CVE-2026-31669
Description
In the Linux kernel, the following vulnerability has been resolved:
mptcp: fix slab-use-after-free in __inet_lookup_established
The ehash table lookups are lockless and rely on SLAB_TYPESAFE_BY_RCU to guarantee socket memory stability during RCU read-side critical sections. Both tcp_prot and tcpv6_prot have their slab caches created with this flag via proto_register().
However, MPTCP's mptcp_subflow_init() copies tcpv6_prot into tcpv6_prot_override during inet_init() (fs_initcall, level 5), before inet6_init() (module_init/device_initcall, level 6) has called proto_register(&tcpv6_prot). At that point, tcpv6_prot.slab is still NULL, so tcpv6_prot_override.slab remains NULL permanently.
This causes MPTCP v6 subflow child sockets to be allocated via kmalloc (falling into kmalloc-4k) instead of the TCPv6 slab cache. The kmalloc-4k cache lacks SLAB_TYPESAFE_BY_RCU, so when these sockets are freed without SOCK_RCU_FREE (which is cleared for child sockets by design), the memory can be immediately reused. Concurrent ehash lookups under rcu_read_lock can then access freed memory, triggering a slab-use-after-free in __inet_lookup_established.
Fix this by splitting the IPv6-specific initialization out of mptcp_subflow_init() into a new mptcp_subflow_v6_init(), called from mptcp_proto_v6_init() before protocol registration. This ensures tcpv6_prot_override.slab correctly inherits the SLAB_TYPESAFE_BY_RCU slab cache.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
85cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 8 more
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=5.12.1,<5.15.203
- cpe:2.3:o:linux:linux_kernel:5.12:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
- osv-coords76 versionspkg:rpm/almalinux/bpftoolpkg:rpm/almalinux/kernelpkg:rpm/almalinux/kernel-64kpkg:rpm/almalinux/kernel-64k-corepkg:rpm/almalinux/kernel-64k-debugpkg:rpm/almalinux/kernel-64k-debug-corepkg:rpm/almalinux/kernel-64k-debug-develpkg:rpm/almalinux/kernel-64k-debug-devel-matchedpkg:rpm/almalinux/kernel-64k-debug-modulespkg:rpm/almalinux/kernel-64k-debug-modules-corepkg:rpm/almalinux/kernel-64k-debug-modules-extrapkg:rpm/almalinux/kernel-64k-develpkg:rpm/almalinux/kernel-64k-devel-matchedpkg:rpm/almalinux/kernel-64k-modulespkg:rpm/almalinux/kernel-64k-modules-corepkg:rpm/almalinux/kernel-64k-modules-extrapkg:rpm/almalinux/kernel-abi-stablelistspkg:rpm/almalinux/kernel-corepkg:rpm/almalinux/kernel-cross-headerspkg:rpm/almalinux/kernel-debugpkg:rpm/almalinux/kernel-debug-corepkg:rpm/almalinux/kernel-debug-develpkg:rpm/almalinux/kernel-debug-devel-matchedpkg:rpm/almalinux/kernel-debug-modulespkg:rpm/almalinux/kernel-debug-modules-corepkg:rpm/almalinux/kernel-debug-modules-extrapkg:rpm/almalinux/kernel-debug-uki-virtpkg:rpm/almalinux/kernel-develpkg:rpm/almalinux/kernel-devel-matchedpkg:rpm/almalinux/kernel-docpkg:rpm/almalinux/kernel-headerspkg:rpm/almalinux/kernel-modulespkg:rpm/almalinux/kernel-modules-corepkg:rpm/almalinux/kernel-modules-extrapkg:rpm/almalinux/kernel-modules-extra-matchedpkg:rpm/almalinux/kernel-rtpkg:rpm/almalinux/kernel-rt-64kpkg:rpm/almalinux/kernel-rt-64k-corepkg:rpm/almalinux/kernel-rt-64k-debugpkg:rpm/almalinux/kernel-rt-64k-debug-corepkg:rpm/almalinux/kernel-rt-64k-debug-develpkg:rpm/almalinux/kernel-rt-64k-debug-modulespkg:rpm/almalinux/kernel-rt-64k-debug-modules-corepkg:rpm/almalinux/kernel-rt-64k-debug-modules-extrapkg:rpm/almalinux/kernel-rt-64k-develpkg:rpm/almalinux/kernel-rt-64k-modulespkg:rpm/almalinux/kernel-rt-64k-modules-corepkg:rpm/almalinux/kernel-rt-64k-modules-extrapkg:rpm/almalinux/kernel-rt-corepkg:rpm/almalinux/kernel-rt-debugpkg:rpm/almalinux/kernel-rt-debug-corepkg:rpm/almalinux/kernel-rt-debug-develpkg:rpm/almalinux/kernel-rt-debug-modulespkg:rpm/almalinux/kernel-rt-debug-modules-corepkg:rpm/almalinux/kernel-rt-debug-modules-extrapkg:rpm/almalinux/kernel-rt-develpkg:rpm/almalinux/kernel-rt-modulespkg:rpm/almalinux/kernel-rt-modules-corepkg:rpm/almalinux/kernel-rt-modules-extrapkg:rpm/almalinux/kernel-toolspkg:rpm/almalinux/kernel-tools-libspkg:rpm/almalinux/kernel-tools-libs-develpkg:rpm/almalinux/kernel-uki-virtpkg:rpm/almalinux/kernel-uki-virt-addonspkg:rpm/almalinux/kernel-zfcpdumppkg:rpm/almalinux/kernel-zfcpdump-corepkg:rpm/almalinux/kernel-zfcpdump-develpkg:rpm/almalinux/kernel-zfcpdump-devel-matchedpkg:rpm/almalinux/kernel-zfcpdump-modulespkg:rpm/almalinux/kernel-zfcpdump-modules-corepkg:rpm/almalinux/kernel-zfcpdump-modules-extrapkg:rpm/almalinux/libperfpkg:rpm/almalinux/perfpkg:rpm/almalinux/python3-perfpkg:rpm/almalinux/rtlapkg:rpm/almalinux/rv
< 4.18.0-553.134.1.el8_10+ 75 more
- (no CPE)range: < 4.18.0-553.134.1.el8_10
- (no CPE)range: < 4.18.0-553.134.1.el8_10
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 4.18.0-553.134.1.el8_10
- (no CPE)range: < 4.18.0-553.134.1.el8_10
- (no CPE)range: < 4.18.0-553.134.1.el8_10
- (no CPE)range: < 4.18.0-553.134.1.el8_10
- (no CPE)range: < 4.18.0-553.134.1.el8_10
- (no CPE)range: < 4.18.0-553.134.1.el8_10
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 4.18.0-553.134.1.el8_10
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 4.18.0-553.134.1.el8_10
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 4.18.0-553.134.1.el8_10
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 4.18.0-553.134.1.el8_10
- (no CPE)range: < 4.18.0-553.134.1.el8_10
- (no CPE)range: < 4.18.0-553.134.1.el8_10
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 4.18.0-553.134.1.el8_10
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 4.18.0-553.134.1.rt7.475.el8_10
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 4.18.0-553.134.1.rt7.475.el8_10
- (no CPE)range: < 4.18.0-553.134.1.rt7.475.el8_10
- (no CPE)range: < 4.18.0-553.134.1.rt7.475.el8_10
- (no CPE)range: < 4.18.0-553.134.1.rt7.475.el8_10
- (no CPE)range: < 4.18.0-553.134.1.rt7.475.el8_10
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 4.18.0-553.134.1.rt7.475.el8_10
- (no CPE)range: < 4.18.0-553.134.1.rt7.475.el8_10
- (no CPE)range: < 4.18.0-553.134.1.rt7.475.el8_10
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 4.18.0-553.134.1.rt7.475.el8_10
- (no CPE)range: < 4.18.0-553.134.1.el8_10
- (no CPE)range: < 4.18.0-553.134.1.el8_10
- (no CPE)range: < 4.18.0-553.134.1.el8_10
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 4.18.0-553.134.1.el8_10
- (no CPE)range: < 4.18.0-553.134.1.el8_10
- (no CPE)range: < 4.18.0-553.134.1.el8_10
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 4.18.0-553.134.1.el8_10
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 4.18.0-553.134.1.el8_10
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 4.18.0-553.134.1.el8_10
- (no CPE)range: < 4.18.0-553.134.1.el8_10
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
Patches
Vulnerability mechanics
References
7- git.kernel.org/stable/c/15fa9ead4d5e6b6b9c794e84144146c917f2cb62nvdPatch
- git.kernel.org/stable/c/3fd6547f5b8ac99687be6d937a0321efda760597nvdPatch
- git.kernel.org/stable/c/9b55b253907e7431210483519c5ad711a37dafa1nvdPatch
- git.kernel.org/stable/c/b313e9037d98c13938740e5ebda7852929366dffnvdPatch
- git.kernel.org/stable/c/eb9c6aeb512f877cf397deb1e4526f646c70e4a7nvdPatch
- git.kernel.org/stable/c/f6e1f25fa5e733570f6d6fe37a4dfed2a0deba47nvdPatch
- git.kernel.org/stable/c/fb1f54b7d16f393b8b65d328410f78b4beea8fccnvdPatch
News mentions
0No linked articles in our index yet.