CRITICAL
net/tcp SynRecv Race
CVE-2026-43198
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KernelScan AI7.4HIGH
01Description
In the Linux kernel, the following vulnerability has been resolved: tcp: fix potential race in tcp_v6_syn_recv_sock() Code in tcp_v6_syn_recv_sock() after the call to tcp_v4_syn_recv_sock() is done too late. After tcp_v4_syn_recv_sock(), the child socket is already visible from TCP ehash table and other cpus might use it. Since newinet->pinet6 is still pointing to the listener ipv6_pinfo bad things can happen as syzbot found. Move the problematic code in tcp_v6_mapped_child_init() and call this new helper from tcp_v4_syn_recv_sock() before the ehash insertion. This allows the removal of one tcp_sync_mss(), since tcp_v4_syn_recv_sock() will call it with the correct context.
02KernelScan AI Analysis
Risk summary
A race condition in TCP IPv6 socket creation allows remote attackers to trigger memory corruption during high connection load. The vulnerability affects systems accepting IPv6-mapped IPv4 TCP connections and can lead to kernel crashes or potential code execution.
Vulnerability analysis
The race occurs in tcp_v6_syn_recv_sock() where IPv6-specific socket initialization happens after the socket becomes visible in the TCP ehash table via tcp_v4_syn_recv_sock(). During the window between ehash insertion and IPv6 initialization, other CPUs can access the socket while newinet->pinet6 still points to the listener's ipv6_pinfo structure instead of the child's copy. The fix moves initialization into tcp_v6_mapped_child_init() and calls it before ehash insertion, eliminating the race window. This is network-reachable but requires precise timing and high connection load to exploit.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.16 | fe89b2f05b85 |
| 6.19 | 6.19.6 | 7178e2a80274 |
| mainline | 7.0 | 858d2a4f67ff |