Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the Linux kernel's Multipath TCP (MPTCP) implementation, specifically within the 'mptcp_schedule_work()' function. The vulnerability arises from a race condition: the function schedules a work item and only then increments the reference count of the associated socket. The scheduled work can complete before the reference count has been incremented, leading to a use-after-free scenario. The issue has been addressed in the Linux kernel stable tree.
Exploitation of this vulnerability can lead to a use-after-free condition, potentially allowing for arbitrary code execution or memory corruption.
The vulnerability can be reproduced by invoking the 'mptcp_schedule_work()' function in a context where the work scheduling is performed, followed by an immediate execution of the 'mptcp_worker()' function. This can be achieved by manipulating the timing of these function calls, such as through the use of a high-frequency timer or by scheduling the work on a separate CPU core.
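The schedule-then-hold ordering from the description, with the worker running immediately as in the reproduction note, can be stepped through deterministically in userspace. This added example is not kernel code or the upstream patch: `model_sock` and the `model_*` helpers are constructed names, the scheduler is assumed to run the worker to completion before returning (the worst case), and taking the reference before queuing is the usual remedy for this pattern, assumed here rather than taken from the page.

```c
#include <stdbool.h>

/* Constructed stand-in for a refcounted socket. "freed" is a flag, not a
 * real free(), so a late access is recorded instead of corrupting memory. */
struct model_sock { int refcnt; bool freed, pending, late_access; };

static void model_hold(struct model_sock *sk) {
    if (sk->freed) sk->late_access = true;  /* touch after release */
    sk->refcnt++;
}

static void model_put(struct model_sock *sk) { if (--sk->refcnt == 0) sk->freed = true; }

/* Worker: clears the pending bit, then drops the reference meant for it. */
static void model_worker(struct model_sock *sk) {
    sk->pending = false;
    model_put(sk);
}

/* Assumed worst-case scheduler: the worker finishes before this returns.
 * Returns false when work was already queued. */
static bool model_schedule(struct model_sock *sk) {
    if (sk->pending) return false;
    sk->pending = true;
    model_worker(sk);
    return true;
}

/* Ordering described on the page: queue first, take the reference after. */
static bool schedule_then_hold(struct model_sock *sk) {
    if (!model_schedule(sk)) return false;
    model_hold(sk);
    return true;
}

/* Reordered: reference first, dropped again if nothing was queued. */
static bool hold_then_schedule(struct model_sock *sk) {
    model_hold(sk);
    if (model_schedule(sk)) return true;
    model_put(sk);
    return false;
}

int main(void) {
    struct model_sock a = { .refcnt = 1 }, b = { .refcnt = 1 };
    schedule_then_hold(&a);
    hold_then_schedule(&b);
    return (a.late_access && !b.late_access) ? 0 : 1;
}
```

In the first ordering the worker's put consumes the caller's only reference, so the later hold lands on a released object; in the second the count never drops below the caller's own reference.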
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.