CVE-2026-31669
- Source
- https://cve.org/CVERecord?id=CVE-2026-31669
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31669.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-31669
- Downstream
- Related
- Published
- 2026-04-24T14:45:17.295Z
- Modified
- 2026-06-23T15:29:18.828273718Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- mptcp: fix slab-use-after-free in __inet_lookup_established
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
mptcp: fix slab-use-after-free in __inetlookupestablished
The ehash table lookups are lockless and rely on SLABTYPESAFEBYRCU to guarantee socket memory stability during RCU read-side critical sections. Both tcpprot and tcpv6prot have their slab caches created with this flag via protoregister().
However, MPTCP's mptcpsubflowinit() copies tcpv6prot into tcpv6protoverride during inetinit() (fsinitcall, level 5), before inet6init() (moduleinit/deviceinitcall, level 6) has called protoregister(&tcpv6prot). At that point, tcpv6prot.slab is still NULL, so tcpv6prot_override.slab remains NULL permanently.
This causes MPTCP v6 subflow child sockets to be allocated via kmalloc (falling into kmalloc-4k) instead of the TCPv6 slab cache. The kmalloc-4k cache lacks SLABTYPESAFEBYRCU, so when these sockets are freed without SOCKRCUFREE (which is cleared for child sockets by design), the memory can be immediately reused. Concurrent ehash lookups under rcuread_lock can then access freed memory, triggering a slab-use-after-free in __inetlookupestablished.
Fix this by splitting the IPv6-specific initialization out of mptcpsubflowinit() into a new mptcpsubflowv6init(), called from mptcpprotov6init() before protocol registration. This ensures tcpv6protoverride.slab correctly inherits the SLABTYPESAFEBY_RCU slab cache.
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31669.json" }- References
-
- https://git.kernel.org/stable/c/15fa9ead4d5e6b6b9c794e84144146c917f2cb62
- https://git.kernel.org/stable/c/3fd6547f5b8ac99687be6d937a0321efda760597
- https://git.kernel.org/stable/c/9b55b253907e7431210483519c5ad711a37dafa1
- https://git.kernel.org/stable/c/b313e9037d98c13938740e5ebda7852929366dff
- https://git.kernel.org/stable/c/eb9c6aeb512f877cf397deb1e4526f646c70e4a7
- https://git.kernel.org/stable/c/f6e1f25fa5e733570f6d6fe37a4dfed2a0deba47
- https://git.kernel.org/stable/c/fb1f54b7d16f393b8b65d328410f78b4beea8fcc
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31669.json
- https://nvd.nist.gov/vuln/detail/CVE-2026-31669
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedb19bc2945b40b9fd38e835700907ffe8534ef0deFixedf6e1f25fa5e733570f6d6fe37a4dfed2a0deba47Fixedfb1f54b7d16f393b8b65d328410f78b4beea8fccFixed3fd6547f5b8ac99687be6d937a0321efda760597Fixedeb9c6aeb512f877cf397deb1e4526f646c70e4a7Fixed15fa9ead4d5e6b6b9c794e84144146c917f2cb62Fixedb313e9037d98c13938740e5ebda7852929366dffFixed9b55b253907e7431210483519c5ad711a37dafa1
Linux / Kernel
Package
- Name
- Kernel
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced5.12.0Fixed5.15.203
- Type
- ECOSYSTEM
- Events
-
Introduced5.16.0Fixed6.1.169
- Type
- ECOSYSTEM
- Events
-
Introduced6.2.0Fixed6.6.135
- Type
- ECOSYSTEM
- Events
-
Introduced6.7.0Fixed6.12.82
- Type
- ECOSYSTEM
- Events
-
Introduced6.13.0Fixed6.18.23
- Type
- ECOSYSTEM
- Events
-
Introduced6.19.0Fixed6.19.13