CVE-2023-53831
Description
In the Linux kernel, the following vulnerability has been resolved:
net: read sk->sk_family once in sk_mc_loop()
syzbot is playing with IPV6_ADDRFORM quite a lot these days, and managed to hit the WARN_ON_ONCE(1) in sk_mc_loop()
We have many more similar issues to fix.
WARNING: CPU: 1 PID: 1593 at net/core/sock.c:782 sk_mc_loop+0x165/0x260 Modules linked in: CPU: 1 PID: 1593 Comm: kworker/1:3 Not tainted 6.1.40-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 Workqueue: events_power_efficient gc_worker RIP: 0010:sk_mc_loop+0x165/0x260 net/core/sock.c:782 Code: 34 1b fd 49 81 c7 18 05 00 00 4c 89 f8 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 ff e8 25 36 6d fd 4d 8b 37 eb 13 e8 db 33 1b fd <0f> 0b b3 01 eb 34 e8 d0 33 1b fd 45 31 f6 49 83 c6 38 4c 89 f0 48 RSP: 0018:ffffc90000388530 EFLAGS: 00010246 RAX: ffffffff846d9b55 RBX: 0000000000000011 RCX: ffff88814f884980 RDX: 0000000000000102 RSI: ffffffff87ae5160 RDI: 0000000000000011 RBP: ffffc90000388550 R08: 0000000000000003 R09: ffffffff846d9a65 R10: 0000000000000002 R11: ffff88814f884980 R12: dffffc0000000000 R13: ffff88810dbee000 R14: 0000000000000010 R15: ffff888150084000 FS: 0000000000000000(0000) GS:ffff8881f6b00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000180 CR3: 000000014ee5b000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace:
[] ip6_finish_output2+0x33f/0x1ae0 net/ipv6/ip6_output.c:83 [] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline] [] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211 [] NF_HOOK_COND include/linux/netfilter.h:298 [inline] [] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232 [] dst_output include/net/dst.h:444 [inline] [] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161 [] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline] [] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline] [] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline] [] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677 [] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229 [] netdev_start_xmit include/linux/netdevice.h:4925 [inline] [] xmit_one net/core/dev.c:3644 [inline] [] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660 [] sch_direct_xmit+0x2a0/0x9c0 net/sched/sch_generic.c:342 [] qdisc_restart net/sched/sch_generic.c:407 [inline] [] __qdisc_run+0xb13/0x1e70 net/sched/sch_generic.c:415 [] qdisc_run+0xd6/0x260 include/net/pkt_sched.h:125 [] net_tx_action+0x7ac/0x940 net/core/dev.c:5247 [] __do_softirq+0x2bd/0x9bd kernel/softirq.c:599 [] invoke_softirq kernel/softirq.c:430 [inline] [] __irq_exit_rcu+0xc8/0x170 kernel/softirq.c:683 [] irq_exit_rcu+0x9/0x20 kernel/softirq.c:695
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, sk_mc_loop() reads sk->sk_family without locking, leading to a data race that can trigger a WARN_ON_ONCE and potential system crash.
Vulnerability
Description
In the Linux kernel's networking subsystem, the function sk_mc_loop() in net/core/sock.c improperly accesses the socket's sk_family field without proper synchronization. The kernel's sk_mc_loop() function reads sk->sk_family multiple times, allowing a concurrent operation (such as the IPV6_ADDRFORM socket option) to change the field between reads. This race condition causes the function to operate on inconsistent data, leading to a WARN_ON_ONCE(1) warning and a potential system crash [1].
Exploitation
Path
The vulnerability can be triggered by leveraging the IPV6_ADDRFORM socket option, which converts an IPv6 socket to IPv4. An attacker who can influence socket operations on the same socket concurrently may cause a data race. No special privileges are required to trigger this race, and it can be exploited by unprivileged processes that can create and manipulate IPv6 sockets. The race manifests when sk_mc_loop() is called during network output processing (e.g., in ip6_finish_output2) while another thread modifies the socket's address family [1][2].
Impact
Successful exploitation results in a kernel warning (WARN_ON_ONCE) and potential denial of service due to a system crash or hang. While the primary consequence is a kernel panic, the race condition could theoretically be leveraged for further memory corruption if the inconsistent state is exploited. The vulnerability primarily affects system stability and availability [1].
Mitigation
The fix ensures that sk->sk_family is read only once at the beginning of sk_mc_loop() and the cached value is used thereafter, preventing the race condition. Patches have been applied to the Linux kernel stable trees [2][3][4]. Users are advised to update their kernels to versions including the fix or apply the relevant patch. There is no known workaround other than applying the kernel update.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
8e918d0211ffba3e0fdf71bbe7586a66b9c4f41f10a4d78fe895dc4c47171ed4e0adfa4079036b6342fcdb1f5b890b89cVulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
8- git.kernel.org/stable/c/41f10a4d78fe69d685a3172e6884297f233dcf95nvd
- git.kernel.org/stable/c/7586a66b9c4f1b8a825ea1dfa3a91aad5cc7b89bnvd
- git.kernel.org/stable/c/895dc4c47171a20035cdaa8d74c1c1e97f2fc974nvd
- git.kernel.org/stable/c/9036b6342fcdab190d6edce3dd447859c1de90fcnvd
- git.kernel.org/stable/c/a3e0fdf71bbe031de845e8e08ed7fba49f9c702cnvd
- git.kernel.org/stable/c/b1f5b890b89cb38a6c0bac91984d56cd69808e8cnvd
- git.kernel.org/stable/c/e918d0211ffbaf039447334c3460cafee1ce0157nvd
- git.kernel.org/stable/c/ed4e0adfa407ab65dd73b8862ebf2f308a0349d2nvd
News mentions
0No linked articles in our index yet.