[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-DEBIAN-CVE-2023-53781":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-15T22:50:23.791Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":11,"aliases":12,"duplicate_of":9,"upstream":13,"downstream":16,"duplicates":17,"related":18,"reserved_at":9,"published_at":19,"modified_at":20,"state":9,"summary":21,"references_raw":23,"kevs":30,"epss":9,"epss_history":31,"metrics":32,"affected":33},"DEBIAN-CVE-2023-53781","In the Linux kernel, the following vulnerability has been resolved:  smc: Fix use-after-free in tcp_write_timer_handler().  With Eric's ref tracker, syzbot finally found a repro for use-after-free in tcp_write_timer_handler() by kernel TCP sockets. [0]  If SMC creates a kernel socket in __smc_create(), the kernel socket is supposed to be freed in smc_clcsock_release() by calling sock_release() when we close() the parent SMC socket.  However, at the end of smc_clcsock_release(), the kernel socket's sk_state might not be TCP_CLOSE.  This means that we have not called inet_csk_destroy_sock() in __tcp_close() and have not stopped the TCP timers.  The kernel socket's TCP timers can be fired later, so we need to hold a refcnt for net as we do for MPTCP subflows in mptcp_subflow_create_socket().  [0]: leaked reference.  sk_alloc (./include/net/net_namespace.h:335 net/core/sock.c:2108)  inet_create (net/ipv4/af_inet.c:319 net/ipv4/af_inet.c:244)  __sock_create (net/socket.c:1546)  smc_create (net/smc/af_smc.c:3269 net/smc/af_smc.c:3284)  __sock_create (net/socket.c:1546)  __sys_socket (net/socket.c:1634 net/socket.c:1618 net/socket.c:1661)  __x64_sys_socket (net/socket.c:1672)  do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) ================================================================== BUG: KASAN: slab-use-after-free in tcp_write_timer_handler (net/ipv4/tcp_timer.c:378 net/ipv4/tcp_timer.c:624 net/ipv4/tcp_timer.c:594) Read of size 1 at addr ffff888052b65e0d by task syzrepro/18091  CPU: 0 PID: 18091 Comm: syzrepro Tainted: G        W          6.3.0-rc4-01174-gb5d54eb5899a #7 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.amzn2022.0.1 04/01/2014 Call Trace:  \u003CIRQ>  dump_stack_lvl (lib/dump_stack.c:107)  print_report (mm/kasan/report.c:320 mm/kasan/report.c:430)  kasan_report (mm/kasan/report.c:538)  tcp_write_timer_handler (net/ipv4/tcp_timer.c:378 net/ipv4/tcp_timer.c:624 net/ipv4/tcp_timer.c:594)  tcp_write_timer (./include/linux/spinlock.h:390 net/ipv4/tcp_timer.c:643)  call_timer_fn (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/timer.h:127 kernel/time/timer.c:1701)  __run_timers.part.0 (kernel/time/timer.c:1752 kernel/time/timer.c:2022)  run_timer_softirq (kernel/time/timer.c:2037)  __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:572)  __irq_exit_rcu (kernel/softirq.c:445 kernel/softirq.c:650)  irq_exit_rcu (kernel/softirq.c:664)  sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1107 (discriminator 14))  \u003C/IRQ>",null,[],[],[],[14],{"_key":15},"CVE-2023-53781",[],[],[],"2025-12-09T01:16:49.280Z","2026-06-15T19:04:52.161565395Z",{"cisa_kev":22,"cisa_ransomware":22,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":9,"severity_score":9,"severity_version":9,"severity_source":9,"severity_vector":9,"severity_status":9},false,[24],{"url":25,"sources":26,"tags":28},"https://security-tracker.debian.org/tracker/CVE-2023-53781",[27],"osv_debian",[29],"Advisory",[],[],[],[34],{"ecosystem":35,"name":36,"vendor":37,"product":36,"cpe_part":9,"purl_type":38,"purl_namespace":37,"purl_name":36,"source":9,"versions":39},"Debian","linux","debian","deb",[40,44,45,49],{"version":41,"is_range":42,"range_type":43,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"all",true,"ecosystem",{"version":41,"is_range":42,"range_type":43,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},{"version":46,"is_range":42,"range_type":43,"version_start":9,"version_start_type":9,"version_end":47,"version_end_type":48,"fixed_in":9},"lt6_3_7_1","6.3.7-1","excluding",{"version":46,"is_range":42,"range_type":43,"version_start":9,"version_start_type":9,"version_end":47,"version_end_type":48,"fixed_in":9}]