VYPR
← All advisories
Unrated severityNVD Advisory· Published Dec 9, 2025· Updated Apr 15, 2026

CVE-2023-53781

CVE-2023-53781

Description

In the Linux kernel, the following vulnerability has been resolved:

smc: Fix use-after-free in tcp_write_timer_handler().

With Eric's ref tracker, syzbot finally found a repro for use-after-free in tcp_write_timer_handler() by kernel TCP sockets. [0]

If SMC creates a kernel socket in __smc_create(), the kernel socket is supposed to be freed in smc_clcsock_release() by calling sock_release() when we close() the parent SMC socket.

However, at the end of smc_clcsock_release(), the kernel socket's sk_state might not be TCP_CLOSE. This means that we have not called inet_csk_destroy_sock() in __tcp_close() and have not stopped the TCP timers.

The kernel socket's TCP timers can be fired later, so we need to hold a refcnt for net as we do for MPTCP subflows in mptcp_subflow_create_socket().

[0]: leaked reference. sk_alloc (./include/net/net_namespace.h:335 net/core/sock.c:2108) inet_create (net/ipv4/af_inet.c:319 net/ipv4/af_inet.c:244) __sock_create (net/socket.c:1546) smc_create (net/smc/af_smc.c:3269 net/smc/af_smc.c:3284) __sock_create (net/socket.c:1546) __sys_socket (net/socket.c:1634 net/socket.c:1618 net/socket.c:1661) __x64_sys_socket (net/socket.c:1672) do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) ================================================================== BUG: KASAN: slab-use-after-free in tcp_write_timer_handler (net/ipv4/tcp_timer.c:378 net/ipv4/tcp_timer.c:624 net/ipv4/tcp_timer.c:594) Read of size 1 at addr ffff888052b65e0d by task syzrepro/18091

CPU: 0 PID: 18091 Comm: syzrepro Tainted: G W 6.3.0-rc4-01174-gb5d54eb5899a #7 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.amzn2022.0.1 04/01/2014 Call Trace:

dump_stack_lvl (lib/dump_stack.c:107) print_report (mm/kasan/report.c:320 mm/kasan/report.c:430) kasan_report (mm/kasan/report.c:538) tcp_write_timer_handler (net/ipv4/tcp_timer.c:378 net/ipv4/tcp_timer.c:624 net/ipv4/tcp_timer.c:594) tcp_write_timer (./include/linux/spinlock.h:390 net/ipv4/tcp_timer.c:643) call_timer_fn (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/timer.h:127 kernel/time/timer.c:1701) __run_timers.part.0 (kernel/time/timer.c:1752 kernel/time/timer.c:2022) run_timer_softirq (kernel/time/timer.c:2037) __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:572) __irq_exit_rcu (kernel/softirq.c:445 kernel/softirq.c:650) irq_exit_rcu (kernel/softirq.c:664) sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1107 (discriminator 14))

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Use-after-free in Linux kernel's SMC socket handling due to TCP timers not being stopped before socket release, allowing local exploitation.

Vulnerability

Overview

The vulnerability resides in the Linux kernel's SMC (Shared Memory Communications) implementation. When an SMC socket is created via __smc_create(), an internal kernel TCP socket is allocated. Upon closing the parent SMC socket, smc_clcsock_release() is supposed to free this kernel socket via sock_release(). However, if the kernel socket's state is not TCP_CLOSE at that point, the TCP timers (such as tcp_write_timer) have not been stopped by inet_csk_destroy_sock(). This leaves a window where the timer can fire after the socket memory has been freed, leading to a use-after-free condition [1].

Exploitation

Conditions

A local attacker can trigger this bug by creating an SMC socket and closing it in a manner that leaves the internal TCP socket in a non-CLOSE state. The attack does not require root privileges; any user able to create AF_SMC sockets (which is typically allowed for unprivileged users if the kernel is built with CONFIG_SMC) can attempt to exploit it. The syzbot fuzzer demonstrated a reproducible case, confirming that the vulnerability is reachable from userspace [1].

Impact

Successful exploitation results in a use-after-free read in tcp_write_timer_handler(), as shown by the KASAN report. This can be leveraged to cause a denial of service (system crash) or, potentially, to escalate privileges if the attacker can control the freed memory. The vulnerability affects all Linux kernel versions prior to the fix.

Mitigation

The fix is included in the kernel commit referenced [1], which adds proper reference counting for the network namespace (net) to ensure the socket is not freed while TCP timers are still active. Users should apply the patch or update to a kernel version that includes this commit. No workaround is available; updating the kernel is the recommended action.

References
  1. Making sure you're not a bot!

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

2
1cc41c8acfc1
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
9744d2bf1976
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2

News mentions

0

No linked articles in our index yet.