{"id":"CVE-2023-54176","summary":"mptcp: stricter state check in mptcp_worker","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: stricter state check in mptcp_worker\n\nAs reported by Christoph, the mptcp protocol can run the\nworker when the relevant msk socket is in an unexpected state:\n\nconnect()\n// incoming reset + fastclose\n// the mptcp worker is scheduled\nmptcp_disconnect()\n// msk is now CLOSED\nlisten()\nmptcp_worker()\n\nLeading to the following splat:\n\ndivide error: 0000 [#1] PREEMPT SMP\nCPU: 1 PID: 21 Comm: kworker/1:0 Not tainted 6.3.0-rc1-gde5e8fd0123c #11\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014\nWorkqueue: events mptcp_worker\nRIP: 0010:__tcp_select_window+0x22c/0x4b0 net/ipv4/tcp_output.c:3018\nRSP: 0018:ffffc900000b3c98 EFLAGS: 00010293\nRAX: 000000000000ffd7 RBX: 000000000000ffd7 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffffffff8214ce97 RDI: 0000000000000004\nRBP: 000000000000ffd7 R08: 0000000000000004 R09: 0000000000010000\nR10: 000000000000ffd7 R11: ffff888005afa148 R12: 000000000000ffd7\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\nFS:  0000000000000000(0000) GS:ffff88803ed00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000405270 CR3: 000000003011e006 CR4: 0000000000370ee0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n tcp_select_window net/ipv4/tcp_output.c:262 [inline]\n __tcp_transmit_skb+0x356/0x1280 net/ipv4/tcp_output.c:1345\n tcp_transmit_skb net/ipv4/tcp_output.c:1417 [inline]\n tcp_send_active_reset+0x13e/0x320 net/ipv4/tcp_output.c:3459\n mptcp_check_fastclose net/mptcp/protocol.c:2530 [inline]\n mptcp_worker+0x6c7/0x800 net/mptcp/protocol.c:2705\n process_one_work+0x3bd/0x950 kernel/workqueue.c:2390\n worker_thread+0x5b/0x610 kernel/workqueue.c:2537\n kthread+0x138/0x170 kernel/kthread.c:376\n ret_from_fork+0x2c/0x50 arch/x86/entry/entry_64.S:308\n \u003c/TASK\u003e\n\nThis change addresses the issue explicitly checking for bad states\nbefore running the mptcp worker.","modified":"2026-03-20T12:33:29.271024Z","published":"2025-12-30T12:08:48.915Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54176.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/19ea79e87af32c2b3c6fc49bd84efeb35ca57678"},{"type":"WEB","url":"https://git.kernel.org/stable/c/aff9099e9c51f15c8def05c75b2b73e8487b5d54"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d6a0443733434408f2cbd4c53fea6910599bab9e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f0b4a4086cf27240fc621a560da9735159049dcc"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54176.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-54176"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"e16163b6e2b720fb74e5af758546f6dad27e6c9e"},{"fixed":"f0b4a4086cf27240fc621a560da9735159049dcc"},{"fixed":"aff9099e9c51f15c8def05c75b2b73e8487b5d54"},{"fixed":"19ea79e87af32c2b3c6fc49bd84efeb35ca57678"},{"fixed":"d6a0443733434408f2cbd4c53fea6910599bab9e"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-54176.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.108"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.25"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.2.12"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-54176.json"}}],"schema_version":"1.7.5"}