CVE-2026-31669 | THREATINT

Description

In the Linux kernel, the following vulnerability has been resolved: mptcp: fix slab-use-after-free in __inet_lookup_established The ehash table lookups are lockless and rely on SLAB_TYPESAFE_BY_RCU to guarantee socket memory stability during RCU read-side critical sections. Both tcp_prot and tcpv6_prot have their slab caches created with this flag via proto_register(). However, MPTCP's mptcp_subflow_init() copies tcpv6_prot into tcpv6_prot_override during inet_init() (fs_initcall, level 5), before inet6_init() (module_init/device_initcall, level 6) has called proto_register(&tcpv6_prot). At that point, tcpv6_prot.slab is still NULL, so tcpv6_prot_override.slab remains NULL permanently. This causes MPTCP v6 subflow child sockets to be allocated via kmalloc (falling into kmalloc-4k) instead of the TCPv6 slab cache. The kmalloc-4k cache lacks SLAB_TYPESAFE_BY_RCU, so when these sockets are freed without SOCK_RCU_FREE (which is cleared for child sockets by design), the memory can be immediately reused. Concurrent ehash lookups under rcu_read_lock can then access freed memory, triggering a slab-use-after-free in __inet_lookup_established. Fix this by splitting the IPv6-specific initialization out of mptcp_subflow_init() into a new mptcp_subflow_v6_init(), called from mptcp_proto_v6_init() before protocol registration. This ensures tcpv6_prot_override.slab correctly inherits the SLAB_TYPESAFE_BY_RCU slab cache.

PUBLISHED Reserved 2026-03-09 | Published 2026-04-24 | Updated 2026-04-24 | Assigner Linux

Product status

Default status

unaffected

b19bc2945b40b9fd38e835700907ffe8534ef0de (git) before f6e1f25fa5e733570f6d6fe37a4dfed2a0deba47

affected

b19bc2945b40b9fd38e835700907ffe8534ef0de (git) before fb1f54b7d16f393b8b65d328410f78b4beea8fcc

affected

b19bc2945b40b9fd38e835700907ffe8534ef0de (git) before 3fd6547f5b8ac99687be6d937a0321efda760597

affected

b19bc2945b40b9fd38e835700907ffe8534ef0de (git) before eb9c6aeb512f877cf397deb1e4526f646c70e4a7

affected

b19bc2945b40b9fd38e835700907ffe8534ef0de (git) before 15fa9ead4d5e6b6b9c794e84144146c917f2cb62

affected

b19bc2945b40b9fd38e835700907ffe8534ef0de (git) before b313e9037d98c13938740e5ebda7852929366dff

affected

b19bc2945b40b9fd38e835700907ffe8534ef0de (git) before 9b55b253907e7431210483519c5ad711a37dafa1

affected

Default status

affected

5.12

affected

Any version before 5.12

unaffected

5.15.203 (semver)

unaffected

6.1.169 (semver)

unaffected

6.6.135 (semver)

unaffected

6.12.82 (semver)

unaffected

6.18.23 (semver)

unaffected

6.19.13 (semver)

unaffected

7.0 (original_commit_for_fix)

unaffected

References

git.kernel.org/...c/f6e1f25fa5e733570f6d6fe37a4dfed2a0deba47

git.kernel.org/...c/fb1f54b7d16f393b8b65d328410f78b4beea8fcc

git.kernel.org/...c/3fd6547f5b8ac99687be6d937a0321efda760597

git.kernel.org/...c/eb9c6aeb512f877cf397deb1e4526f646c70e4a7

git.kernel.org/...c/15fa9ead4d5e6b6b9c794e84144146c917f2cb62

git.kernel.org/...c/b313e9037d98c13938740e5ebda7852929366dff

git.kernel.org/...c/9b55b253907e7431210483519c5ad711a37dafa1

cve.org (CVE-2026-31669)

nvd.nist.gov (CVE-2026-31669)

Download JSON