HIGH
mptcp AddressList Race
CVE-2026-23169
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI7.8HIGH
01Description
In the Linux kernel, the following vulnerability has been resolved: mptcp: fix race in mptcp_pm_nl_flush_addrs_doit() syzbot and Eulgyu Kim reported crashes in mptcp_pm_nl_get_local_id() and/or mptcp_pm_nl_is_backup() Root cause is list_splice_init() in mptcp_pm_nl_flush_addrs_doit() which is not RCU ready. list_splice_init_rcu() can not be called here while holding pernet->lock spinlock. Many thanks to Eulgyu Kim for providing a repro and testing our patches.
02KernelScan AI Analysis
Risk summary
A race condition in MPTCP's address flushing mechanism can cause kernel crashes when multiple processes concurrently access MPTCP configuration. An attacker with network administration privileges could potentially trigger this race to cause denial of service through kernel crashes. The vulnerability requires local access and elevated privileges, limiting its impact to scenarios where untrusted code runs with network configuration capabilities.
Vulnerability analysis
Root Cause: The original code used list_splice_init() to move the endpoint list from pernet->endp_list to a local free_list while holding a spinlock. This operation is not RCU-safe because list_splice_init() doesn't properly handle RCU readers that might be concurrently accessing the list. RCU readers in mptcp_pm_nl_get_local_id() and mptcp_pm_nl_is_backup() could access freed or corrupted list entries, leading to crashes.
Attack Surface: This vulnerability affects MPTCP (Multipath TCP) path manager functionality accessible through netlink sockets. It requires local access with sufficient privileges to manipulate MPTCP configuration via netlink, typically requiring CAP_NET_ADMIN capability. The race condition occurs during address flushing operations and could be triggered by concurrent netlink operations.
Fix Mechanism: The fix replaces the unsafe list_splice_init() with a manual RCU-safe list manipulation. It copies the list head structure, initializes the original list with INIT_LIST_HEAD_RCU(), releases the spinlock, calls synchronize_rcu() to wait for all RCU readers to complete, then manually adjusts the copied list pointers to make it a proper standalone list before processing it. This ensures RCU readers cannot access the list during the critical transition period.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.15 | 5.15.201 | 338d40bab283 |
| 6.1 | 6.1.164 | 7896dbe990d5 |
| 6.12 | 6.12.72 | 51223bdd0f60 |
| 6.18 | 6.18.9 | 1f1b9523527d |
| 6.6 | 6.6.125 | 455e882192c9 |
| mainline | 6.19 | e2a9eeb69f7d |