CVE-2026-31669

EUVD-2026-25562
In the Linux kernel, the following vulnerability has been resolved:

mptcp: fix slab-use-after-free in __inet_lookup_established

The ehash table lookups are lockless and rely on
SLAB_TYPESAFE_BY_RCU to guarantee socket memory stability
during RCU read-side critical sections. Both tcp_prot and
tcpv6_prot have their slab caches created with this flag
via proto_register().

However, MPTCP's mptcp_subflow_init() copies tcpv6_prot into
tcpv6_prot_override during inet_init() (fs_initcall, level 5),
before inet6_init() (module_init/device_initcall, level 6) has
called proto_register(&tcpv6_prot). At that point,
tcpv6_prot.slab is still NULL, so tcpv6_prot_override.slab
remains NULL permanently.

This causes MPTCP v6 subflow child sockets to be allocated via
kmalloc (falling into kmalloc-4k) instead of the TCPv6 slab
cache. The kmalloc-4k cache lacks SLAB_TYPESAFE_BY_RCU, so
when these sockets are freed without SOCK_RCU_FREE (which is
cleared for child sockets by design), the memory can be
immediately reused. Concurrent ehash lookups under
rcu_read_lock can then access freed memory, triggering a
slab-use-after-free in __inet_lookup_established.

Fix this by splitting the IPv6-specific initialization out of
mptcp_subflow_init() into a new mptcp_subflow_v6_init(), called
from mptcp_proto_v6_init() before protocol registration. This
ensures tcpv6_prot_override.slab correctly inherits the
SLAB_TYPESAFE_BY_RCU slab cache.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 26%
Affected Products (NVD)
VendorProductVersion
linuxlinux_kernel
5.12.1 ≤
𝑥
< 5.15.203
linuxlinux_kernel
5.16 ≤
𝑥
< 6.1.169
linuxlinux_kernel
6.2 ≤
𝑥
< 6.6.135
linuxlinux_kernel
6.7 ≤
𝑥
< 6.12.82
linuxlinux_kernel
6.13 ≤
𝑥
< 6.18.23
linuxlinux_kernel
6.19 ≤
𝑥
< 6.19.13
linuxlinux_kernel
5.12
linuxlinux_kernel
7.0:rc1
linuxlinux_kernel
7.0:rc2
linuxlinux_kernel
7.0:rc3
linuxlinux_kernel
7.0:rc4
linuxlinux_kernel
7.0:rc5
linuxlinux_kernel
7.0:rc6
linuxlinux_kernel
7.0:rc7
𝑥
= Vulnerable software versions
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
cluster-md-kmp-default
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
dlm-kmp-default
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
gfs2-kmp-default
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
kernel-64kb
suse enterprise server 15 SP4
5.14.21-150400.24.219.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
kernel-default
suse enterprise server 15 SP4
5.14.21-150400.24.219.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
kernel-default-base
suse enterprise server 15 SP4
5.14.21-150400.24.219.1.150400.24.110.2
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.112.1.150600.12.52.1
fixed
kernel-docs
suse enterprise server 15 SP4
5.14.21-150400.24.219.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
kernel-macros
suse enterprise server 15 SP4
5.14.21-150400.24.219.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
kernel-obs-build
suse enterprise server 15 SP4
5.14.21-150400.24.219.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
kernel-source
suse enterprise server 15 SP4
5.14.21-150400.24.219.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
kernel-syms
suse enterprise server 15 SP4
5.14.21-150400.24.219.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
kernel-zfcpdump
suse enterprise server 15 SP4
5.14.21-150400.24.219.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
ocfs2-kmp-default
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
reiserfs-kmp-default
suse enterprise server 15 SP4
5.14.21-150400.24.219.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
bpftool
Amazon Linux 2023
1:6.1.170-210.320.amzn2023
fixed
bpftool-debuginfo
Amazon Linux 2023
1:6.1.170-210.320.amzn2023
fixed
bpftool6.12
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
bpftool6.12-debuginfo
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
bpftool6.18
Amazon Linux 2023
1:6.18.25-55.108.amzn2023
fixed
bpftool6.18-debuginfo
Amazon Linux 2023
1:6.18.25-55.108.amzn2023
fixed
kernel
Amazon Linux 2023
1:6.1.170-210.320.amzn2023
fixed
kernel-debuginfo
Amazon Linux 2023
1:6.1.170-210.320.amzn2023
fixed
kernel-debuginfo-common-aarch64
Amazon Linux 2023
1:6.1.170-210.320.amzn2023
fixed
kernel-debuginfo-common-x86_64
Amazon Linux 2023
1:6.1.170-210.320.amzn2023
fixed
kernel-devel
Amazon Linux 2023
1:6.1.170-210.320.amzn2023
fixed
kernel-headers
Amazon Linux 2023
1:6.1.170-210.320.amzn2023
fixed
kernel-livepatch-6.1.170-210.320
Amazon Linux 2023
1:1.0-0.amzn2023
fixed
kernel-livepatch-6.12.83-113.160
Amazon Linux 2023
1:1.0-0.amzn2023
fixed
kernel-livepatch-6.18.25-55.108
Amazon Linux 2023
1:1.0-0.amzn2023
fixed
kernel-modules-extra
Amazon Linux 2023
1:6.1.170-210.320.amzn2023
fixed
kernel-modules-extra-common
Amazon Linux 2023
1:6.1.170-210.320.amzn2023
fixed
kernel-tools
Amazon Linux 2023
1:6.1.170-210.320.amzn2023
fixed
kernel-tools-debuginfo
Amazon Linux 2023
1:6.1.170-210.320.amzn2023
fixed
kernel-tools-devel
Amazon Linux 2023
1:6.1.170-210.320.amzn2023
fixed
kernel6.12
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
kernel6.12-debuginfo
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
kernel6.12-debuginfo-common-aarch64
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
kernel6.12-debuginfo-common-x86_64
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
kernel6.12-devel
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
kernel6.12-headers
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
kernel6.12-modules-extra
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
kernel6.12-modules-extra-common
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
kernel6.12-tools
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
kernel6.12-tools-debuginfo
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
kernel6.12-tools-devel
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
kernel6.18
Amazon Linux 2023
1:6.18.25-55.108.amzn2023
fixed
kernel6.18-debuginfo
Amazon Linux 2023
1:6.18.25-55.108.amzn2023
fixed
kernel6.18-debuginfo-common-aarch64
Amazon Linux 2023
1:6.18.25-55.108.amzn2023
fixed
kernel6.18-debuginfo-common-x86_64
Amazon Linux 2023
1:6.18.25-55.108.amzn2023
fixed
kernel6.18-devel
Amazon Linux 2023
1:6.18.25-55.108.amzn2023
fixed
kernel6.18-headers
Amazon Linux 2023
1:6.18.25-55.108.amzn2023
fixed
kernel6.18-modules-extra
Amazon Linux 2023
1:6.18.25-55.108.amzn2023
fixed
kernel6.18-modules-extra-common
Amazon Linux 2023
1:6.18.25-55.108.amzn2023
fixed
kernel6.18-tools
Amazon Linux 2023
1:6.18.25-55.108.amzn2023
fixed
kernel6.18-tools-debuginfo
Amazon Linux 2023
1:6.18.25-55.108.amzn2023
fixed
kernel6.18-tools-devel
Amazon Linux 2023
1:6.18.25-55.108.amzn2023
fixed
perf
Amazon Linux 2023
1:6.1.170-210.320.amzn2023
fixed
perf-debuginfo
Amazon Linux 2023
1:6.1.170-210.320.amzn2023
fixed
perf6.12
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
perf6.12-debuginfo
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
perf6.18
Amazon Linux 2023
1:6.18.25-55.108.amzn2023
fixed
perf6.18-debuginfo
Amazon Linux 2023
1:6.18.25-55.108.amzn2023
fixed
python3-perf
Amazon Linux 2023
1:6.1.170-210.320.amzn2023
fixed
python3-perf-debuginfo
Amazon Linux 2023
1:6.1.170-210.320.amzn2023
fixed
python3-perf6.12
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
python3-perf6.12-debuginfo
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
python3-perf6.18
Amazon Linux 2023
1:6.18.25-55.108.amzn2023
fixed
python3-perf6.18-debuginfo
Amazon Linux 2023
1:6.18.25-55.108.amzn2023
fixed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
kernel
Azure Linux 3.0
0:6.6.137.1-1.azl3
fixed
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://git.kernel.org/stable/c/15fa9ead4d5e6b6b9c794e84144146c917f2cb62
https://git.kernel.org/stable/c/3fd6547f5b8ac99687be6d937a0321efda760597
https://git.kernel.org/stable/c/9b55b253907e7431210483519c5ad711a37dafa1
https://git.kernel.org/stable/c/b313e9037d98c13938740e5ebda7852929366dff
https://git.kernel.org/stable/c/eb9c6aeb512f877cf397deb1e4526f646c70e4a7
https://git.kernel.org/stable/c/f6e1f25fa5e733570f6d6fe37a4dfed2a0deba47
https://git.kernel.org/stable/c/fb1f54b7d16f393b8b65d328410f78b4beea8fcc