Description
In the Linux kernel, the following vulnerability has been resolved:

mptcp: fix race in mptcp_pm_nl_flush_addrs_doit()

syzbot and Eulgyu Kim reported crashes in mptcp_pm_nl_get_local_id()
and/or mptcp_pm_nl_is_backup()

Root cause is list_splice_init() in mptcp_pm_nl_flush_addrs_doit()
which is not RCU ready.

list_splice_init_rcu() can not be called here while holding pernet->lock
spinlock.

Many thanks to Eulgyu Kim for providing a repro and testing our patches.
Published: 2026-02-14
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Race condition leading to kernel crash and denial of service
Action: Apply patch
AI Analysis

Impact

A race condition was discovered in the Linux kernel's MPTCP subsystem: mptcp_pm_nl_flush_addrs_doit() splices a shared list with list_splice_init(), which is not RCU-safe. Concurrent readers such as mptcp_pm_nl_get_local_id() and mptcp_pm_nl_is_backup() can therefore access the list while it is being modified, potentially corrupting memory and causing the kernel to crash. The resulting kernel panic effectively denies service on the affected host.

Affected Systems

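The vulnerability exists in the Linux kernel 6.19 release candidates (rc1 through rc7). Any system running one of these kernels without the upstream patch to mptcp_pm_nl_flush_addrs_doit() is potentially vulnerable. The advisories listed on this page also include Debian updates for the linux and linux-6.1 packages, so distribution kernels should be checked against the vendor's advisory rather than the CPE list alone.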

Risk and Exploitability

The CVSS score of 7.8 classifies the issue as high severity, while the EPSS of less than 1% indicates a low estimated likelihood of exploitation. The issue is not listed in the CISA KEV catalog. The current CVSS vector (AV:L/AC:L/PR:L/UI:N) describes a local attacker with low privileges. Based on the description, it is inferred that exploitation would likely require interaction with the MPTCP subsystem, possibly through crafted network traffic or local manipulation of MPTCP sockets, leading to a kernel panic and system reboot.

Generated by OpenCVE AI on April 16, 2026 at 06:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that includes the fix (e.g., the commit that resolves the race condition).
  • If a kernel upgrade cannot be performed, disable MPTCP by setting the sysctl net.mptcp.enabled to 0 or recompiling the kernel without MPTCP support.
  • As a temporary fix, apply the upstream patch locally to your kernel source and rebuild the kernel to incorporate the resolution.
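A check for the sysctl workaround in the second action above, as an added example (not OpenCVE or kernel project code): it reports whether net.mptcp.enabled is 0 both at runtime and in sysctl configuration. The root-prefix argument and the verdict strings are assumptions of this example; the sysctl is per network namespace, so run the check in each namespace of interest.

```shell
#!/bin/sh
# Added example, not OpenCVE or kernel project code.
# Each function takes an optional root prefix (hypothetical parameter) so the
# check can be run against a test tree; with no argument it reads the live host.

# Runtime state of net.mptcp.enabled in the current network namespace.
mptcp_runtime_state() {
    f="${1:-}/proc/sys/net/mptcp/enabled"
    if [ ! -r "$f" ]; then
        echo "absent"            # no MPTCP sysctl (e.g. kernel built without MPTCP)
        return 0
    fi
    case "$(cat "$f")" in
        0) echo "disabled" ;;
        *) echo "enabled" ;;
    esac
}

# Value persisted in sysctl config: a single value, "unset", or "conflict" when
# files disagree (precedence between files is deliberately not modelled).
mptcp_persisted_value() {
    root="${1:-}"
    vals=$(for f in "$root"/etc/sysctl.conf "$root"/etc/sysctl.d/*.conf; do
        if [ -r "$f" ]; then
            sed -n 's/^[[:space:]]*net[./]mptcp[./]enabled[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*$/\1/p' "$f"
        fi
    done | sort -u)
    set -- $vals                 # split the distinct values into $1, $2, ...
    case $# in
        0) echo "unset" ;;
        1) echo "$1" ;;
        *) echo "conflict" ;;
    esac
}

# Combine both into one verdict for the sysctl workaround.
mptcp_mitigation_status() {
    run=$(mptcp_runtime_state "${1:-}")
    per=$(mptcp_persisted_value "${1:-}")
    case "$run:$per" in
        absent:*)   echo "not-applicable" ;;
        disabled:0) echo "mitigated" ;;      # off now and after reboot
        disabled:*) echo "runtime-only" ;;   # off now, will not survive reboot
        enabled:0)  echo "config-only" ;;    # persisted, not yet applied here
        *)          echo "enabled" ;;
    esac
}

mptcp_mitigation_status "${1:-}"
```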



Advisories
Source      ID          Title
Debian DLA  DLA-4499-1  linux-6.1 security update
Debian DSA  DSA-6141-1  linux security update
Debian DSA  DSA-6163-1  linux security update

History

Fri, 03 Apr 2026 14:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H'}
Values Added: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 18 Mar 2026 15:00:00 +0000

Type: Weaknesses
Values Added: CWE-362

Type: CPEs
Values Added:
cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*

Type: Metrics
Values Removed: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Thu, 19 Feb 2026 16:15:00 +0000


Tue, 17 Feb 2026 00:15:00 +0000

Type: References

Type: Metrics
Values Removed: threat_severity None
Values Added: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Values Added: threat_severity Important


Mon, 16 Feb 2026 09:30:00 +0000


Sat, 14 Feb 2026 16:15:00 +0000

Type: Description
Values Added: In the Linux kernel, the following vulnerability has been resolved: mptcp: fix race in mptcp_pm_nl_flush_addrs_doit() syzbot and Eulgyu Kim reported crashes in mptcp_pm_nl_get_local_id() and/or mptcp_pm_nl_is_backup() Root cause is list_splice_init() in mptcp_pm_nl_flush_addrs_doit() which is not RCU ready. list_splice_init_rcu() can not be called here while holding pernet->lock spinlock. Many thanks to Eulgyu Kim for providing a repro and testing our patches.

Type: Title
Values Added: mptcp: fix race in mptcp_pm_nl_flush_addrs_doit()

Type: First Time appeared
Values Added: Linux; Linux linux Kernel

Type: CPEs
Values Added: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Linux; Linux linux Kernel

Type: References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-03T13:32:08.297Z

Reserved: 2026-01-13T15:37:45.982Z

Link: CVE-2026-23169

Vulnrichment

No data.

NVD

Status : Modified

Published: 2026-02-14T16:15:57.147

Modified: 2026-04-03T14:16:24.997

Link: CVE-2026-23169

Redhat

Severity : Important

Public Date: 2026-02-14T00:00:00Z

Links: CVE-2026-23169 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T07:00:10Z

Weaknesses