282 matches found
kernel: mptcp: fix slab-use-after-free in __inet_lookup_established
A flaw was found in the Linux kernel's Multipath TCP MPTCP implementation. Due to incorrect memory allocation for IPv6 subflow child sockets, a use-after-free vulnerability exists. A remote attacker could exploit this by triggering concurrent lookups in the kernel's hash table, potentially leadin...
kernel: mptcp: fix slab-use-after-free in __inet_lookup_established
A flaw was found in the Linux kernel's Multipath TCP MPTCP implementation. Due to incorrect memory allocation for IPv6 subflow child sockets, a use-after-free vulnerability exists. A remote attacker could exploit this by triggering concurrent lookups in the kernel's hash table, potentially leadin...
OESA-2026-2581 kernel security update
The Linux Kernel, the operating system core itself. Security Fixes: In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: Prevent parser TCAM memory corruption Protect the parser TCAM/SRAM memory, and the cached shadow SRAM information, from concurrent modifications. Bot...
Astra Linux – Vulnerability in Linux 5.10
In the Linux kernel, the following vulnerabilities have been resolved: mptcp: Use skdstget and dstdevrcu in mptcpactiveenable. mptcpactiveenable is called from subflowfinishconnect, which is icsk-icskafops-skrxdstset. It isn’t always under a RCU context. Using skdstgetsk.dev could trigger a...
Astra Linux – Vulnerability in Linux 5.10
In the Linux kernel, the following vulnerability has been resolved: mptcp: The “kern” flag was removed from fallback sockets. The mptcp ULP extension relies on ensuring that sk-sksockkern is set correctly. This prevents the call to setsockoptfd, IPPROTOTCP, TCPULP, "mptcp", 6 from working for pla...
Astra Linux – Vulnerability found in Linux 6.1, Linux 5.15
In the Linux kernel, the following vulnerability has been resolved: mptcp: Race condition in the creation of subflows in mptcprcvspaceadjust. Additional active subflows—i.e., those created by the kernel’s internal processes—are included in the subflow list before the 3whs process starts. If a rac...
Astra Linux – Vulnerability found in Linux 5.10, Linux 6.1, and Linux 5.15
In the Linux kernel, the following vulnerability has been resolved: mptcp: fixed a NULL pointer in canacceptnewsubflow. When testing the valkey benchmark tool with MPTCP, the kernel panics in mptcpcanacceptnewsubflow because subflowreq-msk is NULL. Call trace: mptcpcanacceptnewsubflow...
Astra Linux – Vulnerability found in Linux 5.10, Linux 6.1
In the Linux kernel, the following vulnerability has been resolved: mptcp: Race conditions between subflow failures and additional subflow creations. We have race conditions similar to those addressed by the previous patch, between subflow failures and additional subflow creations. However, these...
Astra Linux – Vulnerability in Linux 5.10
In the Linux kernel, the following vulnerability has been resolved: mptcp: never allow the PM to close a listener subflow Currently, when deleting an endpoint, the netlink PM traverses all local MPTCP sockets, regardless of their status. If an MPTCP listener socket is bound to the IP correspondin...
Astra Linux – Vulnerability found in Linux 5.10, Linux 6.1, and Linux 5.15
In the Linux kernel, the following vulnerability has been resolved: mptcp: Handle DDS corruption consistently. The buggy peer implementation may send corrupted DSS options, consistently causing several warnings in the data path. Use DEBUGNET assertions to avoid errors on some builds and to handle...
Astra Linux – Vulnerability in Linux 5.10
In the Linux kernel, the following vulnerability has been resolved: mptcp: Prevent BPF from accessing lowat from a subflow socket. Alexei reported the following error: WARNING: CPU: 32, PID: 3276; in net/mptcp/subflow.c:1430; function subflowdataready+0x147/0x1c0. Linked modules: dummy,...
Astra Linux – Vulnerability found in Linux 5.15, Linux 6.1
In the Linux kernel, the following vulnerability has been resolved: mptcp: fixed the issue of re-injecting stale data from stale subflows. When the MPTCP Process Manager detects that a subflow is stale, the packet scheduler must re-inject all the unacknowledged data at the mptcp level. To avoid...
Astra Linux – Vulnerability in Linux 5.10
In the Linux kernel, the following vulnerability has been resolved: mptcp: ensure context reset on disconnect After the committed code below, if the MPC subflow is already in the TCPCLOSE status or has fallen back to TCP at the mptcpdisconnect time, mptcpdofastclose skips setting the sendfastclos...
CVE-2026-31669
A flaw was found in the Linux kernel's Multipath TCP MPTCP implementation. Due to incorrect memory allocation for IPv6 subflow child sockets, a use-after-free vulnerability exists. A remote attacker could exploit this by triggering concurrent lookups in the kernel's hash table, potentially leadin...
CVE-2026-31669
In the Linux kernel, the following vulnerability has been resolved: mptcp: fix slab-use-after-free in inetlookupestablished The ehash table lookups are lockless and rely on SLABTYPESAFEBYRCU to guarantee socket memory stability during RCU read-side critical sections. Both tcpprot and tcpv6prot ha...
DEBIAN-CVE-2026-31669
In the Linux kernel, the following vulnerability has been resolved: mptcp: fix slab-use-after-free in inetlookupestablished The ehash table lookups are lockless and rely on SLABTYPESAFEBYRCU to guarantee socket memory stability during RCU read-side critical sections. Both tcpprot and tcpv6prot ha...
EUVD-2026-25562
In the Linux kernel, the following vulnerability has been resolved: mptcp: fix slab-use-after-free in inetlookupestablished The ehash table lookups are lockless and rely on SLABTYPESAFEBYRCU to guarantee socket memory stability during RCU read-side critical sections. Both tcpprot and tcpv6prot ha...
CVE-2026-31669
In the Linux kernel, the following vulnerability has been resolved: mptcp: fix slab-use-after-free in inetlookupestablished The ehash table lookups are lockless and rely on SLABTYPESAFEBYRCU to guarantee socket memory stability during RCU read-side critical sections. Both tcpprot and tcpv6prot ha...
PT-2026-35021
Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description A slab-use-after-free issue exists in the inet lookup established function. The problem occurs because MPTCP v6 subflow child sockets are allocated via kmalloc instead of the TCPv6 slab...
Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-010947)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-010947 advisory. In the Linux kernel, the following vulnerability has been resolved: mptcp: use proper req destructor for IPv6 Before, only the destructor from TCP request sock in IP...