{
  "threat_severity" : "Moderate",
  "public_date" : "2025-12-09T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: smc: Fix use-after-free in tcp_write_timer_handler()",
    "id" : "2420279",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2420279"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-825",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nsmc: Fix use-after-free in tcp_write_timer_handler().\nWith Eric's ref tracker, syzbot finally found a repro for\nuse-after-free in tcp_write_timer_handler() by kernel TCP\nsockets. [0]\nIf SMC creates a kernel socket in __smc_create(), the kernel\nsocket is supposed to be freed in smc_clcsock_release() by\ncalling sock_release() when we close() the parent SMC socket.\nHowever, at the end of smc_clcsock_release(), the kernel\nsocket's sk_state might not be TCP_CLOSE.  This means that\nwe have not called inet_csk_destroy_sock() in __tcp_close()\nand have not stopped the TCP timers.\nThe kernel socket's TCP timers can be fired later, so we\nneed to hold a refcnt for net as we do for MPTCP subflows\nin mptcp_subflow_create_socket().\n[0]:\nleaked reference.\nsk_alloc (./include/net/net_namespace.h:335 net/core/sock.c:2108)\ninet_create (net/ipv4/af_inet.c:319 net/ipv4/af_inet.c:244)\n__sock_create (net/socket.c:1546)\nsmc_create (net/smc/af_smc.c:3269 net/smc/af_smc.c:3284)\n__sock_create (net/socket.c:1546)\n__sys_socket (net/socket.c:1634 net/socket.c:1618 net/socket.c:1661)\n__x64_sys_socket (net/socket.c:1672)\ndo_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)\n==================================================================\nBUG: KASAN: slab-use-after-free in tcp_write_timer_handler (net/ipv4/tcp_timer.c:378 net/ipv4/tcp_timer.c:624 net/ipv4/tcp_timer.c:594)\nRead of size 1 at addr ffff888052b65e0d by task syzrepro/18091\nCPU: 0 PID: 18091 Comm: syzrepro Tainted: G        W          6.3.0-rc4-01174-gb5d54eb5899a #7\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.amzn2022.0.1 04/01/2014\nCall Trace:\n<IRQ>\ndump_stack_lvl (lib/dump_stack.c:107)\nprint_report (mm/kasan/report.c:320 mm/kasan/report.c:430)\nkasan_report (mm/kasan/report.c:538)\ntcp_write_timer_handler (net/ipv4/tcp_timer.c:378 net/ipv4/tcp_timer.c:624 net/ipv4/tcp_timer.c:594)\ntcp_write_timer (./include/linux/spinlock.h:390 net/ipv4/tcp_timer.c:643)\ncall_timer_fn (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/timer.h:127 kernel/time/timer.c:1701)\n__run_timers.part.0 (kernel/time/timer.c:1752 kernel/time/timer.c:2022)\nrun_timer_softirq (kernel/time/timer.c:2037)\n__do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:572)\n__irq_exit_rcu (kernel/softirq.c:445 kernel/softirq.c:650)\nirq_exit_rcu (kernel/softirq.c:664)\nsysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1107 (discriminator 14))\n</IRQ>" ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-11-11T00:00:00Z",
    "advisory" : "RHSA-2025:20518",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.5.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-11-11T00:00:00Z",
    "advisory" : "RHSA-2025:20518",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.5.1.el9_7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53781\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53781\nhttps://lore.kernel.org/linux-cve-announce/2025120939-CVE-2023-53781-cb1d@gregkh/T" ],
  "name" : "CVE-2023-53781",
  "csaw" : false
}