VYPR
Unrated severity · NVD Advisory · Published Dec 30, 2025 · Updated Apr 15, 2026

CVE-2023-54176

Description

In the Linux kernel, the following vulnerability has been resolved:

mptcp: stricter state check in mptcp_worker

As reported by Christoph, the mptcp protocol can run the worker when the relevant msk socket is in an unexpected state:

    connect()
    // incoming reset + fastclose
    // the mptcp worker is scheduled
    mptcp_disconnect()
    // msk is now CLOSED
    listen()
    mptcp_worker()

Leading to the following splat:

    divide error: 0000 [#1] PREEMPT SMP
    CPU: 1 PID: 21 Comm: kworker/1:0 Not tainted 6.3.0-rc1-gde5e8fd0123c #11
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
    Workqueue: events mptcp_worker
    RIP: 0010:__tcp_select_window+0x22c/0x4b0 net/ipv4/tcp_output.c:3018
    RSP: 0018:ffffc900000b3c98 EFLAGS: 00010293
    RAX: 000000000000ffd7 RBX: 000000000000ffd7 RCX: 0000000000000000
    RDX: 0000000000000000 RSI: ffffffff8214ce97 RDI: 0000000000000004
    RBP: 000000000000ffd7 R08: 0000000000000004 R09: 0000000000010000
    R10: 000000000000ffd7 R11: ffff888005afa148 R12: 000000000000ffd7
    R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
    FS: 0000000000000000(0000) GS:ffff88803ed00000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000405270 CR3: 000000003011e006 CR4: 0000000000370ee0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     tcp_select_window net/ipv4/tcp_output.c:262 [inline]
     __tcp_transmit_skb+0x356/0x1280 net/ipv4/tcp_output.c:1345
     tcp_transmit_skb net/ipv4/tcp_output.c:1417 [inline]
     tcp_send_active_reset+0x13e/0x320 net/ipv4/tcp_output.c:3459
     mptcp_check_fastclose net/mptcp/protocol.c:2530 [inline]
     mptcp_worker+0x6c7/0x800 net/mptcp/protocol.c:2705
     process_one_work+0x3bd/0x950 kernel/workqueue.c:2390
     worker_thread+0x5b/0x610 kernel/workqueue.c:2537
     kthread+0x138/0x170 kernel/kthread.c:376
     ret_from_fork+0x2c/0x50 arch/x86/entry/entry_64.S:308

This change addresses the issue by explicitly checking for bad states before running the mptcp worker.
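A triage check for the splat quoted above, as an added example that is not part of the advisory or the kernel patch: it parses an oops from dmesg or syslog text and tests for the same fault type, workqueue function and faulting symbol. The sample log is constructed from the trace in the description, and the names parse_oops and matches_mptcp_worker_splat are hypothetical.

```python
import re

# Constructed sample: the splat from the description, abridged (registers dropped).
SAMPLE_OOPS = """\
divide error: 0000 [#1] PREEMPT SMP
Workqueue: events mptcp_worker
RIP: 0010:__tcp_select_window+0x22c/0x4b0 net/ipv4/tcp_output.c:3018
Call Trace:
 tcp_select_window net/ipv4/tcp_output.c:262 [inline]
 __tcp_transmit_skb+0x356/0x1280 net/ipv4/tcp_output.c:1345
 tcp_send_active_reset+0x13e/0x320 net/ipv4/tcp_output.c:3459
 mptcp_check_fastclose net/mptcp/protocol.c:2530 [inline]
 mptcp_worker+0x6c7/0x800 net/mptcp/protocol.c:2705
 process_one_work+0x3bd/0x950 kernel/workqueue.c:2390
"""

# Optional syslog ("host kernel: ") and dmesg ("[   12.345678] ") line prefixes.
PREFIX = re.compile(r"^(?:.*?kernel: )?(?:\[\s*\d+\.\d+\]\s*)?")
FAULT = re.compile(r"^(divide error|general protection fault|BUG|Oops)[:,]")
WORKQUEUE = re.compile(r"^Workqueue:\s+\S+\s+(\S+)")
RIP = re.compile(r"^RIP:\s+[0-9a-f]{4}:([A-Za-z_][\w.]*)\+0x")
# Reliable frames only: "sym+0xoff/0xlen ..." or "sym file:line [inline]".
FRAME = re.compile(r"^([A-Za-z_][\w.]*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+|\s+\S+:\d+\s+\[inline\])")

def parse_oops(text):
    """Extract fault type, workqueue function, faulting symbol and call-trace symbols."""
    info = {"fault": None, "workqueue": None, "rip": None, "frames": []}
    in_trace = False
    for raw in text.splitlines():
        line = PREFIX.sub("", raw, count=1).strip()
        if line.startswith("Call Trace:"):
            in_trace = True
        elif in_trace:
            if m := FRAME.match(line):
                info["frames"].append(m.group(1))
        elif m := FAULT.match(line):
            info["fault"] = info["fault"] or m.group(1)
        elif m := WORKQUEUE.match(line):
            info["workqueue"] = m.group(1)
        elif m := RIP.match(line):
            info["rip"] = info["rip"] or m.group(1)
    return info

def matches_mptcp_worker_splat(info):
    """True when the oops has the shape of the splat in this advisory."""
    return (info["fault"] == "divide error"
            and info["workqueue"] == "mptcp_worker"
            and info["rip"] == "__tcp_select_window"
            and "mptcp_worker" in info["frames"])
```

A match only says the crash has the same shape as the one in this report; confirming the cause still needs the running kernel's version and patch status.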

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing state check in the Linux kernel's MPTCP worker can cause a divide error crash when the socket is unexpectedly closed and then listened on.

Vulnerability

In the Linux kernel's MPTCP implementation, the mptcp_worker function lacked a strict state check before processing. As reported by Christoph, the worker can be scheduled when the MPTCP socket (msk) is in an unexpected state, such as after a concurrent mptcp_disconnect() that transitions the socket to CLOSED, followed by a listen() call. This leads to the worker running on a socket in a state it does not handle correctly.

Exploitation

The attack surface is local; an attacker would need to be able to trigger a specific sequence of MPTCP operations: a connection that receives a reset and fastclose, then a disconnect, and finally a listen on the same socket. This can be achieved by a local user with the ability to create and manipulate MPTCP sockets. No authentication is required beyond the ability to execute code that uses the MPTCP protocol.

Impact

When the worker runs in this invalid state, it can cause a divide error (division by zero) in __tcp_select_window, leading to a kernel crash (oops). This results in a denial of service (DoS) for the system. The crash trace shows the error occurs in the TCP window calculation path, triggered by the fastclose handling (mptcp_check_fastclose) within the MPTCP worker.

Mitigation

The fix adds an explicit check for bad socket states before the worker proceeds, preventing the crash. The patch has been applied to the stable kernel tree [1][2]. Users should update to a kernel version containing this fix.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
