{"id":"CVE-2023-53072","summary":"mptcp: use the workqueue to destroy unaccepted sockets","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: use the workqueue to destroy unaccepted sockets\n\nChristoph reported a UaF at token lookup time after having\nrefactored the passive socket initialization part:\n\n  BUG: KASAN: use-after-free in __token_bucket_busy+0x253/0x260\n  Read of size 4 at addr ffff88810698d5b0 by task syz-executor653/3198\n\n  CPU: 1 PID: 3198 Comm: syz-executor653 Not tainted 6.2.0-rc59af4eaa31c1f6c00c8f1e448ed99a45c66340dd5 #6\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n  Call Trace:\n   \u003cTASK\u003e\n   dump_stack_lvl+0x6e/0x91\n   print_report+0x16a/0x46f\n   kasan_report+0xad/0x130\n   __token_bucket_busy+0x253/0x260\n   mptcp_token_new_connect+0x13d/0x490\n   mptcp_connect+0x4ed/0x860\n   __inet_stream_connect+0x80e/0xd90\n   tcp_sendmsg_fastopen+0x3ce/0x710\n   mptcp_sendmsg+0xff1/0x1a20\n   inet_sendmsg+0x11d/0x140\n   __sys_sendto+0x405/0x490\n   __x64_sys_sendto+0xdc/0x1b0\n   do_syscall_64+0x3b/0x90\n   entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nWe need to properly clean-up all the paired MPTCP-level\nresources and be sure to release the msk last, even when\nthe unaccepted subflow is destroyed by the TCP internals\nvia inet_child_forget().\n\nWe can re-use the existing MPTCP_WORK_CLOSE_SUBFLOW infra,\nexplicitly checking that for the critical scenario: the\nclosed subflow is the MPC one, the msk is not accepted and\neventually going through full cleanup.\n\nWith such change, __mptcp_destroy_sock() is always called\non msk sockets, even on accepted ones. We don't need anymore\nto transiently drop one sk reference at msk clone time.\n\nPlease note this commit depends on the parent one:\n\n  mptcp: refactor passive socket initialization","modified":"2026-04-11T12:46:40.806833Z","published":"2025-05-02T15:55:23.765Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53072.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/2827f099b3fb9a59263c997400e9182f5d423e84"},{"type":"WEB","url":"https://git.kernel.org/stable/c/804cf487fb0031f3c74755b78d8663333f0ba636"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b6985b9b82954caa53f862d6059d06c0526254f0"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53072.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-53072"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"58b09919626bf9067345289212ec030c61eb1034"},{"fixed":"2827f099b3fb9a59263c997400e9182f5d423e84"},{"fixed":"804cf487fb0031f3c74755b78d8663333f0ba636"},{"fixed":"b6985b9b82954caa53f862d6059d06c0526254f0"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53072.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.7.0"},{"fixed":"6.1.22"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.2.8"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53072.json"}}],"schema_version":"1.7.5"}