{"id":"CVE-2023-53088","summary":"mptcp: fix UaF in listener shutdown","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix UaF in listener shutdown\n\nAs reported by Christoph after having refactored the passive\nsocket initialization, the mptcp listener shutdown path is prone\nto an UaF issue.\n\n  BUG: KASAN: use-after-free in _raw_spin_lock_bh+0x73/0xe0\n  Write of size 4 at addr ffff88810cb23098 by task syz-executor731/1266\n\n  CPU: 1 PID: 1266 Comm: syz-executor731 Not tainted 6.2.0-rc59af4eaa31c1f6c00c8f1e448ed99a45c66340dd5 #6\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n  Call Trace:\n   \u003cTASK\u003e\n   dump_stack_lvl+0x6e/0x91\n   print_report+0x16a/0x46f\n   kasan_report+0xad/0x130\n   kasan_check_range+0x14a/0x1a0\n   _raw_spin_lock_bh+0x73/0xe0\n   subflow_error_report+0x6d/0x110\n   sk_error_report+0x3b/0x190\n   tcp_disconnect+0x138c/0x1aa0\n   inet_child_forget+0x6f/0x2e0\n   inet_csk_listen_stop+0x209/0x1060\n   __mptcp_close_ssk+0x52d/0x610\n   mptcp_destroy_common+0x165/0x640\n   mptcp_destroy+0x13/0x80\n   __mptcp_destroy_sock+0xe7/0x270\n   __mptcp_close+0x70e/0x9b0\n   mptcp_close+0x2b/0x150\n   inet_release+0xe9/0x1f0\n   __sock_release+0xd2/0x280\n   sock_close+0x15/0x20\n   __fput+0x252/0xa20\n   task_work_run+0x169/0x250\n   exit_to_user_mode_prepare+0x113/0x120\n   syscall_exit_to_user_mode+0x1d/0x40\n   do_syscall_64+0x48/0x90\n   entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nThe msk grace period can legitly expire in between the last\nreference count dropped in mptcp_subflow_queue_clean() and\nthe later eventual access in inet_csk_listen_stop()\n\nAfter the previous patch we don't need anymore special-casing\nmsk listener socket cleanup: the mptcp worker will process each\nof the unaccepted msk sockets.\n\nJust drop the now unnecessary code.\n\nPlease note this commit depends on the two parent ones:\n\n  mptcp: refactor passive socket initialization\n  mptcp: use the workqueue to destroy unaccepted sockets","modified":"2026-04-11T11:57:20.399373Z","published":"2025-05-02T15:55:34.840Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53088.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0a3f4f1f9c27215e4ddcd312558342e57b93e518"},{"type":"WEB","url":"https://git.kernel.org/stable/c/0f4f4cf5d32f10543deb946a37111e714579511e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5564be74a22a61855f8b8c100d8c4abb003bb792"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53088.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-53088"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"6aeed9045071f2252ff4e98fc13d1e304f33e5b0"},{"fixed":"5564be74a22a61855f8b8c100d8c4abb003bb792"},{"fixed":"0f4f4cf5d32f10543deb946a37111e714579511e"},{"fixed":"0a3f4f1f9c27215e4ddcd312558342e57b93e518"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"a8a3e95c74e48c2c9b07b81fafda9122993f2e12"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53088.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.19.0"},{"fixed":"6.1.22"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.2.8"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53088.json"}}],"schema_version":"1.7.5"}