CVE-2023-53781 in Linuxinfo

Summary

by MITRE • 12/09/2025

In the Linux kernel, the following vulnerability has been resolved:

smc: Fix use-after-free in tcp_write_timer_handler().

With Eric's ref tracker, syzbot finally found a repro for use-after-free in tcp_write_timer_handler() by kernel TCP sockets. [0]

If SMC creates a kernel socket in __smc_create(), the kernel socket is supposed to be freed in smc_clcsock_release() by calling sock_release() when we close() the parent SMC socket.

However, at the end of smc_clcsock_release(), the kernel socket's sk_state might not be TCP_CLOSE. This means that we have not called inet_csk_destroy_sock() in __tcp_close() and have not stopped the TCP timers.

The kernel socket's TCP timers can be fired later, so we need to hold a refcnt for net as we do for MPTCP subflows in mptcp_subflow_create_socket().

[0]:
leaked reference. sk_alloc (./include/net/net_namespace.h:335 net/core/sock.c:2108) inet_create (net/ipv4/af_inet.c:319 net/ipv4/af_inet.c:244) __sock_create (net/socket.c:1546) smc_create (net/smc/af_smc.c:3269 net/smc/af_smc.c:3284) __sock_create (net/socket.c:1546) __sys_socket (net/socket.c:1634 net/socket.c:1618 net/socket.c:1661) __x64_sys_socket (net/socket.c:1672) do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) ================================================================== BUG: KASAN: slab-use-after-free in tcp_write_timer_handler (net/ipv4/tcp_timer.c:378 net/ipv4/tcp_timer.c:624 net/ipv4/tcp_timer.c:594) Read of size 1 at addr ffff888052b65e0d by task syzrepro/18091

CPU: 0 PID: 18091 Comm: syzrepro Tainted: G W 6.3.0-rc4-01174-gb5d54eb5899a #7 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.amzn2022.0.1 04/01/2014 Call Trace: <IRQ> dump_stack_lvl (lib/dump_stack.c:107) print_report (mm/kasan/report.c:320 mm/kasan/report.c:430) kasan_report (mm/kasan/report.c:538) tcp_write_timer_handler (net/ipv4/tcp_timer.c:378 net/ipv4/tcp_timer.c:624 net/ipv4/tcp_timer.c:594) tcp_write_timer (./include/linux/spinlock.h:390 net/ipv4/tcp_timer.c:643) call_timer_fn (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/timer.h:127 kernel/time/timer.c:1701) __run_timers.part.0 (kernel/time/timer.c:1752 kernel/time/timer.c:2022) run_timer_softirq (kernel/time/timer.c:2037) __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:572) __irq_exit_rcu (kernel/softirq.c:445 kernel/softirq.c:650) irq_exit_rcu (kernel/softirq.c:664) sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1107 (discriminator 14)) </IRQ>

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 03/29/2026

The vulnerability identified as CVE-2023-53781 resides within the Linux kernel's implementation of the Scalable Reliable Communication (SMC) protocol, specifically in the handling of TCP socket lifecycle management. This issue manifests as a use-after-free condition in the tcp_write_timer_handler function, which occurs when SMC attempts to manage kernel sockets created during the socket creation process. The flaw is particularly significant because it involves improper reference counting for network namespaces, leading to potential memory corruption and system instability.

The technical root cause stems from a discrepancy in how SMC handles socket cleanup when closing SMC sockets. When __smc_create() is invoked, it generates a kernel socket that should be properly released through smc_clcsock_release() by calling sock_release(). However, the vulnerability arises because the kernel socket's socket state may not transition to TCP_CLOSE before the cleanup process completes. This incomplete state transition prevents the execution of inet_csk_destroy_sock() within __tcp_close(), which is responsible for stopping TCP timers and cleaning up timer-related resources. Consequently, TCP timers that were scheduled for the kernel socket can fire after the memory has been freed, leading to a use-after-free scenario.

This vulnerability aligns with CWE-416, which describes the use of freed memory condition, and is particularly relevant to the ATT&CK technique T1059.001, which involves executing commands through system binaries. The flaw enables an attacker to potentially corrupt kernel memory and execute arbitrary code with kernel privileges, as demonstrated by the KASAN report showing the use-after-free in tcp_write_timer_handler. The vulnerability is triggered through the SMC socket creation and closure process, where the kernel socket's reference count is not properly maintained, allowing timer callbacks to access freed memory.

The operational impact of this vulnerability is severe, as it can lead to system crashes, data corruption, and privilege escalation. The use-after-free condition occurs during the TCP timer callback execution, which means that even a benign network operation could trigger the vulnerability. Attackers could exploit this by creating SMC sockets and then closing them in a specific sequence, causing the kernel to schedule TCP timers on already freed memory structures. The vulnerability is particularly concerning in environments where SMC is actively used, as it could be leveraged to cause denial of service or gain elevated privileges within the kernel space.

Mitigation strategies for CVE-2023-53781 should focus on ensuring proper reference counting for network namespaces associated with kernel sockets created by SMC. The fix must ensure that when smc_clcsock_release() is executed, the kernel socket's reference count is properly maintained to prevent premature memory deallocation. This aligns with the recommended practices for preventing use-after-free conditions in kernel code and follows the established patterns used for MPTCP subflows, where net namespace references are properly held. System administrators should apply the relevant kernel patches that address this specific issue, as the vulnerability is a direct result of improper resource management in the kernel's TCP timer subsystem. The fix should also include verification that TCP timers are properly cancelled before socket memory is freed, preventing any potential timer callbacks from accessing freed structures.

Responsible

Linux

Reservation

12/09/2025

Disclosure

12/09/2025

Moderation

accepted

CPE

ready

EPSS

0.00162

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!