{ "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2023-54142", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-12-24T13:02:52.523Z", "datePublished": "2025-12-24T13:06:56.204Z", "dateUpdated": "2026-05-23T15:33:09.985Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-23T15:33:09.985Z" }, "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngtp: Fix use-after-free in __gtp_encap_destroy().\n\nsyzkaller reported use-after-free in __gtp_encap_destroy(). [0]\n\nIt shows the same process freed sk and touched it illegally.\n\nCommit e198987e7dd7 (\"gtp: fix suspicious RCU usage\") added lock_sock()\nand release_sock() in __gtp_encap_destroy() to protect sk->sk_user_data,\nbut release_sock() is called after sock_put() releases the last refcnt.\n\n[0]:\nBUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]\nBUG: KASAN: slab-use-after-free in atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline]\nBUG: KASAN: slab-use-after-free in queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]\nBUG: KASAN: slab-use-after-free in do_raw_spin_lock include/linux/spinlock.h:186 [inline]\nBUG: KASAN: slab-use-after-free in __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline]\nBUG: KASAN: slab-use-after-free in _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178\nWrite of size 4 at addr ffff88800dbef398 by task syz-executor.2/2401\n\nCPU: 1 PID: 2401 Comm: syz-executor.2 Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x72/0xa0 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:351 [inline]\n print_report+0xcc/0x620 mm/kasan/report.c:462\n kasan_report+0xb2/0xe0 mm/kasan/report.c:572\n check_region_inline mm/kasan/generic.c:181 [inline]\n kasan_check_range+0x39/0x1c0 mm/kasan/generic.c:187\n instrument_atomic_read_write include/linux/instrumented.h:96 [inline]\n atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline]\n queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]\n do_raw_spin_lock include/linux/spinlock.h:186 [inline]\n __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline]\n _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178\n spin_lock_bh include/linux/spinlock.h:355 [inline]\n release_sock+0x1f/0x1a0 net/core/sock.c:3526\n gtp_encap_disable_sock drivers/net/gtp.c:651 [inline]\n gtp_encap_disable+0xb9/0x220 drivers/net/gtp.c:664\n gtp_dev_uninit+0x19/0x50 drivers/net/gtp.c:728\n unregister_netdevice_many_notify+0x97e/0x1520 net/core/dev.c:10841\n rtnl_delete_link net/core/rtnetlink.c:3216 [inline]\n rtnl_dellink+0x3c0/0xb30 net/core/rtnetlink.c:3268\n rtnetlink_rcv_msg+0x450/0xb10 net/core/rtnetlink.c:6423\n netlink_rcv_skb+0x15d/0x450 net/netlink/af_netlink.c:2548\n netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]\n netlink_unicast+0x700/0x930 net/netlink/af_netlink.c:1365\n netlink_sendmsg+0x91c/0xe30 net/netlink/af_netlink.c:1913\n sock_sendmsg_nosec net/socket.c:724 [inline]\n sock_sendmsg+0x1b7/0x200 net/socket.c:747\n ____sys_sendmsg+0x75a/0x990 net/socket.c:2493\n ___sys_sendmsg+0x11d/0x1c0 net/socket.c:2547\n __sys_sendmsg+0xfe/0x1d0 net/socket.c:2576\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\nRIP: 0033:0x7f1168b1fe5d\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48\nRSP: 002b:00007f1167edccc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f1168b1fe5d\nRDX: 0000000000000000 RSI: 00000000200002c0 RDI: 0000000000000003\nRBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000000b R14: 00007f1168b80530 R15: 0000000000000000\n \n\nAllocated by task 1483:\n kasan_save_stack+0x22/0x50 mm/kasan/common.c:45\n kasan_set_track+0x25/0x30 mm/kasan/common.c:52\n __kasan_slab_alloc+0x\n---truncated---" } ], "affected": [ { "product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "drivers/net/gtp.c" ], "versions": [ { "version": "01f3c64e405ab3d25887d080a103ad76f30661d2", "lessThan": "d38039697184aacff1cf576e14ef583112fdefef", "status": "affected", "versionType": "git" }, { "version": "e117a04133c673cc54292e12086a8177cd9bd4a4", "lessThan": "e5aa6d829831a55a693dbaeb58f8d22ba7f2b3e6", "status": "affected", "versionType": "git" }, { "version": "e198987e7dd7d3645a53875151cd6f8fc425b706", "lessThan": "9c9662e2512b5e4ee7b03108802c5222e0fa77a4", "status": "affected", "versionType": "git" }, { "version": "e198987e7dd7d3645a53875151cd6f8fc425b706", "lessThan": "bccc7ace12e69dee4684a3bb4b69737972e570d6", "status": "affected", "versionType": "git" }, { "version": "e198987e7dd7d3645a53875151cd6f8fc425b706", "lessThan": "ebd6d2077a083329110695a996c00e8ca94bc640", "status": "affected", "versionType": "git" }, { "version": "e198987e7dd7d3645a53875151cd6f8fc425b706", "lessThan": "17d6b6354f0025b7c10a56da783fd0cbb3819c5d", "status": "affected", "versionType": "git" }, { "version": "e198987e7dd7d3645a53875151cd6f8fc425b706", "lessThan": "dae6095bdb24f537b4798ffd9201515b97bac94e", "status": "affected", "versionType": "git" }, { "version": "e198987e7dd7d3645a53875151cd6f8fc425b706", "lessThan": "58fa341327fdb4bdf92597fd8796a9abc8d20ea3", "status": "affected", "versionType": "git" }, { "version": "e198987e7dd7d3645a53875151cd6f8fc425b706", "lessThan": "ce3aee7114c575fab32a5e9e939d4bbb3dcca79f", "status": "affected", "versionType": "git" }, { "version": "bf75202df8e473d4ee914894542f213158066d8b", "status": "affected", "versionType": "git" }, { "version": "76357f65f18f180f44ccbbbf713461881d0ab219", "status": "affected", "versionType": "git" }, { "version": "4.14.135", "lessThan": "4.14.322", "status": "affected", "versionType": "semver" }, { "version": "4.19.61", "lessThan": "4.19.291", "status": "affected", "versionType": "semver" }, { "version": "5.1.20", "lessThan": "5.2", "status": "affected", "versionType": "semver" }, { "version": "5.2.3", "lessThan": "5.3", "status": "affected", "versionType": "semver" } ] }, { "product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "drivers/net/gtp.c" ], "versions": [ { "version": "5.3", "status": "affected" }, { "version": "0", "lessThan": "5.3", "status": "unaffected", "versionType": "semver" }, { "version": "4.14.322", "lessThanOrEqual": "4.14.*", "status": "unaffected", "versionType": "semver" }, { "version": "4.19.291", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver" }, { "version": "5.4.251", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver" }, { "version": "5.10.188", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver" }, { "version": "5.15.121", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.1.39", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.3.13", "lessThanOrEqual": "6.3.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.4.4", "lessThanOrEqual": "6.4.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.5", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.14.135", "versionEndExcluding": "4.14.322" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19.61", "versionEndExcluding": "4.19.291" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "5.4.251" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "5.10.188" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "5.15.121" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "6.1.39" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "6.3.13" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "6.4.4" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "6.5" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.1.20" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.2.3" } ] } ] } ], "references": [ { "url": "https://git.kernel.org/stable/c/d38039697184aacff1cf576e14ef583112fdefef" }, { "url": "https://git.kernel.org/stable/c/e5aa6d829831a55a693dbaeb58f8d22ba7f2b3e6" }, { "url": "https://git.kernel.org/stable/c/9c9662e2512b5e4ee7b03108802c5222e0fa77a4" }, { "url": "https://git.kernel.org/stable/c/bccc7ace12e69dee4684a3bb4b69737972e570d6" }, { "url": "https://git.kernel.org/stable/c/ebd6d2077a083329110695a996c00e8ca94bc640" }, { "url": "https://git.kernel.org/stable/c/17d6b6354f0025b7c10a56da783fd0cbb3819c5d" }, { "url": "https://git.kernel.org/stable/c/dae6095bdb24f537b4798ffd9201515b97bac94e" }, { "url": "https://git.kernel.org/stable/c/58fa341327fdb4bdf92597fd8796a9abc8d20ea3" }, { "url": "https://git.kernel.org/stable/c/ce3aee7114c575fab32a5e9e939d4bbb3dcca79f" } ], "title": "gtp: Fix use-after-free in __gtp_encap_destroy().", "x_generator": { "engine": "bippy-1.2.0" } } } }