Linux Kernel MPTCP Race Condition Vulnerability Leading to NULL Pointer Dereference

Vulnerability

A race condition has been identified in the Linux kernel's Multipath TCP (MPTCP) implementation in versions prior to 6.5.0. The flaw is a timing window between the disconnect (or shutdown) path of an MPTCP listener socket and the path that accepts new connections on it. It was introduced by an earlier commit that fixed a potential divide-by-zero error but, in doing so, opened the race: the MPTCP accept function does not take the locks that would serialise it against listener teardown, so an accepted socket can be processed just before cleanup of the listener socket completes. The accept path then touches state that teardown has already released, dereferences a NULL pointer and crashes the kernel.

Impact

Triggering the race causes a NULL pointer dereference in kernel context and a kernel panic. Because the fault happens inside the kernel rather than in the process that hit the window, the crash takes down the whole host and every workload on it. The reported impact is denial of service only.

Reproduction

The race is reached by having a connection accepted from an MPTCP listener while that listener is being disconnected or shut down: one context initiates the disconnect while another calls accept() on the same listener socket. Because the window between the start of listener cleanup and its completion is narrow, reproduction is probabilistic; the disconnect-then-accept sequence generally has to be repeated until one attempt lands inside the window.

Remediation

Upgrade to Linux kernel 6.5.0 or later, where this race is fixed.
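As an added check, not part of the advisory itself: a small POSIX shell helper that compares the running kernel release against the 6.5.0 threshold named above and reports whether MPTCP is actually switched on. The 6.5.0 figure comes from the advisory; the `net.mptcp.enabled` sysctl is a standard kernel knob that the advisory does not mention, added here because a kernel with MPTCP disabled cannot create new MPTCP sockets and so cannot reach the affected accept path. The verdict strings are this example's own.

```shell
#!/bin/sh
# Added example, not part of the advisory: report whether this host's kernel
# predates the mainline MPTCP fix (6.5.0 per the advisory) and whether MPTCP
# is enabled at all. net.mptcp.enabled is a standard kernel sysctl that the
# advisory itself does not mention.

FIXED_VERSION="6.5.0"

# Reduce a kernel release string to "major.minor.patch":
# "6.4.12-arch1-1" -> "6.4.12", "6.5" -> "6.5.0".
normalize_version() {
    v=$(printf '%s\n' "$1" | sed -E 's/^([0-9]+(\.[0-9]+){0,2}).*$/\1/')
    case "$v" in
        *.*.*) ;;
        *.*)   v="$v.0" ;;
        *)     v="$v.0.0" ;;
    esac
    printf '%s\n' "$v"
}

# version_ge A B: succeed (exit 0) when A >= B, comparing fields numerically
# so that 6.10 sorts after 6.5 (a plain string compare would get this wrong).
version_ge() {
    a=$(normalize_version "$1")
    b=$(normalize_version "$2")
    # $1..$3 become A's fields, $4..$6 become B's fields.
    set -- $(printf '%s %s\n' "$a" "$b" | tr '.' ' ')
    if [ "$1" -gt "$4" ]; then return 0; fi
    if [ "$1" -lt "$4" ]; then return 1; fi
    if [ "$2" -gt "$5" ]; then return 0; fi
    if [ "$2" -lt "$5" ]; then return 1; fi
    [ "$3" -ge "$6" ]
}

# mptcp_exposure RELEASE ENABLED: combine the version check with the sysctl
# value ("1", "0", or "" when the sysctl is absent) into one verdict string.
mptcp_exposure() {
    rel=$1
    en=$2
    if version_ge "$rel" "$FIXED_VERSION"; then
        echo "fixed-version"
    elif [ "$en" = "1" ]; then
        echo "exposed"
    elif [ -z "$en" ]; then
        echo "mptcp-not-built"
    else
        echo "vulnerable-version-mptcp-disabled"
    fi
}

# Stand-alone run against the live host. The sysctl read falls back to
# /proc and then to empty, so the script works on kernels without MPTCP.
running=$(uname -r)
enabled=$(sysctl -n net.mptcp.enabled 2>/dev/null \
          || cat /proc/sys/net/mptcp/enabled 2>/dev/null \
          || true)
printf 'kernel %s, net.mptcp.enabled=%s -> %s\n' \
    "$running" "${enabled:-absent}" "$(mptcp_exposure "$running" "$enabled")"
```

Two caveats on the verdict. First, the comparison is purely by version number: distribution and stable kernels routinely carry fixes backported under an older version string, so "exposed" on such a kernel means "check the changelog", not "confirmed vulnerable", and the only authoritative check is whether the kernel's source contains the fix. Second, release-candidate strings such as 6.5.0-rc1 are normalised to 6.5.0 and therefore treated as fixed, which may not hold for an early rc.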

Added: Oct 1, 2025, 2:07 PM
Updated: Oct 1, 2025, 2:07 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 0.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.