Unrated severity · NVD Advisory · Published Dec 24, 2025 · Updated Apr 15, 2026

CVE-2023-54085

Description

In the Linux kernel, the following vulnerability has been resolved:

mptcp: fix NULL pointer dereference on fastopen early fallback

In case of early fallback to TCP, subflow_syn_recv_sock() deletes the subflow context before returning the newly allocated sock to the caller.

The fastopen path does not cope with the above, unconditionally dereferencing the subflow context.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Linux kernel MPTCP fastopen early fallback causes NULL pointer dereference, leading to DoS when subflow context is deleted.

Description

In the Linux kernel's MPTCP (Multipath TCP) implementation, a NULL pointer dereference vulnerability exists in the fastopen path during early fallback to TCP. When early fallback occurs, subflow_syn_recv_sock() deletes the subflow context before returning the newly allocated socket to the caller. The fastopen path does not handle this scenario and unconditionally dereferences the subflow context, leading to a NULL pointer dereference [1].

Exploitation

An attacker can trigger this vulnerability by establishing an MPTCP connection with fastopen enabled and causing an early fallback to TCP. This requires the target system to have MPTCP and fastopen enabled. The attack can be carried out remotely without authentication, as the condition is triggered during connection setup. The exact network requirements depend on the attacker's position, but typically sending crafted MPTCP SYNs that result in fallback can exploit this.
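The preconditions named above (MPTCP and fastopen enabled) can be checked per host from its sysctls. The script below is an added example, not part of the advisory; it assumes those preconditions map to `net.mptcp.enabled` and the server bits of `net.ipv4.tcp_fastopen`, and the function name `mptcp_tfo_preconditions` is hypothetical.

```shell
#!/bin/sh
# Added example: report whether this host has MPTCP and server-side
# TCP Fast Open enabled, the two preconditions the advisory names.
# Usage: mptcp_tfo_preconditions [proc_sys_root]   (default: /proc/sys)
# The optional root argument exists so the check can be run against a
# collected copy of /proc/sys or a constructed test tree.
mptcp_tfo_preconditions() {
    root="${1:-/proc/sys}"
    mptcp_file="$root/net/mptcp/enabled"
    tfo_file="$root/net/ipv4/tcp_fastopen"

    # net.mptcp.enabled does not exist on kernels built without MPTCP.
    if [ ! -r "$mptcp_file" ]; then
        echo "mptcp=absent"
        return 0
    fi
    mptcp=$(cat "$mptcp_file")
    if [ "$mptcp" != "1" ]; then
        echo "mptcp=disabled"
        return 0
    fi

    # net.ipv4.tcp_fastopen is a bitmask:
    #   0x2   server-side Fast Open allowed
    #   0x400 Fast Open on every listener, no TCP_FASTOPEN sockopt needed
    tfo=$(cat "$tfo_file" 2>/dev/null || echo 0)
    tfo=${tfo:-0}
    if [ $(( tfo & 0x2 )) -eq 0 ]; then
        echo "mptcp=enabled tfo_server=off"
    elif [ $(( tfo & 0x400 )) -ne 0 ]; then
        echo "mptcp=enabled tfo_server=all-listeners"
    else
        echo "mptcp=enabled tfo_server=per-socket"
    fi
}

# Report for the local host (or for the tree given as the first argument).
mptcp_tfo_preconditions "$@"
```

A result of `tfo_server=per-socket` means a listener is only in scope if the application also sets the `TCP_FASTOPEN` socket option; the script reports configuration only and does not tell you whether the running kernel carries the fix.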

Impact

Successful exploitation results in a kernel NULL pointer dereference, leading to a system crash or denial of service (DoS). There is no evidence of privilege escalation or remote code execution; the impact is limited to availability.

Mitigation

The vulnerability is fixed in the Linux kernel commit referenced in [1]. System administrators should apply the latest kernel updates or backport the fix. As of the publication date, no workaround is available for unpatched systems.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 2

References: 2
