CVE-2024-50083
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-50083
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-50083.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-50083
- Downstream
- Related
- Published
- 2024-10-29T00:50:26Z
- Modified
- 2025-10-30T21:38:09.820498Z
- Summary
- tcp: fix mptcp DSS corruption due to large pmtu xmit
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
tcp: fix mptcp DSS corruption due to large pmtu xmit
Syzkaller was able to trigger a DSS corruption:
TCP: requestsocksubflowv4: Possible SYN flooding on port [::]:20002. Sending cookies. ------------[ cut here ]------------ WARNING: CPU: 0 PID: 5227 at net/mptcp/protocol.c:695 mptcpmoveskbsfromsubflow+0x20a9/0x21f0 net/mptcp/protocol.c:695 Modules linked in: CPU: 0 UID: 0 PID: 5227 Comm: syz-executor350 Not tainted 6.11.0-syzkaller-08829-gaf9c191ac2a0 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 RIP: 0010:mptcpmoveskbsfromsubflow+0x20a9/0x21f0 net/mptcp/protocol.c:695 Code: 0f b6 dc 31 ff 89 de e8 b5 dd ea f5 89 d8 48 81 c4 50 01 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 98 da ea f5 90 <0f> 0b 90 e9 47 ff ff ff e8 8a da ea f5 90 0f 0b 90 e9 99 e0 ff ff RSP: 0018:ffffc90000006db8 EFLAGS: 00010246 RAX: ffffffff8ba9df18 RBX: 00000000000055f0 RCX: ffff888030023c00 RDX: 0000000000000100 RSI: 00000000000081e5 RDI: 00000000000055f0 RBP: 1ffff110062bf1ae R08: ffffffff8ba9cf12 R09: 1ffff110062bf1b8 R10: dffffc0000000000 R11: ffffed10062bf1b9 R12: 0000000000000000 R13: dffffc0000000000 R14: 00000000700cec61 R15: 00000000000081e5 FS: 000055556679c380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020287000 CR3: 0000000077892000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <IRQ> moveskbstomsk net/mptcp/protocol.c:811 [inline] mptcpdataready+0x29c/0xa90 net/mptcp/protocol.c:854 subflowdataready+0x34a/0x920 net/mptcp/subflow.c:1490 tcpdataqueue+0x20fd/0x76c0 net/ipv4/tcpinput.c:5283 tcprcvestablished+0xfba/0x2020 net/ipv4/tcpinput.c:6237 tcpv4dorcv+0x96d/0xc70 net/ipv4/tcpipv4.c:1915 tcpv4rcv+0x2dc0/0x37f0 net/ipv4/tcpipv4.c:2350 ipprotocoldeliverrcu+0x22e/0x440 net/ipv4/ipinput.c:205 iplocaldeliverfinish+0x341/0x5f0 net/ipv4/ipinput.c:233 NFHOOK+0x3a4/0x450 include/linux/netfilter.h:314 NFHOOK+0x3a4/0x450 include/linux/netfilter.h:314 _netifreceiveskbonecore net/core/dev.c:5662 [inline] _netifreceiveskb+0x2bf/0x650 net/core/dev.c:5775 processbacklog+0x662/0x15b0 net/core/dev.c:6107 _napipoll+0xcb/0x490 net/core/dev.c:6771 napipoll net/core/dev.c:6840 [inline] netrxaction+0x89b/0x1240 net/core/dev.c:6962 handlesoftirqs+0x2c5/0x980 kernel/softirq.c:554 dosoftirq+0x11b/0x1e0 kernel/softirq.c:455 </IRQ> <TASK> _localbhenableip+0x1bb/0x200 kernel/softirq.c:382 localbhenable include/linux/bottomhalf.h:33 [inline] rcureadunlockbh include/linux/rcupdate.h:919 [inline] _devqueuexmit+0x1764/0x3e80 net/core/dev.c:4451 devqueuexmit include/linux/netdevice.h:3094 [inline] neighhhoutput include/net/neighbour.h:526 [inline] neighoutput include/net/neighbour.h:540 [inline] ipfinishoutput2+0xd41/0x1390 net/ipv4/ipoutput.c:236 iplocalout net/ipv4/ipoutput.c:130 [inline] _ipqueuexmit+0x118c/0x1b80 net/ipv4/ipoutput.c:536 _tcptransmitskb+0x2544/0x3b30 net/ipv4/tcpoutput.c:1466 tcptransmitskb net/ipv4/tcpoutput.c:1484 [inline] tcpmtuprobe net/ipv4/tcpoutput.c:2547 [inline] tcpwritexmit+0x641d/0x6bf0 net/ipv4/tcpoutput.c:2752 _tcppushpendingframes+0x9b/0x360 net/ipv4/tcpoutput.c:3015 tcppushpendingframes include/net/tcp.h:2107 [inline] tcpdatasndcheck net/ipv4/tcpinput.c:5714 [inline] tcprcvestablished+0x1026/0x2020 net/ipv4/tcpinput.c:6239 tcpv4dorcv+0x96d/0xc70 net/ipv4/tcpipv4.c:1915 skbacklogrcv include/net/sock.h:1113 [inline] _releasesock+0x214/0x350 net/core/sock.c:3072 releasesock+0x61/0x1f0 net/core/sock.c:3626 mptcppush ---truncated---
- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/229dfdc36f31a8d47433438bc0e6e1662c4ab404
- https://git.kernel.org/stable/c/4dabcdf581217e60690467a37c956a5b8dbc6bd9
- https://git.kernel.org/stable/c/9729010a0ac5945c1bf6847dd0778d8a1a4b72ac
- https://git.kernel.org/stable/c/ba8e65814e519eeb17d086952bce7de93f7a40da
- https://git.kernel.org/stable/c/c38add9ac0e4d4f418e6443a688491499021add9
- https://git.kernel.org/stable/c/db04d1848777ae52a7ab93c4591e7c0bf8f55fb4
- https://security.netapp.com/advisory/ntap-20250523-0010/
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced85712484110df308215077be6ee21c4e57d7dec2Fixedc38add9ac0e4d4f418e6443a688491499021add9
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced85712484110df308215077be6ee21c4e57d7dec2Fixed9729010a0ac5945c1bf6847dd0778d8a1a4b72ac
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced85712484110df308215077be6ee21c4e57d7dec2Fixedba8e65814e519eeb17d086952bce7de93f7a40da
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced85712484110df308215077be6ee21c4e57d7dec2Fixed229dfdc36f31a8d47433438bc0e6e1662c4ab404
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced85712484110df308215077be6ee21c4e57d7dec2Fixeddb04d1848777ae52a7ab93c4591e7c0bf8f55fb4
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced85712484110df308215077be6ee21c4e57d7dec2Fixed4dabcdf581217e60690467a37c956a5b8dbc6bd9
Affected versions
v5.*
v6.*
Database specific
vanir_signatures
[
{
"signature_type": "Function",
"target": {
"file": "net/ipv4/tcp_output.c",
"function": "tcp_can_coalesce_send_queue_head"
},
"id": "CVE-2024-50083-03dffbad",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4dabcdf581217e60690467a37c956a5b8dbc6bd9",
"signature_version": "v1",
"digest": {
"function_hash": "154107775012308247109704799158331448095",
"length": 384.0
},
"deprecated": false
},
{
"signature_type": "Line",
"target": {
"file": "net/ipv4/tcp_output.c"
},
"id": "CVE-2024-50083-09cb54a5",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c38add9ac0e4d4f418e6443a688491499021add9",
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"92637606384929648435350965660670876570",
"271007823964556942901567628726356277035",
"200751310405286131541862426843215332324",
"231683021609342493533420343397568436668"
]
},
"deprecated": false
},
{
"signature_type": "Line",
"target": {
"file": "net/ipv4/tcp_output.c"
},
"id": "CVE-2024-50083-225a72bb",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@229dfdc36f31a8d47433438bc0e6e1662c4ab404",
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"58556629512604518004915093336090055433",
"218480437210386747384488049145487351517",
"196456095771775015766348693475038714316",
"262676199946743652291221371952836559333",
"320589282264613255775418002801299936595",
"19773011614728228031515111454135356886"
]
},
"deprecated": false
},
{
"signature_type": "Line",
"target": {
"file": "net/ipv4/tcp_output.c"
},
"id": "CVE-2024-50083-2c1e66d2",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@db04d1848777ae52a7ab93c4591e7c0bf8f55fb4",
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"58556629512604518004915093336090055433",
"218480437210386747384488049145487351517",
"196456095771775015766348693475038714316",
"262676199946743652291221371952836559333",
"320589282264613255775418002801299936595",
"19773011614728228031515111454135356886"
]
},
"deprecated": false
},
{
"signature_type": "Line",
"target": {
"file": "net/ipv4/tcp_output.c"
},
"id": "CVE-2024-50083-332be2b3",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ba8e65814e519eeb17d086952bce7de93f7a40da",
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"58556629512604518004915093336090055433",
"218480437210386747384488049145487351517",
"196456095771775015766348693475038714316",
"262676199946743652291221371952836559333",
"320589282264613255775418002801299936595",
"19773011614728228031515111454135356886"
]
},
"deprecated": false
},
{
"signature_type": "Line",
"target": {
"file": "net/ipv4/tcp_output.c"
},
"id": "CVE-2024-50083-3fe652c7",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9729010a0ac5945c1bf6847dd0778d8a1a4b72ac",
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"92637606384929648435350965660670876570",
"271007823964556942901567628726356277035",
"200751310405286131541862426843215332324",
"231683021609342493533420343397568436668"
]
},
"deprecated": false
},
{
"signature_type": "Function",
"target": {
"file": "net/ipv4/tcp_output.c",
"function": "tcp_can_coalesce_send_queue_head"
},
"id": "CVE-2024-50083-58f1c3ba",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9729010a0ac5945c1bf6847dd0778d8a1a4b72ac",
"signature_version": "v1",
"digest": {
"function_hash": "69556025832197079275294797697104087827",
"length": 316.0
},
"deprecated": false
},
{
"signature_type": "Function",
"target": {
"file": "net/ipv4/tcp_output.c",
"function": "tcp_can_coalesce_send_queue_head"
},
"id": "CVE-2024-50083-6b057014",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@db04d1848777ae52a7ab93c4591e7c0bf8f55fb4",
"signature_version": "v1",
"digest": {
"function_hash": "212504501433893177198553173064248930523",
"length": 344.0
},
"deprecated": false
},
{
"signature_type": "Line",
"target": {
"file": "net/ipv4/tcp_output.c"
},
"id": "CVE-2024-50083-95f45b72",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4dabcdf581217e60690467a37c956a5b8dbc6bd9",
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"58556629512604518004915093336090055433",
"218480437210386747384488049145487351517",
"229409811543469100482911337178645673963",
"9617543189082504707088962087650973989",
"73842462072043075872433738065796129373",
"247929842375501507226249450815810926081",
"43610718340937699960333876059345321410"
]
},
"deprecated": false
},
{
"signature_type": "Function",
"target": {
"file": "net/ipv4/tcp_output.c",
"function": "tcp_can_coalesce_send_queue_head"
},
"id": "CVE-2024-50083-b195a690",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@229dfdc36f31a8d47433438bc0e6e1662c4ab404",
"signature_version": "v1",
"digest": {
"function_hash": "212504501433893177198553173064248930523",
"length": 344.0
},
"deprecated": false
},
{
"signature_type": "Function",
"target": {
"file": "net/ipv4/tcp_output.c",
"function": "tcp_can_coalesce_send_queue_head"
},
"id": "CVE-2024-50083-be4bad89",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ba8e65814e519eeb17d086952bce7de93f7a40da",
"signature_version": "v1",
"digest": {
"function_hash": "212504501433893177198553173064248930523",
"length": 344.0
},
"deprecated": false
},
{
"signature_type": "Function",
"target": {
"file": "net/ipv4/tcp_output.c",
"function": "tcp_can_coalesce_send_queue_head"
},
"id": "CVE-2024-50083-f3258d45",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c38add9ac0e4d4f418e6443a688491499021add9",
"signature_version": "v1",
"digest": {
"function_hash": "69556025832197079275294797697104087827",
"length": 316.0
},
"deprecated": false
}
]