PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-31669 Linux CVE debrief

A slab-use-after-free vulnerability was found in the Linux kernel's __inet_lookup_established function. This issue arises from MPTCP's mptcp_subflow_init() function copying tcpv6_prot into tcpv6_prot_override before inet6_init() has called proto_register(&tcpv6_prot), leading to MPTCP v6 subflow child sockets being allocated via kmalloc instead of the TCPv6 slab cache. This causes a slab-use-after-free when concurrent ehash lookups access freed memory under rcu_read_lock.

Vendor
Linux
Product
Unknown
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-24
Original CVE updated
2026-07-14
Advisory published
2026-04-24
Advisory updated
2026-07-14

Who should care

Linux kernel users and administrators should be aware of this vulnerability, as it can lead to potential crashes or code execution. Users of Linux kernel versions 5.12.1 to 5.15.203, 5.16 to 6.1.169, 6.2 to 6.6.135, 6.7 to 6.12.82, 6.13 to 6.18.23, 6.19 to 6.19.13, and 7.0 rc1 to rc7 are affected.

Technical summary

The vulnerability is caused by the incorrect initialization of the tcpv6_prot_override slab cache in MPTCP's mptcp_subflow_init() function. This function is called before inet6_init(), which initializes the tcpv6_prot slab cache with the SLAB_TYPESAFE_BY_RCU flag. As a result, MPTCP v6 subflow child sockets are allocated via kmalloc, which lacks SLAB_TYPESAFE_BY_RCU. This leads to a slab-use-after-free vulnerability in __inet_lookup_established when concurrent ehash lookups access freed memory under rcu_read_lock.

Defensive priority

High

Recommended defensive actions

  • Apply the official patches provided by the Linux kernel maintainers.
  • Update Linux kernel to a version that includes the fix, such as 5.15.204, 6.1.170, 6.6.136, 6.12.83, 6.18.24, or 6.19.14.
  • Use a supported Linux kernel version and keep it up-to-date.
  • Monitor system logs for potential crashes or errors related to the Linux kernel.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

The CVE record was published on 2026-04-24T15:16:46.663Z and was last modified on 2026-07-14T13:18:47.573Z. The NVD entry is currently Modified. This slab-use-after-free vulnerability in the Linux kernel's __inet_lookup_established function arises from MPTCP's mptcp_subflow_init() function copying tcpv6_prot into tcpv6_prot_override before inet6_init() has called proto_register(&tcpv6_prot). As a result, MPTCP v6 subflow child sockets are allocated via kmalloc instead of the TCPv6 slab cache, leading to a slab-use-after-free when concurrent ehash lookups access freed memory under rcu_read_lock. Evidence is limited to public CVE and NVD records.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-04-24T15:16:46.663Z and has not been modified since then. The NVD entry is currently Modified.