VYPR
← All advisories
Unrated severityNVD Advisory· Published Dec 24, 2025· Updated Apr 15, 2026

CVE-2023-54142

CVE-2023-54142

Description

In the Linux kernel, the following vulnerability has been resolved:

gtp: Fix use-after-free in __gtp_encap_destroy().

syzkaller reported use-after-free in __gtp_encap_destroy(). [0]

It shows the same process freed sk and touched it illegally.

Commit e198987e7dd7 ("gtp: fix suspicious RCU usage") added lock_sock() and release_sock() in __gtp_encap_destroy() to protect sk->sk_user_data, but release_sock() is called after sock_put() releases the last refcnt.

[0]: BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline] BUG: KASAN: slab-use-after-free in atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline] BUG: KASAN: slab-use-after-free in queued_spin_lock include/asm-generic/qspinlock.h:111 [inline] BUG: KASAN: slab-use-after-free in do_raw_spin_lock include/linux/spinlock.h:186 [inline] BUG: KASAN: slab-use-after-free in __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline] BUG: KASAN: slab-use-after-free in _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178 Write of size 4 at addr ffff88800dbef398 by task syz-executor.2/2401

CPU: 1 PID: 2401 Comm: syz-executor.2 Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Call Trace:

__dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x72/0xa0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:351 [inline] print_report+0xcc/0x620 mm/kasan/report.c:462 kasan_report+0xb2/0xe0 mm/kasan/report.c:572 check_region_inline mm/kasan/generic.c:181 [inline] kasan_check_range+0x39/0x1c0 mm/kasan/generic.c:187 instrument_atomic_read_write include/linux/instrumented.h:96 [inline] atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline] queued_spin_lock include/asm-generic/qspinlock.h:111 [inline] do_raw_spin_lock include/linux/spinlock.h:186 [inline] __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline] _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178 spin_lock_bh include/linux/spinlock.h:355 [inline] release_sock+0x1f/0x1a0 net/core/sock.c:3526 gtp_encap_disable_sock drivers/net/gtp.c:651 [inline] gtp_encap_disable+0xb9/0x220 drivers/net/gtp.c:664 gtp_dev_uninit+0x19/0x50 drivers/net/gtp.c:728 unregister_netdevice_many_notify+0x97e/0x1520 net/core/dev.c:10841 rtnl_delete_link net/core/rtnetlink.c:3216 [inline] rtnl_dellink+0x3c0/0xb30 net/core/rtnetlink.c:3268 rtnetlink_rcv_msg+0x450/0xb10 net/core/rtnetlink.c:6423 netlink_rcv_skb+0x15d/0x450 net/netlink/af_netlink.c:2548 netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] netlink_unicast+0x700/0x930 net/netlink/af_netlink.c:1365 netlink_sendmsg+0x91c/0xe30 net/netlink/af_netlink.c:1913 sock_sendmsg_nosec net/socket.c:724 [inline] sock_sendmsg+0x1b7/0x200 net/socket.c:747 ____sys_sendmsg+0x75a/0x990 net/socket.c:2493 ___sys_sendmsg+0x11d/0x1c0 net/socket.c:2547 __sys_sendmsg+0xfe/0x1d0 net/socket.c:2576 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x72/0xdc RIP: 0033:0x7f1168b1fe5d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48 RSP: 002b:00007f1167edccc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f1168b1fe5d RDX: 0000000000000000 RSI: 00000000200002c0 RDI: 0000000000000003 RBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007f1168b80530 R15: 0000000000000000

Allocated by task 1483: kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 __kasan_slab_alloc+0x ---truncated---

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free bug in the Linux kernel's GTP driver occurs when the socket's last reference is released before releasing its lock, allowing local privilege escalation.

Vulnerability

CVE-2023-54142 is a use-after-free vulnerability in the Linux kernel's GTP (GPRS Tunneling Protocol) driver, specifically in the __gtp_encap_destroy() function. The root cause is an incorrect ordering of operations: sock_put() (which may release the final reference to the socket and free it) is called before release_sock(). Although earlier commit e198987e7dd7 attempted to fix a related RCU issue by adding lock_sock()/release_sock(), it introduced this lifetime bug where the socket can be freed while still being accessed [1].

Exploitation

An attacker who can trigger the GTP encapsulation destroy path—typically by closing a GTP socket or removing a GTP device—can cause the kernel to access freed socket memory. The attack requires local access and the ability to create or manipulate GTP interfaces, which currently requires the CAP_NET_ADMIN capability. No special network position is needed beyond local execution [2].

Impact

Successful exploitation leads to a kernel panic (denial of service) via the use-after-free, as demonstrated by Syzkaller reports showing KASAN slab-use-after-free warnings. In some configurations, the out-of-bounds write could potentially be leveraged for local privilege escalation, although the primary impact is system crash [3].

Mitigation

The fix reorders the operations so that release_sock() is called before sock_put(), ensuring the socket lock is released while the socket is still alive. The patches are applied in the upstream Linux kernel and backported to stable versions including 5.15, 6.1, 6.6, and 6.7. Users should update their kernel to the latest stable release to remediate this vulnerability [4].

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!
  3. Making sure you're not a bot!
  4. Making sure you're not a bot!

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

9
d38039697184
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
e5aa6d829831
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
9c9662e2512b
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
bccc7ace12e6
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
ebd6d2077a08
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
17d6b6354f00
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
dae6095bdb24
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
58fa341327fd
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
ce3aee7114c5
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

9

News mentions

0

No linked articles in our index yet.