{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23321", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.996Z", "datePublished": "2026-03-25T10:27:15.125Z", "dateUpdated": "2026-03-25T10:27:15.125Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:27:15.125Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: pm: in-kernel: always mark signal+subflow endp as used\n\nSyzkaller managed to find a combination of actions that was generating\nthis warning:\n\n msk->pm.local_addr_used == 0\n WARNING: net/mptcp/pm_kernel.c:1071 at __mark_subflow_endp_available net/mptcp/pm_kernel.c:1071 [inline], CPU#1: syz.2.17/961\n WARNING: net/mptcp/pm_kernel.c:1071 at mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_kernel.c:1103 [inline], CPU#1: syz.2.17/961\n WARNING: net/mptcp/pm_kernel.c:1071 at mptcp_pm_nl_del_addr_doit+0x81d/0x8f0 net/mptcp/pm_kernel.c:1210, CPU#1: syz.2.17/961\n Modules linked in:\n CPU: 1 UID: 0 PID: 961 Comm: syz.2.17 Not tainted 6.19.0-08368-gfafda3b4b06b #22 PREEMPT(full)\n Hardware name: QEMU Ubuntu 25.10 PC v2 (i440FX + PIIX, + 10.1 machine, 1996), BIOS 1.17.0-debian-1.17.0-1build1 04/01/2014\n RIP: 0010:__mark_subflow_endp_available net/mptcp/pm_kernel.c:1071 [inline]\n RIP: 0010:mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_kernel.c:1103 [inline]\n RIP: 0010:mptcp_pm_nl_del_addr_doit+0x81d/0x8f0 net/mptcp/pm_kernel.c:1210\n Code: 89 c5 e8 46 30 6f fe e9 21 fd ff ff 49 83 ed 80 e8 38 30 6f fe 4c 89 ef be 03 00 00 00 e8 db 49 df fe eb ac e8 24 30 6f fe 90 <0f> 0b 90 e9 1d ff ff ff e8 16 30 6f fe eb 05 e8 0f 30 6f fe e8 9a\n RSP: 0018:ffffc90001663880 EFLAGS: 00010293\n RAX: ffffffff82de1a6c RBX: 0000000000000000 RCX: ffff88800722b500\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n RBP: ffff8880158b22d0 R08: 0000000000010425 R09: ffffffffffffffff\n R10: ffffffff82de18ba R11: 0000000000000000 R12: ffff88800641a640\n R13: ffff8880158b1880 R14: ffff88801ec3c900 R15: ffff88800641a650\n FS: 00005555722c3500(0000) GS:ffff8880f909d000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f66346e0f60 CR3: 000000001607c000 CR4: 0000000000350ef0\n Call Trace:\n <TASK>\n genl_family_rcv_msg_doit+0x117/0x180 net/netlink/genetlink.c:1115\n genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\n genl_rcv_msg+0x3a8/0x3f0 net/netlink/genetlink.c:1210\n netlink_rcv_skb+0x16d/0x240 net/netlink/af_netlink.c:2550\n genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219\n netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\n netlink_unicast+0x3e9/0x4c0 net/netlink/af_netlink.c:1344\n netlink_sendmsg+0x4aa/0x5b0 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg+0xc9/0xf0 net/socket.c:742\n ____sys_sendmsg+0x272/0x3b0 net/socket.c:2592\n ___sys_sendmsg+0x2de/0x320 net/socket.c:2646\n __sys_sendmsg net/socket.c:2678 [inline]\n __do_sys_sendmsg net/socket.c:2683 [inline]\n __se_sys_sendmsg net/socket.c:2681 [inline]\n __x64_sys_sendmsg+0x110/0x1a0 net/socket.c:2681\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0x143/0x440 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n RIP: 0033:0x7f66346f826d\n Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48\n RSP: 002b:00007ffc83d8bdc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\n RAX: ffffffffffffffda RBX: 00007f6634985fa0 RCX: 00007f66346f826d\n RDX: 00000000040000b0 RSI: 0000200000000740 RDI: 0000000000000007\n RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6634985fa8\n R13: 00007f6634985fac R14: 0000000000000000 R15: 0000000000001770\n </TASK>\n\nThe actions that caused that seem to be:\n\n - Set the MPTCP subflows limit to 0\n - Create an MPTCP endpoint with both the 'signal' and 'subflow' flags\n - Create a new MPTCP connection from a different address: an ADD_ADDR\n linked to the MPTCP endpoint will be sent ('signal' flag), but no\n subflows is initiated ('subflow' flag)\n - Remove the MPTCP endpoint\n\n---truncated---"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/mptcp/pm_kernel.c"], "versions": [{"version": "d93cf38fad9f66397093432b8917971a92ee0146", "lessThan": "c5c877e140e5f46023a74a51e577ce5edd0a4be7", "status": "affected", "versionType": "git"}, {"version": "64815ba15880ce5f99df075fa4104fef170ac7e5", "lessThan": "05799c2f1ca5eb13d65764dda688d02021b65e06", "status": "affected", "versionType": "git"}, {"version": "85df533a787bf07bf4367ce2a02b822ff1fba1a3", "lessThan": "67f34ab318807989b57dfdb0f79e2d4e57018290", "status": "affected", "versionType": "git"}, {"version": "85df533a787bf07bf4367ce2a02b822ff1fba1a3", "lessThan": "a64aa7db39392add5be09dffaedbf1f0ce5554df", "status": "affected", "versionType": "git"}, {"version": "85df533a787bf07bf4367ce2a02b822ff1fba1a3", "lessThan": "198824ccfa64ffebd918bf99c939bd8170a4a4d8", "status": "affected", "versionType": "git"}, {"version": "85df533a787bf07bf4367ce2a02b822ff1fba1a3", "lessThan": "579a752464a64cb5f9139102f0e6b90a1f595ceb", "status": "affected", "versionType": "git"}, {"version": "0f21cc29bc13e86512621727a4388c8a7ad2716b", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/mptcp/pm_kernel.c"], "versions": [{"version": "6.11", "status": "affected"}, {"version": "0", "lessThan": "6.11", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.106", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.46", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "7.0-rc3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10.5"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/c5c877e140e5f46023a74a51e577ce5edd0a4be7"}, {"url": "https://git.kernel.org/stable/c/05799c2f1ca5eb13d65764dda688d02021b65e06"}, {"url": "https://git.kernel.org/stable/c/67f34ab318807989b57dfdb0f79e2d4e57018290"}, {"url": "https://git.kernel.org/stable/c/a64aa7db39392add5be09dffaedbf1f0ce5554df"}, {"url": "https://git.kernel.org/stable/c/198824ccfa64ffebd918bf99c939bd8170a4a4d8"}, {"url": "https://git.kernel.org/stable/c/579a752464a64cb5f9139102f0e6b90a1f595ceb"}], "title": "mptcp: pm: in-kernel: always mark signal+subflow endp as used", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: pm: in-kernel: always mark signal+subflow endp as used\n\nSyzkaller managed to find a combination of actions that was generating\nthis warning:\n\n msk->pm.local_addr_used == 0\n WARNING: net/mptcp/pm_kernel.c:1071 at __mark_subflow_endp_available net/mptcp/pm_kernel.c:1071 [inline], CPU#1: syz.2.17/961\n WARNING: net/mptcp/pm_kernel.c:1071 at mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_kernel.c:1103 [inline], CPU#1: syz.2.17/961\n WARNING: net/mptcp/pm_kernel.c:1071 at mptcp_pm_nl_del_addr_doit+0x81d/0x8f0 net/mptcp/pm_kernel.c:1210, CPU#1: syz.2.17/961\n Modules linked in:\n CPU: 1 UID: 0 PID: 961 Comm: syz.2.17 Not tainted 6.19.0-08368-gfafda3b4b06b #22 PREEMPT(full)\n Hardware name: QEMU Ubuntu 25.10 PC v2 (i440FX + PIIX, + 10.1 machine, 1996), BIOS 1.17.0-debian-1.17.0-1build1 04/01/2014\n RIP: 0010:__mark_subflow_endp_available net/mptcp/pm_kernel.c:1071 [inline]\n RIP: 0010:mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_kernel.c:1103 [inline]\n RIP: 0010:mptcp_pm_nl_del_addr_doit+0x81d/0x8f0 net/mptcp/pm_kernel.c:1210\n Code: 89 c5 e8 46 30 6f fe e9 21 fd ff ff 49 83 ed 80 e8 38 30 6f fe 4c 89 ef be 03 00 00 00 e8 db 49 df fe eb ac e8 24 30 6f fe 90 <0f> 0b 90 e9 1d ff ff ff e8 16 30 6f fe eb 05 e8 0f 30 6f fe e8 9a\n RSP: 0018:ffffc90001663880 EFLAGS: 00010293\n RAX: ffffffff82de1a6c RBX: 0000000000000000 RCX: ffff88800722b500\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n RBP: ffff8880158b22d0 R08: 0000000000010425 R09: ffffffffffffffff\n R10: ffffffff82de18ba R11: 0000000000000000 R12: ffff88800641a640\n R13: ffff8880158b1880 R14: ffff88801ec3c900 R15: ffff88800641a650\n FS: 00005555722c3500(0000) GS:ffff8880f909d000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f66346e0f60 CR3: 000000001607c000 CR4: 0000000000350ef0\n Call Trace:\n <TASK>\n genl_family_rcv_msg_doit+0x117/0x180 net/netlink/genetlink.c:1115\n genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\n genl_rcv_msg+0x3a8/0x3f0 net/netlink/genetlink.c:1210\n netlink_rcv_skb+0x16d/0x240 net/netlink/af_netlink.c:2550\n genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219\n netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\n netlink_unicast+0x3e9/0x4c0 net/netlink/af_netlink.c:1344\n netlink_sendmsg+0x4aa/0x5b0 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg+0xc9/0xf0 net/socket.c:742\n ____sys_sendmsg+0x272/0x3b0 net/socket.c:2592\n ___sys_sendmsg+0x2de/0x320 net/socket.c:2646\n __sys_sendmsg net/socket.c:2678 [inline]\n __do_sys_sendmsg net/socket.c:2683 [inline]\n __se_sys_sendmsg net/socket.c:2681 [inline]\n __x64_sys_sendmsg+0x110/0x1a0 net/socket.c:2681\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0x143/0x440 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n RIP: 0033:0x7f66346f826d\n Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48\n RSP: 002b:00007ffc83d8bdc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\n RAX: ffffffffffffffda RBX: 00007f6634985fa0 RCX: 00007f66346f826d\n RDX: 00000000040000b0 RSI: 0000200000000740 RDI: 0000000000000007\n RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6634985fa8\n R13: 00007f6634985fac R14: 0000000000000000 R15: 0000000000001770\n </TASK>\n\nThe actions that caused that seem to be:\n\n - Set the MPTCP subflows limit to 0\n - Create an MPTCP endpoint with both the 'signal' and 'subflow' flags\n - Create a new MPTCP connection from a different address: an ADD_ADDR\n linked to the MPTCP endpoint will be sent ('signal' flag), but no\n subflows is initiated ('subflow' flag)\n - Remove the MPTCP endpoint\n\n---truncated---"}], "id": "CVE-2026-23321", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:28.900", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/05799c2f1ca5eb13d65764dda688d02021b65e06"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/198824ccfa64ffebd918bf99c939bd8170a4a4d8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/579a752464a64cb5f9139102f0e6b90a1f595ceb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/67f34ab318807989b57dfdb0f79e2d4e57018290"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a64aa7db39392add5be09dffaedbf1f0ce5554df"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c5c877e140e5f46023a74a51e577ce5edd0a4be7"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: mptcp: pm: in-kernel: always mark signal+subflow endp as used", "id": "2451159", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451159"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-911", "details": ["A flaw was found in the Linux kernel's Multipath TCP (MPTCP) implementation. A local user can exploit this vulnerability by performing a specific sequence of operations involving MPTCP subflows and endpoints. This includes setting the MPTCP subflow limit to zero, creating an MPTCP endpoint with both 'signal' and 'subflow' flags, establishing a new MPTCP connection, and then removing the MPTCP endpoint. This sequence of actions can trigger a kernel warning, potentially leading to system instability or a denial of service."], "name": "CVE-2026-23321", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23321\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23321\nhttps://lore.kernel.org/linux-cve-announce/2026032530-CVE-2026-23321-6059@gregkh/T"], "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-03-25T13:07:08.187657+00:00", "value": {"mitigation_remediation": ["Apply a recent kernel release that incorporates the MPTCP policy manager fix", "If an update is not available, reconfigure the kernel to disable Multipath TCP or unload the relevant modules to eliminate the vulnerable code path"], "summary": {"action": "Patch immediately", "impact": "Kernel crash causing denial of service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Linux kernel builds that include the unpatched MPTCP policy manager. The reported test used kernel 6.19.0-08368, so any kernel earlier than the one incorporating the fix that accepts MPTCP connections is likely susceptible. Hosts that have MPTCP enabled and receive control packets from network peers are at risk, while systems with MPTCP disabled are unaffected.", "description_and_impact": "A flaw in the Linux kernel\u2019s Multipath TCP policy manager triggers an assertion failure when an endpoint bearing both signal and subflow flags is improperly marked as used during cleanup. The resulting stack trace shows warning messages and indicates that the kernel may spin into a panic, leading to a full system reboot. The description implies that the bug can cause a crash, though a crash is not explicitly stated.", "risk_and_exploitability": "No CVSS or EPSS score is provided and the issue is not listed in CISA\u2019s KEV catalog. The fault can be triggered by sending crafted MPTCP control packets with a specific sequence of flags. Based on the description, it is inferred that a remote user with network access to a vulnerable system could exploit the flaw to crash the kernel, resulting in a denial\u2011of\u2011service attack. The attack does not require local privilege escalation, making it potentially realistic against exposed services."}}}}, "created": "2026-03-25T21:27:39.927251+00:00", "title": "Linux kernel Multipath TCP policy manager flaw causes kernel crash on endpoint removal", "updated": "2026-03-25T21:27:39.927278+00:00", "vendors": [], "weaknesses": ["CWE-535"]}