Bug 2420328 (CVE-2023-53839)

Summary: CVE-2023-53839 kernel: dccp: fix data-race around dp->dccps_mss_cache
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A data race vulnerability was found in the DCCP (Datagram Congestion Control Protocol) implementation in the Linux kernel. The dp->dccps_mss_cache variable is read in dccp_sendmsg() and do_dccp_getsockopt() without holding the socket lock, while it can be concurrently modified by other threads. This can lead to use of stale or torn values, potentially causing undefined behavior.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-12-09 02:03:14 UTC 
In the Linux kernel, the following vulnerability has been resolved:

dccp: fix data-race around dp->dccps_mss_cache

dccp_sendmsg() reads dp->dccps_mss_cache before locking the socket.
Same thing in do_dccp_getsockopt().

Add READ_ONCE()/WRITE_ONCE() annotations,
and change dccp_sendmsg() to check again dccps_mss_cache
after socket is locked.
Comment 1 Alexander B 2025-12-10 01:02:46 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025120956-CVE-2023-53839-5f7e@gregkh/T