{
  "threat_severity" : "Moderate",
  "public_date" : "2025-12-30T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: mptcp: stricter state check in mptcp_worker",
    "id" : "2426134",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2426134"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-269",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmptcp: stricter state check in mptcp_worker\nAs reported by Christoph, the mptcp protocol can run the\nworker when the relevant msk socket is in an unexpected state:\nconnect()\n// incoming reset + fastclose\n// the mptcp worker is scheduled\nmptcp_disconnect()\n// msk is now CLOSED\nlisten()\nmptcp_worker()\nLeading to the following splat:\ndivide error: 0000 [#1] PREEMPT SMP\nCPU: 1 PID: 21 Comm: kworker/1:0 Not tainted 6.3.0-rc1-gde5e8fd0123c #11\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014\nWorkqueue: events mptcp_worker\nRIP: 0010:__tcp_select_window+0x22c/0x4b0 net/ipv4/tcp_output.c:3018\nRSP: 0018:ffffc900000b3c98 EFLAGS: 00010293\nRAX: 000000000000ffd7 RBX: 000000000000ffd7 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffffffff8214ce97 RDI: 0000000000000004\nRBP: 000000000000ffd7 R08: 0000000000000004 R09: 0000000000010000\nR10: 000000000000ffd7 R11: ffff888005afa148 R12: 000000000000ffd7\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\nFS:  0000000000000000(0000) GS:ffff88803ed00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000405270 CR3: 000000003011e006 CR4: 0000000000370ee0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n<TASK>\ntcp_select_window net/ipv4/tcp_output.c:262 [inline]\n__tcp_transmit_skb+0x356/0x1280 net/ipv4/tcp_output.c:1345\ntcp_transmit_skb net/ipv4/tcp_output.c:1417 [inline]\ntcp_send_active_reset+0x13e/0x320 net/ipv4/tcp_output.c:3459\nmptcp_check_fastclose net/mptcp/protocol.c:2530 [inline]\nmptcp_worker+0x6c7/0x800 net/mptcp/protocol.c:2705\nprocess_one_work+0x3bd/0x950 kernel/workqueue.c:2390\nworker_thread+0x5b/0x610 kernel/workqueue.c:2537\nkthread+0x138/0x170 kernel/kthread.c:376\nret_from_fork+0x2c/0x50 arch/x86/entry/entry_64.S:308\n</TASK>\nThis change addresses the issue explicitly checking for bad states\nbefore running the mptcp worker.", "A vulnerability was identified in the Linux kernel’s implementation of the Multipath TCP  protocol handler. Under certain sequences of socket operations (e.g., connecting, resetting/fast-closing, and re-listening), the MPTCP worker could be invoked while the associated master socket is in an unexpected or closed state. This incorrect state handling can cause a divide-error crash during TCP window selection, leading to system instability and potential denial of service." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-54176\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-54176\nhttps://lore.kernel.org/linux-cve-announce/2025123022-CVE-2023-54176-efc2@gregkh/T" ],
  "name" : "CVE-2023-54176",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}