{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31669", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.130Z", "datePublished": "2026-04-24T14:45:17.295Z", "dateUpdated": "2026-05-11T22:13:21.124Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:13:21.124Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix slab-use-after-free in __inet_lookup_established\n\nThe ehash table lookups are lockless and rely on\nSLAB_TYPESAFE_BY_RCU to guarantee socket memory stability\nduring RCU read-side critical sections. Both tcp_prot and\ntcpv6_prot have their slab caches created with this flag\nvia proto_register().\n\nHowever, MPTCP's mptcp_subflow_init() copies tcpv6_prot into\ntcpv6_prot_override during inet_init() (fs_initcall, level 5),\nbefore inet6_init() (module_init/device_initcall, level 6) has\ncalled proto_register(&tcpv6_prot). At that point,\ntcpv6_prot.slab is still NULL, so tcpv6_prot_override.slab\nremains NULL permanently.\n\nThis causes MPTCP v6 subflow child sockets to be allocated via\nkmalloc (falling into kmalloc-4k) instead of the TCPv6 slab\ncache. The kmalloc-4k cache lacks SLAB_TYPESAFE_BY_RCU, so\nwhen these sockets are freed without SOCK_RCU_FREE (which is\ncleared for child sockets by design), the memory can be\nimmediately reused. Concurrent ehash lookups under\nrcu_read_lock can then access freed memory, triggering a\nslab-use-after-free in __inet_lookup_established.\n\nFix this by splitting the IPv6-specific initialization out of\nmptcp_subflow_init() into a new mptcp_subflow_v6_init(), called\nfrom mptcp_proto_v6_init() before protocol registration. This\nensures tcpv6_prot_override.slab correctly inherits the\nSLAB_TYPESAFE_BY_RCU slab cache."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/mptcp/protocol.c", "net/mptcp/protocol.h", "net/mptcp/subflow.c"], "versions": [{"version": "b19bc2945b40b9fd38e835700907ffe8534ef0de", "lessThan": "f6e1f25fa5e733570f6d6fe37a4dfed2a0deba47", "status": "affected", "versionType": "git"}, {"version": "b19bc2945b40b9fd38e835700907ffe8534ef0de", "lessThan": "fb1f54b7d16f393b8b65d328410f78b4beea8fcc", "status": "affected", "versionType": "git"}, {"version": "b19bc2945b40b9fd38e835700907ffe8534ef0de", "lessThan": "3fd6547f5b8ac99687be6d937a0321efda760597", "status": "affected", "versionType": "git"}, {"version": "b19bc2945b40b9fd38e835700907ffe8534ef0de", "lessThan": "eb9c6aeb512f877cf397deb1e4526f646c70e4a7", "status": "affected", "versionType": "git"}, {"version": "b19bc2945b40b9fd38e835700907ffe8534ef0de", "lessThan": "15fa9ead4d5e6b6b9c794e84144146c917f2cb62", "status": "affected", "versionType": "git"}, {"version": "b19bc2945b40b9fd38e835700907ffe8534ef0de", "lessThan": "b313e9037d98c13938740e5ebda7852929366dff", "status": "affected", "versionType": "git"}, {"version": "b19bc2945b40b9fd38e835700907ffe8534ef0de", "lessThan": "9b55b253907e7431210483519c5ad711a37dafa1", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/mptcp/protocol.c", "net/mptcp/protocol.h", "net/mptcp/subflow.c"], "versions": [{"version": "5.12", "status": "affected"}, {"version": "0", "lessThan": "5.12", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.169", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.135", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.82", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.23", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.13", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.12", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.12", "versionEndExcluding": "6.1.169"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.12", "versionEndExcluding": "6.6.135"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.12", "versionEndExcluding": "6.12.82"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.12", "versionEndExcluding": "6.18.23"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.12", "versionEndExcluding": "6.19.13"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.12", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/f6e1f25fa5e733570f6d6fe37a4dfed2a0deba47"}, {"url": "https://git.kernel.org/stable/c/fb1f54b7d16f393b8b65d328410f78b4beea8fcc"}, {"url": "https://git.kernel.org/stable/c/3fd6547f5b8ac99687be6d937a0321efda760597"}, {"url": "https://git.kernel.org/stable/c/eb9c6aeb512f877cf397deb1e4526f646c70e4a7"}, {"url": "https://git.kernel.org/stable/c/15fa9ead4d5e6b6b9c794e84144146c917f2cb62"}, {"url": "https://git.kernel.org/stable/c/b313e9037d98c13938740e5ebda7852929366dff"}, {"url": "https://git.kernel.org/stable/c/9b55b253907e7431210483519c5ad711a37dafa1"}], "title": "mptcp: fix slab-use-after-free in __inet_lookup_established", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "AA3D6441-4F2E-41AB-A26D-388B03A5932F", "versionEndExcluding": "5.15.203", "versionStartIncluding": "5.12.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "DBEC0E5D-641C-4E98-A6D9-5799B10CE451", "versionEndExcluding": "6.1.169", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "15C1A1B2-14EE-494C-AF3E-D5A7BA640B39", "versionEndExcluding": "6.6.135", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "02904CAE-71D2-45B3-9EC3-F6A9D18B6307", "versionEndExcluding": "6.12.82", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E9E09FDD-9EE3-4A56-92E2-2B30AFD0072F", "versionEndExcluding": "6.18.23", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "1490EF9B-9080-481C-8D22-1306AAE664E4", "versionEndExcluding": "6.19.13", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.12:-:*:*:*:*:*:*", "matchCriteriaId": "75EB504D-4A83-4C67-9C8D-FD9C6C8EB4CD", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix slab-use-after-free in __inet_lookup_established\n\nThe ehash table lookups are lockless and rely on\nSLAB_TYPESAFE_BY_RCU to guarantee socket memory stability\nduring RCU read-side critical sections. Both tcp_prot and\ntcpv6_prot have their slab caches created with this flag\nvia proto_register().\n\nHowever, MPTCP's mptcp_subflow_init() copies tcpv6_prot into\ntcpv6_prot_override during inet_init() (fs_initcall, level 5),\nbefore inet6_init() (module_init/device_initcall, level 6) has\ncalled proto_register(&tcpv6_prot). At that point,\ntcpv6_prot.slab is still NULL, so tcpv6_prot_override.slab\nremains NULL permanently.\n\nThis causes MPTCP v6 subflow child sockets to be allocated via\nkmalloc (falling into kmalloc-4k) instead of the TCPv6 slab\ncache. The kmalloc-4k cache lacks SLAB_TYPESAFE_BY_RCU, so\nwhen these sockets are freed without SOCK_RCU_FREE (which is\ncleared for child sockets by design), the memory can be\nimmediately reused. Concurrent ehash lookups under\nrcu_read_lock can then access freed memory, triggering a\nslab-use-after-free in __inet_lookup_established.\n\nFix this by splitting the IPv6-specific initialization out of\nmptcp_subflow_init() into a new mptcp_subflow_v6_init(), called\nfrom mptcp_proto_v6_init() before protocol registration. This\nensures tcpv6_prot_override.slab correctly inherits the\nSLAB_TYPESAFE_BY_RCU slab cache."}], "id": "CVE-2026-31669", "lastModified": "2026-04-27T20:09:25.553", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-04-24T15:16:46.663", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/15fa9ead4d5e6b6b9c794e84144146c917f2cb62"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3fd6547f5b8ac99687be6d937a0321efda760597"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9b55b253907e7431210483519c5ad711a37dafa1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b313e9037d98c13938740e5ebda7852929366dff"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/eb9c6aeb512f877cf397deb1e4526f646c70e4a7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f6e1f25fa5e733570f6d6fe37a4dfed2a0deba47"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/fb1f54b7d16f393b8b65d328410f78b4beea8fcc"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: mptcp: fix slab-use-after-free in __inet_lookup_established", "id": "2461503", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461503"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-763", "details": ["A flaw was found in the Linux kernel's Multipath TCP (MPTCP) implementation. Due to incorrect memory allocation for IPv6 subflow child sockets, a use-after-free vulnerability exists. A remote attacker could exploit this by triggering concurrent lookups in the kernel's hash table, potentially leading to a denial of service or arbitrary code execution."], "name": "CVE-2026-31669", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31669\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31669\nhttps://lore.kernel.org/linux-cve-announce/2026042406-CVE-2026-31669-0e0d@gregkh/T"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b19bc2945b40b9fd38e835700907ffe8534ef0de,f6e1f25fa5e733570f6d6fe37a4dfed2a0deba47)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b19bc2945b40b9fd38e835700907ffe8534ef0de,fb1f54b7d16f393b8b65d328410f78b4beea8fcc)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b19bc2945b40b9fd38e835700907ffe8534ef0de,3fd6547f5b8ac99687be6d937a0321efda760597)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b19bc2945b40b9fd38e835700907ffe8534ef0de,eb9c6aeb512f877cf397deb1e4526f646c70e4a7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b19bc2945b40b9fd38e835700907ffe8534ef0de,15fa9ead4d5e6b6b9c794e84144146c917f2cb62)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b19bc2945b40b9fd38e835700907ffe8534ef0de,b313e9037d98c13938740e5ebda7852929366dff)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b19bc2945b40b9fd38e835700907ffe8534ef0de,9b55b253907e7431210483519c5ad711a37dafa1)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.12"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,5.12)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[5.15.203,5.15.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.1.169,6.1.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.6.135,6.6.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.12.82,6.12.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.18.23,6.18.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19.13,6.19.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T13:42:23.774205+00:00", "value": {"mitigation_remediation": ["Apply the latest kernel update that contains the MPTCP slab use\u2011after\u2011free fix", "Reboot the affected machines so that the updated kernel image is actively used", "If the system cannot be patched immediately, consider disabling MPTCP or restricting its use"], "summary": {"action": "Immediate Patch", "impact": "Use\u2011After\u2011Free in the Linux kernel that can lead to memory corruption and potentially arbitrary code execution"}, "threat_synthesis": {"affected_systems": "The flaw exists in Linux kernel releases 5.12 and all 7.0 release candidates up to rc7. Systems that run these kernels with MPTCP enabled and that establish IPv6 subflows are vulnerable. The fix was applied before the stable 7.0 rc7 release, so kernels derived from that branch after the corresponding commit include the remediation.", "description_and_impact": "A fault in Multicast TCP (MPTCP) initialization causes the TCPv6 slab cache pointer to remain null. When IPv6 subflow child sockets are allocated via kmalloc instead of the intended TCPv6 slab cache, the memory is not protected by SLAB_TYPESAFE_BY_RCU. If such sockets are freed while an RCU read\u2011side critical section is in progress, concurrent __inet_lookup_established hash table lookups can access freed memory, resulting in a slab\u2011use\u2011after\u2011free. This memory corruption (CWE\u2011416) can allow an attacker to trigger arbitrary kernel code execution or a denial\u2011of\u2011service condition if the fault occurs in a privileged context.", "risk_and_exploitability": "With a CVSS score of 9.8 it is classified as Critical; the EPSS score of less than 1% indicates a low probability of active exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Attackers would likely need to trigger concurrent IPv6 subflow operations while a user space process holds an RCU read lock, a scenario that could be achieved by a local or privileged user that can open sockets. The risk is primarily local, but any compromised process could affect the host or connected network services."}}}}, "created": "2026-04-27T19:30:11.872944+00:00", "updated": "2026-04-28T13:45:06.144542+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}