CVE-2023-52986: 
Linux Kernel vulnerability analysis and mitigation

CVE-2023-52986 is a vulnerability discovered in the Linux kernel related to the BPF sockmap functionality. The issue was disclosed and documented on March 27, 2025. The vulnerability specifically affects the TCP socket handling when using sockmap features, where a listening socket linked to a sockmap has its sk_prot incorrectly handled during socket cloning operations (NVD).

The vulnerability occurs when a listening socket linked to a sockmap has its skprot overridden, pointing to one of the struct proto variants in tcpbpfprots. The issue manifests during the socket cloning process where the child socket inherits the skprot from the TCP listener. The tcpbpfclone function incorrectly checks only for the TCPBPFBASE proto variant instead of all tcpbpfprots variants. This leads to the child socket unintentionally retaining the inherited sk_prot, potentially causing infinite recursion on close operations due to improper state setup (Debian Security).

When exploited, this vulnerability can lead to infinite recursion on socket close operations, as the child socket state is not properly configured for tcpbpfprot operations. This can potentially affect system stability and performance in environments where BPF sockmap functionality is utilized (NVD).

The vulnerability has been fixed in various Linux kernel versions. Fixed versions include Linux kernel 5.10.223-1 for Debian Bullseye, 6.1.129-1 for Bookworm, and 6.12.21-1 for Sid/Trixie. The fix involves adjusting the check in tcpbpfclone to properly detect all tcpbpfprots variants (Debian Security).