{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-31669","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-03-09T15:48:24.130Z","datePublished":"2026-04-24T14:45:17.295Z","dateUpdated":"2026-04-27T14:04:53.478Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-04-27T14:04:53.478Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix slab-use-after-free in __inet_lookup_established\n\nThe ehash table lookups are lockless and rely on\nSLAB_TYPESAFE_BY_RCU to guarantee socket memory stability\nduring RCU read-side critical sections. Both tcp_prot and\ntcpv6_prot have their slab caches created with this flag\nvia proto_register().\n\nHowever, MPTCP's mptcp_subflow_init() copies tcpv6_prot into\ntcpv6_prot_override during inet_init() (fs_initcall, level 5),\nbefore inet6_init() (module_init/device_initcall, level 6) has\ncalled proto_register(&tcpv6_prot). At that point,\ntcpv6_prot.slab is still NULL, so tcpv6_prot_override.slab\nremains NULL permanently.\n\nThis causes MPTCP v6 subflow child sockets to be allocated via\nkmalloc (falling into kmalloc-4k) instead of the TCPv6 slab\ncache. The kmalloc-4k cache lacks SLAB_TYPESAFE_BY_RCU, so\nwhen these sockets are freed without SOCK_RCU_FREE (which is\ncleared for child sockets by design), the memory can be\nimmediately reused. Concurrent ehash lookups under\nrcu_read_lock can then access freed memory, triggering a\nslab-use-after-free in __inet_lookup_established.\n\nFix this by splitting the IPv6-specific initialization out of\nmptcp_subflow_init() into a new mptcp_subflow_v6_init(), called\nfrom mptcp_proto_v6_init() before protocol registration. This\nensures tcpv6_prot_override.slab correctly inherits the\nSLAB_TYPESAFE_BY_RCU slab cache."}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/mptcp/protocol.c","net/mptcp/protocol.h","net/mptcp/subflow.c"],"versions":[{"version":"b19bc2945b40b9fd38e835700907ffe8534ef0de","lessThan":"f6e1f25fa5e733570f6d6fe37a4dfed2a0deba47","status":"affected","versionType":"git"},{"version":"b19bc2945b40b9fd38e835700907ffe8534ef0de","lessThan":"fb1f54b7d16f393b8b65d328410f78b4beea8fcc","status":"affected","versionType":"git"},{"version":"b19bc2945b40b9fd38e835700907ffe8534ef0de","lessThan":"3fd6547f5b8ac99687be6d937a0321efda760597","status":"affected","versionType":"git"},{"version":"b19bc2945b40b9fd38e835700907ffe8534ef0de","lessThan":"eb9c6aeb512f877cf397deb1e4526f646c70e4a7","status":"affected","versionType":"git"},{"version":"b19bc2945b40b9fd38e835700907ffe8534ef0de","lessThan":"15fa9ead4d5e6b6b9c794e84144146c917f2cb62","status":"affected","versionType":"git"},{"version":"b19bc2945b40b9fd38e835700907ffe8534ef0de","lessThan":"b313e9037d98c13938740e5ebda7852929366dff","status":"affected","versionType":"git"},{"version":"b19bc2945b40b9fd38e835700907ffe8534ef0de","lessThan":"9b55b253907e7431210483519c5ad711a37dafa1","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/mptcp/protocol.c","net/mptcp/protocol.h","net/mptcp/subflow.c"],"versions":[{"version":"5.12","status":"affected"},{"version":"0","lessThan":"5.12","status":"unaffected","versionType":"semver"},{"version":"5.15.203","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.169","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.135","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.82","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.23","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.13","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.12","versionEndExcluding":"5.15.203"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.12","versionEndExcluding":"6.1.169"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.12","versionEndExcluding":"6.6.135"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.12","versionEndExcluding":"6.12.82"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.12","versionEndExcluding":"6.18.23"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.12","versionEndExcluding":"6.19.13"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.12","versionEndExcluding":"7.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/f6e1f25fa5e733570f6d6fe37a4dfed2a0deba47"},{"url":"https://git.kernel.org/stable/c/fb1f54b7d16f393b8b65d328410f78b4beea8fcc"},{"url":"https://git.kernel.org/stable/c/3fd6547f5b8ac99687be6d937a0321efda760597"},{"url":"https://git.kernel.org/stable/c/eb9c6aeb512f877cf397deb1e4526f646c70e4a7"},{"url":"https://git.kernel.org/stable/c/15fa9ead4d5e6b6b9c794e84144146c917f2cb62"},{"url":"https://git.kernel.org/stable/c/b313e9037d98c13938740e5ebda7852929366dff"},{"url":"https://git.kernel.org/stable/c/9b55b253907e7431210483519c5ad711a37dafa1"}],"title":"mptcp: fix slab-use-after-free in __inet_lookup_established","x_generator":{"engine":"bippy-1.2.0"}}}}