Linux Kernel MPTCP Unaccepted Socket Use-After-Free Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's implementation of Multipath TCP (MPTCP). This issue arises when a listener socket is closed, freeing unaccepted subflows and leading to the deletion of paired MPTCP sockets. If the MPTCP socket's worker accesses the 'first' field of the MPTCP socket during this interval, it can cause a use-after-free condition, as the subflow cleanup does not clear that field. The vulnerability has been addressed by explicitly traversing the listener socket's accept queue at close time and performing the necessary cleanup on pending MPTCP sockets, although this requires careful management of socket locks.
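A small user-space model of the lifetime problem and the fix described above. This is an added example, not kernel code or the upstream patch. All struct and function names are hypothetical, and freed memory is modelled with a `live` flag so the stale access can be detected without undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model: every name below is hypothetical, not a kernel symbol. */
struct msk;
struct subflow { int live; struct msk *owner; };   /* live == 0 models freed memory */
struct msk { struct subflow *first; };             /* 'first' is the field the worker reads */
struct listener { struct subflow *queue[4]; size_t n; };  /* unaccepted subflows */

/* Subflow cleanup as the page describes it: frees the subflow, leaves msk->first alone. */
static void subflow_release(struct subflow *sf) { sf->live = 0; }

/* Before the fix: closing the listener only frees the unaccepted subflows. */
static void listener_close_buggy(struct listener *l) {
    for (size_t i = 0; i < l->n; i++)
        subflow_release(l->queue[i]);
    l->n = 0;
}

/* After the fix: walk the accept queue and clean up each pending msk explicitly. */
static void listener_close_fixed(struct listener *l) {
    for (size_t i = 0; i < l->n; i++) {
        struct subflow *sf = l->queue[i];
        /* In the kernel this step needs the msk socket lock held (not modelled here). */
        if (sf->owner && sf->owner->first == sf)
            sf->owner->first = NULL;   /* detach before the subflow goes away */
        subflow_release(sf);
    }
    l->n = 0;
}

/* Returns 1 if the worker would touch a freed subflow through msk->first. */
static int worker_stale_access(const struct msk *m) {
    return m->first != NULL && !m->first->live;
}

/* One unaccepted connection; the worker runs after close, before the msk is deleted. */
static int run_scenario(int fixed) {
    struct msk m = { NULL };
    struct subflow sf = { 1, &m };
    struct listener l = { { &sf }, 1 };
    m.first = &sf;
    if (fixed) listener_close_fixed(&l); else listener_close_buggy(&l);
    return worker_stale_access(&m);
}

int main(void) {
    printf("buggy close: stale=%d\n", run_scenario(0));
    printf("fixed close: stale=%d\n", run_scenario(1));
    return 0;
}
```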

Impact

Exploitation of this vulnerability can lead to a use-after-free condition, potentially allowing for arbitrary code execution or memory corruption.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 3.5
remediation: 0.0
relevance: 0.0
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.