- Description
- In the Linux kernel, the following vulnerability has been resolved: mptcp: clear 'kern' flag from fallback sockets The mptcp ULP extension relies on sk->sk_sock_kern being set correctly: It prevents setsockopt(fd, IPPROTO_TCP, TCP_ULP, "mptcp", 6); from working for plain tcp sockets (any userspace-exposed socket). But in case of fallback, accept() can return a plain tcp sk. In such case, sk is still tagged as 'kernel' and setsockopt will work. This will crash the kernel, The subflow extension has a NULL ctx->conn mptcp socket: BUG: KASAN: null-ptr-deref in subflow_data_ready+0x181/0x2b0 Call Trace: tcp_data_ready+0xf8/0x370 [..]
- Source
- 416baaa9-dc9f-4396-8d5f-8c081fb06d67
- NVD status
- Analyzed
CVSS 3.1
- Type
- Primary
- Base score
- 5.5
- Impact score
- 3.6
- Exploitability score
- 1.8
- Vector string
- CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Severity
- MEDIUM
- nvd@nist.gov
- CWE-476
- Hype score
- Not currently trending
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "38A89EC4-168A-4514-A383-6B85436E12DE",
"versionEndExcluding": "5.10.88",
"versionStartIncluding": "5.6"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "11274E95-438A-449A-B100-01B2B0046669",
"versionEndExcluding": "5.15.11",
"versionStartIncluding": "5.11"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:5.16:rc1:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "357AA433-37E8-4323-BFB2-3038D6E4B414"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:5.16:rc2:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "A73429BA-C2D9-4D0C-A75F-06A1CA8B3983"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:5.16:rc3:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "F621B5E3-E99D-49E7-90B9-EC3B77C95383"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:5.16:rc4:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "F7BFDCAA-1650-49AA-8462-407DD593F94F"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:5.16:rc5:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "6EC9882F-866D-4ACB-8FBC-213D8D8436C8"
}
],
"operator": "OR"
}
]
}
]