CVE-2026-23169

Summary

In the Linux kernel, the following vulnerability has been resolved:

mptcp: fix race in mptcp_pm_nl_flush_addrs_doit()

syzbot and Eulgyu Kim reported crashes in mptcp_pm_nl_get_local_id() and/or mptcp_pm_nl_is_backup()

Root cause is list_splice_init() in mptcp_pm_nl_flush_addrs_doit() which is not RCU ready.

list_splice_init_rcu() can not be called here while holding pernet->lock spinlock.

Many thanks to Eulgyu Kim for providing a repro and testing our patches.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux141694df6573b49aa4143c92556544b4b0bbda72 < 338d40bab283da2639780ee3e458fb61f1567d8caffected
LinuxLinux141694df6573b49aa4143c92556544b4b0bbda72 < 7896dbe990d56d5bb8097863b2645355633665ebaffected
LinuxLinux141694df6573b49aa4143c92556544b4b0bbda72 < 455e882192c9833f176f3fbbbb2f036b6c5bf555affected
LinuxLinux141694df6573b49aa4143c92556544b4b0bbda72 < 51223bdd0f60b06cfc7f25885c4d4be917adba94affected
LinuxLinux141694df6573b49aa4143c92556544b4b0bbda72 < 1f1b9523527df02685dde603f20ff6e603d8e4a1affected
LinuxLinux141694df6573b49aa4143c92556544b4b0bbda72 < e2a9eeb69f7d4ca4cf4c70463af77664fdb6ab1daffected
LinuxLinux5.11affected
LinuxLinux0 < 5.11unaffected
LinuxLinux5.15.201 <= 5.15.*unaffected
LinuxLinux6.1.164 <= 6.1.*unaffected
LinuxLinux6.6.125 <= 6.6.*unaffected
LinuxLinux6.12.72 <= 6.12.*unaffected
LinuxLinux6.18.9 <= 6.18.*unaffected
LinuxLinux6.19 <= *unaffected

Weaknesses

References