
CVE-2023-53072: Vulnerability in Linux Linux

Severity: High
Published: Fri May 02 2025 (05/02/2025, 15:55:23 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

mptcp: use the workqueue to destroy unaccepted sockets

Christoph reported a UaF at token lookup time after having refactored the passive socket initialization part:

BUG: KASAN: use-after-free in __token_bucket_busy+0x253/0x260
Read of size 4 at addr ffff88810698d5b0 by task syz-executor653/3198

CPU: 1 PID: 3198 Comm: syz-executor653 Not tainted 6.2.0-rc59af4eaa31c1f6c00c8f1e448ed99a45c66340dd5 #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x6e/0x91
print_report+0x16a/0x46f
kasan_report+0xad/0x130
__token_bucket_busy+0x253/0x260
mptcp_token_new_connect+0x13d/0x490
mptcp_connect+0x4ed/0x860
__inet_stream_connect+0x80e/0xd90
tcp_sendmsg_fastopen+0x3ce/0x710
mptcp_sendmsg+0xff1/0x1a20
inet_sendmsg+0x11d/0x140
__sys_sendto+0x405/0x490
__x64_sys_sendto+0xdc/0x1b0
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x72/0xdc

We need to properly clean-up all the paired MPTCP-level resources and be sure to release the msk last, even when the unaccepted subflow is destroyed by the TCP internals via inet_child_forget().

We can re-use the existing MPTCP_WORK_CLOSE_SUBFLOW infra, explicitly checking that for the critical scenario: the closed subflow is the MPC one, the msk is not accepted and eventually going through full cleanup.

With such change, __mptcp_destroy_sock() is always called on msk sockets, even on accepted ones. We don't need anymore to transiently drop one sk reference at msk clone time.

Please note this commit depends on the parent one:

mptcp: refactor passive socket initialization

AI-Powered Analysis

AI analysis last updated: 07/01/2025, 03:57:10 UTC

Technical Analysis

CVE-2023-53072 is a use-after-free (UaF) vulnerability in the Linux kernel's implementation of Multipath TCP (MPTCP). MPTCP is an extension of TCP that lets a single connection use multiple network paths to increase throughput and redundancy.

The vulnerability arises from improper handling of socket destruction in the MPTCP passive socket initialization and cleanup path. After a refactor of passive socket initialization, the kernel no longer managed the lifecycle of unaccepted subflow sockets correctly, leaving a use-after-free during token lookup. KASAN detected it as a 4-byte read of freed memory in __token_bucket_busy(), reached from mptcp_token_new_connect() during MPTCP connection establishment on a send path (mptcp_sendmsg() through tcp_sendmsg_fastopen() and mptcp_connect()). The root cause is that the MPTCP socket (msk) and its paired resources were not cleaned up when an unaccepted subflow was destroyed by the TCP internals via inet_child_forget().

The fix reuses the existing MPTCP_WORK_CLOSE_SUBFLOW infrastructure so that the cleanup explicitly checks whether the closed subflow is the MPC one and whether the msk is unaccepted, and then performs a full cleanup from the workqueue. This guarantees that __mptcp_destroy_sock() is always called on msk sockets, which prevents the use-after-free. The patch also removes the need to transiently drop a socket reference at msk clone time, simplifying reference management.

This vulnerability affects Linux kernel versions prior to the patch and is most relevant to systems using MPTCP, which is increasingly deployed where robust multi-path networking is needed, such as data centers, mobile devices, and cloud infrastructure. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet.

Potential Impact

For European organizations, the impact of CVE-2023-53072 can be significant, especially for those relying on Linux-based infrastructure that employs MPTCP for enhanced network performance and reliability. Exploitation of this vulnerability could lead to kernel crashes or potential privilege escalation due to use-after-free conditions, undermining system stability and security. This could disrupt critical services, particularly in sectors like telecommunications, finance, healthcare, and cloud service providers where Linux servers are prevalent. Additionally, compromised systems could be leveraged for lateral movement or persistent footholds within networks. Given the kernel-level nature of the vulnerability, the confidentiality, integrity, and availability of affected systems could be severely impacted if exploited. The lack of known exploits suggests that the threat is currently theoretical but patching is urgent to prevent future attacks. Organizations with high network traffic and multi-path routing configurations are at higher risk.

Mitigation Recommendations

European organizations should prioritize updating their Linux kernels to versions that include the patch for CVE-2023-53072 as soon as it becomes available. Until patches are applied, administrators should consider disabling MPTCP if it is not essential, as this reduces the attack surface. Monitoring kernel logs for unusual KASAN reports or socket-related errors can help detect exploitation attempts. Network segmentation and strict access controls should be enforced to limit exposure of vulnerable systems. Additionally, organizations should audit their use of MPTCP-enabled applications and services to understand the scope of potential impact. Employing kernel hardening techniques, such as enabling Kernel Page Table Isolation (KPTI) and Kernel Address Space Layout Randomization (KASLR), can reduce exploitation risk. Finally, maintaining up-to-date intrusion detection systems that can identify anomalous kernel behavior is recommended.
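The two checks above (scanning kernel logs for KASAN reports with the signature quoted in the description, and confirming whether MPTCP is enabled before deciding to switch it off) as an added example; this is not code from the advisory or from the kernel project. It assumes the standard net.mptcp.enabled sysctl exposed at /proc/sys/net/mptcp/enabled, and the sample log lines are constructed, not captured from a real host. KASAN output only exists on kernels built with CONFIG_KASAN, so on production kernels pair this with ordinary oops/crash monitoring.

```python
import re
import subprocess
from pathlib import Path

# Constructed sample kernel log (not captured from a real host). The first report
# mirrors the KASAN output quoted in the CVE description; the second is an
# unrelated, constructed report included as a contrast case.
SAMPLE_DMESG = """\
[  312.114290] BUG: KASAN: use-after-free in __token_bucket_busy+0x253/0x260
[  312.114301] Read of size 4 at addr ffff88810698d5b0 by task syz-executor653/3198
[  312.114315]  mptcp_token_new_connect+0x13d/0x490
[  500.000000] BUG: KASAN: slab-out-of-bounds in xfs_readdir+0x10/0x40
[  900.000001] usb 1-1: new high-speed USB device number 3
"""

KASAN_RE = re.compile(r"BUG: KASAN: (?P<bug>[a-z-]+) in (?P<func>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")
ACCESS_RE = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr [0-9a-f]+ by task (?P<task>\S+)")
MPTCP_PREFIXES = ("mptcp_", "__mptcp_", "__token_")  # net/mptcp/ symbols, as in the report

def parse_kasan_reports(log_text):
    """Return one dict per KASAN report: bug class, faulting function, the access
    line that follows it, and an 'mptcp' flag so CVE-2023-53072-style reports
    can be prioritised."""
    reports = []
    for line in log_text.splitlines():
        m = KASAN_RE.search(line)
        if m:
            func = m.group("func")
            reports.append({"bug": m.group("bug"), "func": func,
                            "mptcp": func.startswith(MPTCP_PREFIXES)})
            continue
        a = ACCESS_RE.search(line)
        if a and reports and "task" not in reports[-1]:  # attach to the open report
            reports[-1].update(op=a.group("op"), size=int(a.group("size")), task=a.group("task"))
    return reports

def scan_dmesg():
    """Run the parser over the live kernel ring buffer (dmesg may require root)."""
    out = subprocess.run(["dmesg"], capture_output=True, text=True, check=False).stdout
    return parse_kasan_reports(out)

def mptcp_enabled(proc_path="/proc/sys/net/mptcp/enabled"):
    """Exposure check: True when net.mptcp.enabled=1, False when 0, None when the
    sysctl is absent (kernel built without MPTCP). Writing 0 to it (sysctl -w
    net.mptcp.enabled=0) is the interim 'disable MPTCP' mitigation above."""
    p = Path(proc_path)
    return None if not p.exists() else p.read_text().strip() == "1"
```

Running `parse_kasan_reports(SAMPLE_DMESG)` yields the use-after-free in __token_bucket_busy flagged as MPTCP-related with its 4-byte read and task attached, and the xfs report unflagged; `scan_dmesg()` and `mptcp_enabled()` do the same against the live host.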


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-05-02T15:51:43.548Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9830c4522896dcbe6ed3

Added to database: 5/21/2025, 9:09:04 AM

Last enriched: 7/1/2025, 3:57:10 AM

Last updated: 8/1/2025, 1:04:15 AM

