CVE-2021-47593

MEDIUM

Linux Kernel 5.6-5.10.88 5.15.11-5.15.* 5.16 - NULL Pointer Dereference in MPTCP Subflow Extension

Title source: llm

Description

In the Linux kernel, the following vulnerability has been resolved: mptcp: clear 'kern' flag from fallback sockets The mptcp ULP extension relies on sk->sk_sock_kern being set correctly: It prevents setsockopt(fd, IPPROTO_TCP, TCP_ULP, "mptcp", 6); from working for plain tcp sockets (any userspace-exposed socket). But in case of fallback, accept() can return a plain tcp sk. In such case, sk is still tagged as 'kernel' and setsockopt will work. This will crash the kernel, The subflow extension has a NULL ctx->conn mptcp socket: BUG: KASAN: null-ptr-deref in subflow_data_ready+0x181/0x2b0 Call Trace: tcp_data_ready+0xf8/0x370 [..]

References (3)

Core 3

Core References

Patch

https://git.kernel.org/stable/c/451f1eded7f56e93aaf52eb547ba97742d9c0e97

Patch

https://git.kernel.org/stable/c/c26ac0ea3a91c210cf90452e625dc441adf3e549

Patch

https://git.kernel.org/stable/c/d6692b3b97bdc165d150f4c1505751a323a80717

Scores

CVSS v3 5.5

EPSS 0.0025

EPSS Percentile 15.8%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-476

Status published

Products (10)

Linux/Linux < 5.6

Linux/Linux 5.10.88 - 5.10.*

Linux/Linux 5.15.11 - 5.15.*

Linux/Linux 5.16

Linux/Linux 5.6

Linux/Linux cf7da0d66cc1a2a19fc5930bb746ffbb2d4cd1be - 451f1eded7f56e93aaf52eb547ba97742d9c0e97

Linux/Linux cf7da0d66cc1a2a19fc5930bb746ffbb2d4cd1be - c26ac0ea3a91c210cf90452e625dc441adf3e549

Linux/Linux cf7da0d66cc1a2a19fc5930bb746ffbb2d4cd1be - d6692b3b97bdc165d150f4c1505751a323a80717

linux/linux_kernel 5.16 rc1 (5 CPE variants)

linux/linux_kernel 5.6 - 5.10.88

Published Jun 19, 2024

Tracked Since Feb 18, 2026