Linux Kernel MPTCP Subflow Data Queueing Vulnerability

Vulnerability

A vulnerability in the Linux kernel's Multipath TCP (MPTCP) implementation allows data to be queued on subflows that have already been closed. This issue arises because MPTCP retransmissions can race with the closing of a subflow, leading the packet scheduler to mistakenly attempt to transmit data on a closed socket. The vulnerability affects Linux kernel versions 5.19.0-rc6 and prior.

Impact

Exploitation of this vulnerability can lead to a use-after-free condition, where the kernel attempts to access memory that has already been freed, potentially causing a crash or allowing for arbitrary code execution.

Reproduction

The vulnerability can be reproduced by initiating an MPTCP transmission over a subflow, then closing that subflow while the transmission is still in progress. This can be done by manually closing the subflow socket or by allowing the MPTCP connection to be terminated naturally. The race condition will cause the kernel to attempt to transmit data on the closed subflow, leading to the use-after-free vulnerability.

Remediation

Users can upgrade to the latest stable version of the Linux kernel to address this vulnerability.
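
An exposure check for the affected range stated above, as an added example that is not part of the original advisory: it compares a "uname -r" release string with 5.19.0-rc6 and reads the net.mptcp.enabled sysctl. The function names and result strings are this example's own, and it assumes upstream version numbering; distribution kernels that backport fixes keep older version numbers, so confirm a match against the vendor's advisory.

```python
import re
from pathlib import Path

# Last affected upstream release named in the advisory: 5.19.0-rc6.
LAST_AFFECTED = (5, 19, 0, 6)  # (major, minor, patch, rc); rc is None for a final release
RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")

def parse_release(release):
    """Turn a `uname -r` string into (major, minor, patch, rc_or_None)."""
    m = RELEASE_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = m.groups()
    return int(major), int(minor), int(patch or 0), int(rc) if rc else None

def _sort_key(version):
    major, minor, patch, rc = version
    # A release candidate sorts before the final release of the same version.
    return (major, minor, patch, 0 if rc is not None else 1, rc or 0)

def in_affected_range(release):
    """True when the release is 5.19.0-rc6 or earlier (upstream numbering assumed)."""
    return _sort_key(parse_release(release)) <= _sort_key(LAST_AFFECTED)

def mptcp_enabled(sysctl_path="/proc/sys/net/mptcp/enabled"):
    """True/False from the sysctl in the current network namespace,
    or None when the running kernel exposes no MPTCP sysctl."""
    try:
        return Path(sysctl_path).read_text().strip() != "0"
    except OSError:
        return None

def assess(release, enabled):
    """Combine the version check and the MPTCP state into one triage result."""
    if not in_affected_range(release):
        return "not in affected range"
    if enabled is None:
        return "affected version, MPTCP not present"
    if enabled:
        return "affected version, MPTCP enabled: upgrade"
    return "affected version, MPTCP disabled: upgrade, lower exposure"

if __name__ == "__main__":
    import platform
    print(assess(platform.release(), mptcp_enabled()))
```

A host reported as "affected version, MPTCP disabled" still needs the kernel upgrade; the disabled sysctl only means new MPTCP connections are not being created in that network namespace.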

Added: Jun 18, 2025, 6:20 PM
Updated: Jun 18, 2025, 6:20 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.