{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2023-53088","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-05-02T15:51:43.551Z","datePublished":"2025-05-02T15:55:34.840Z","dateUpdated":"2026-05-23T15:27:58.164Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-23T15:27:58.164Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix UaF in listener shutdown\n\nAs reported by Christoph after having refactored the passive\nsocket initialization, the mptcp listener shutdown path is prone\nto an UaF issue.\n\n  BUG: KASAN: use-after-free in _raw_spin_lock_bh+0x73/0xe0\n  Write of size 4 at addr ffff88810cb23098 by task syz-executor731/1266\n\n  CPU: 1 PID: 1266 Comm: syz-executor731 Not tainted 6.2.0-rc59af4eaa31c1f6c00c8f1e448ed99a45c66340dd5 #6\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x6e/0x91\n   print_report+0x16a/0x46f\n   kasan_report+0xad/0x130\n   kasan_check_range+0x14a/0x1a0\n   _raw_spin_lock_bh+0x73/0xe0\n   subflow_error_report+0x6d/0x110\n   sk_error_report+0x3b/0x190\n   tcp_disconnect+0x138c/0x1aa0\n   inet_child_forget+0x6f/0x2e0\n   inet_csk_listen_stop+0x209/0x1060\n   __mptcp_close_ssk+0x52d/0x610\n   mptcp_destroy_common+0x165/0x640\n   mptcp_destroy+0x13/0x80\n   __mptcp_destroy_sock+0xe7/0x270\n   __mptcp_close+0x70e/0x9b0\n   mptcp_close+0x2b/0x150\n   inet_release+0xe9/0x1f0\n   __sock_release+0xd2/0x280\n   sock_close+0x15/0x20\n   __fput+0x252/0xa20\n   task_work_run+0x169/0x250\n   exit_to_user_mode_prepare+0x113/0x120\n   syscall_exit_to_user_mode+0x1d/0x40\n   do_syscall_64+0x48/0x90\n   entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nThe msk grace period can legitly expire in between the last\nreference count dropped in mptcp_subflow_queue_clean() and\nthe later eventual access in inet_csk_listen_stop()\n\nAfter the previous patch we don't need anymore special-casing\nmsk listener socket cleanup: the mptcp worker will process each\nof the unaccepted msk sockets.\n\nJust drop the now unnecessary code.\n\nPlease note this commit depends on the two parent ones:\n\n  mptcp: refactor passive socket initialization\n  mptcp: use the workqueue to destroy unaccepted sockets"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/mptcp/protocol.c","net/mptcp/protocol.h","net/mptcp/subflow.c"],"versions":[{"version":"6aeed9045071f2252ff4e98fc13d1e304f33e5b0","lessThan":"5564be74a22a61855f8b8c100d8c4abb003bb792","status":"affected","versionType":"git"},{"version":"6aeed9045071f2252ff4e98fc13d1e304f33e5b0","lessThan":"0f4f4cf5d32f10543deb946a37111e714579511e","status":"affected","versionType":"git"},{"version":"6aeed9045071f2252ff4e98fc13d1e304f33e5b0","lessThan":"0a3f4f1f9c27215e4ddcd312558342e57b93e518","status":"affected","versionType":"git"},{"version":"a8a3e95c74e48c2c9b07b81fafda9122993f2e12","status":"affected","versionType":"git"},{"version":"5.18.10","lessThan":"5.19","status":"affected","versionType":"semver"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/mptcp/protocol.c","net/mptcp/protocol.h","net/mptcp/subflow.c"],"versions":[{"version":"5.19","status":"affected"},{"version":"0","lessThan":"5.19","status":"unaffected","versionType":"semver"},{"version":"6.1.22","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.2.8","lessThanOrEqual":"6.2.*","status":"unaffected","versionType":"semver"},{"version":"6.3","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.19","versionEndExcluding":"6.1.22"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.19","versionEndExcluding":"6.2.8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.19","versionEndExcluding":"6.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18.10"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/5564be74a22a61855f8b8c100d8c4abb003bb792"},{"url":"https://git.kernel.org/stable/c/0f4f4cf5d32f10543deb946a37111e714579511e"},{"url":"https://git.kernel.org/stable/c/0a3f4f1f9c27215e4ddcd312558342e57b93e518"}],"title":"mptcp: fix UaF in listener shutdown","x_generator":{"engine":"bippy-1.2.0"}}}}