Linux Kernel MPTCP slab-UAF in __inet_lookup_established
CVE-2026-31669 Published on April 24, 2026
mptcp: fix slab-use-after-free in __inet_lookup_established
In the Linux kernel, the following vulnerability has been resolved:
mptcp: fix slab-use-after-free in __inet_lookup_established
The ehash table lookups are lockless and rely on
SLAB_TYPESAFE_BY_RCU to guarantee socket memory stability
during RCU read-side critical sections. Both tcp_prot and
tcpv6_prot have their slab caches created with this flag
via proto_register().
However, MPTCP's mptcp_subflow_init() copies tcpv6_prot into
tcpv6_prot_override during inet_init() (fs_initcall, level 5),
before inet6_init() (module_init/device_initcall, level 6) has
called proto_register(&tcpv6_prot). At that point,
tcpv6_prot.slab is still NULL, so tcpv6_prot_override.slab
remains NULL permanently.
This causes MPTCP v6 subflow child sockets to be allocated via
kmalloc (falling into kmalloc-4k) instead of the TCPv6 slab
cache. The kmalloc-4k cache lacks SLAB_TYPESAFE_BY_RCU, so
when these sockets are freed without SOCK_RCU_FREE (which is
cleared for child sockets by design), the memory can be
immediately reused. Concurrent ehash lookups under
rcu_read_lock can then access freed memory, triggering a
slab-use-after-free in __inet_lookup_established.
Fix this by splitting the IPv6-specific initialization out of
mptcp_subflow_init() into a new mptcp_subflow_v6_init(), called
from mptcp_proto_v6_init() before protocol registration. This
ensures tcpv6_prot_override.slab correctly inherits the
SLAB_TYPESAFE_BY_RCU slab cache.
Products Associated with CVE-2026-31669
Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.
Affected Versions
Linux:- Version b19bc2945b40b9fd38e835700907ffe8534ef0de and below f6e1f25fa5e733570f6d6fe37a4dfed2a0deba47 is affected.
- Version b19bc2945b40b9fd38e835700907ffe8534ef0de and below fb1f54b7d16f393b8b65d328410f78b4beea8fcc is affected.
- Version b19bc2945b40b9fd38e835700907ffe8534ef0de and below 3fd6547f5b8ac99687be6d937a0321efda760597 is affected.
- Version b19bc2945b40b9fd38e835700907ffe8534ef0de and below eb9c6aeb512f877cf397deb1e4526f646c70e4a7 is affected.
- Version b19bc2945b40b9fd38e835700907ffe8534ef0de and below 15fa9ead4d5e6b6b9c794e84144146c917f2cb62 is affected.
- Version b19bc2945b40b9fd38e835700907ffe8534ef0de and below b313e9037d98c13938740e5ebda7852929366dff is affected.
- Version b19bc2945b40b9fd38e835700907ffe8534ef0de and below 9b55b253907e7431210483519c5ad711a37dafa1 is affected.
- Version 5.12 is affected.
- Before 5.12 is unaffected.
- Version 5.15.203, <= 5.15.* is unaffected.
- Version 6.1.169, <= 6.1.* is unaffected.
- Version 6.6.135, <= 6.6.* is unaffected.
- Version 6.12.82, <= 6.12.* is unaffected.
- Version 6.18.23, <= 6.18.* is unaffected.
- Version 6.19.13, <= 6.19.* is unaffected.
- Version 7.0, <= * is unaffected.