000ffd7 R11: ffff888005afa148 R12: 000000000000ffd7 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff88803ed00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000405270 CR3: 000000003011e006 CR4: 0000000000370ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> tcp_select_window net/ipv4/tcp_output.c:262 [inline] __tcp_transmit_skb+0x356/0x1280 net/ipv4/tcp_output.c:1345 tcp_transmit_skb net/ipv4/tcp_output.c:1417 [inline] tcp_send_active_reset+0x13e/0x320 net/ipv4/tcp_output.c:3459 mptcp_check_fastclose net/mptcp/protocol.c:2530 [inline] mptcp_worker+0x6c7/0x800 net/mptcp/protocol.c:2705 process_one_work+0x3bd/0x950 kernel/workqueue.c:2390 worker_thread+0x5b/0x610 kernel/workqueue.c:2537 kthread+0x138/0x170 kernel/kthread.c:376 ret_from_fork+0x2c/0x50 arch/x86/entry/entry_64.S:308 </TASK> This change addresses the issue explicitly checking for bad states before running the mptcp worker.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于mptcp_worker状态检查不严格,可能导致空指针取消引用。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux e16163b6e2b720fb74e5af758546f6dad27e6c9e ~ f0b4a4086cf27240fc621a560da9735159049dcc -
LinuxLinux 5.11 -

II. Public POCs for CVE-2023-54176

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2023-54176

登录查看更多情报信息。

Same Patch Batch · Linux · 2025-12-30 · 244 CVEs total

CVE-2023-54265ipv6: Fix an uninit variable access bug in __ip6_make_skb()
CVE-2023-54249bus: mhi: ep: Only send -ENOTCONN status if client driver is available
CVE-2023-54251net/sched: taprio: Limit TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME to INT_MAX.
CVE-2023-54253btrfs: set page extent mapped after read_folio in relocate_one_page
CVE-2023-54252platform/x86: think-lmi: Fix memory leaks when parsing ThinkStation WMI strings
CVE-2023-54254drm/ttm: Don't leak a resource on eviction error
CVE-2023-54255sh: dma: Fix DMA channel offset calculation
CVE-2023-54257net: macb: fix a memory corruption in extended buffer descriptor mode
CVE-2023-54258cifs: fix potential oops in cifs_oplock_break
CVE-2023-54259soundwire: bus: Fix unbalanced pm_runtime_put() causing usage count underflow
CVE-2023-54260cifs: Fix lost destroy smbd connection when MR allocate failed
CVE-2023-54261drm/amdkfd: Add missing gfx11 MQD manager callbacks
CVE-2023-54262net/mlx5e: Don't clone flow post action attributes second time
CVE-2023-54263drm/nouveau/kms/nv50-: init hpd_irq_lock for PIOR DP
CVE-2023-54264fs/sysv: Null check to prevent null-ptr-deref bug
CVE-2023-54266media: dvb-usb: m920x: Fix a potential memory leak in m920x_i2c_xfer()
CVE-2023-54275wifi: ath11k: Fix memory leak in ath11k_peer_rx_frag_setup
CVE-2023-54276nfsd: move init of percpu reply_cache_stats counters back to nfsd_init_net
CVE-2023-54278s390/vmem: split pages when debug pagealloc is enabled
CVE-2023-54274RDMA/srpt: Add a check for valid 'mad_agent' pointer

Showing top 20 of 244 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2023-54176

No comments yet

Leave a comment