PatchSiren cyber security CVE debrief
CVE-2026-31669 Linux CVE debrief
A slab-use-after-free vulnerability was found in the Linux kernel's __inet_lookup_established function. This issue arises from MPTCP's mptcp_subflow_init() function copying tcpv6_prot into tcpv6_prot_override before inet6_init() has called proto_register(&tcpv6_prot), leading to MPTCP v6 subflow child sockets being allocated via kmalloc instead of the TCPv6 slab cache. This causes a slab-use-after-free when concurrent ehash lookups access freed memory under rcu_read_lock.
- Vendor
- Linux
- Product
- Unknown
- CVSS
- CRITICAL 9.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-04-24
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-04-24
- Advisory updated
- 2026-07-14
Who should care
Linux kernel users and administrators should be aware of this vulnerability, as it can lead to potential crashes or code execution. Users of Linux kernel versions 5.12.1 to 5.15.203, 5.16 to 6.1.169, 6.2 to 6.6.135, 6.7 to 6.12.82, 6.13 to 6.18.23, 6.19 to 6.19.13, and 7.0 rc1 to rc7 are affected.
Technical summary
The vulnerability is caused by the incorrect initialization of the tcpv6_prot_override slab cache in MPTCP's mptcp_subflow_init() function. This function is called before inet6_init(), which initializes the tcpv6_prot slab cache with the SLAB_TYPESAFE_BY_RCU flag. As a result, MPTCP v6 subflow child sockets are allocated via kmalloc, which lacks SLAB_TYPESAFE_BY_RCU. This leads to a slab-use-after-free vulnerability in __inet_lookup_established when concurrent ehash lookups access freed memory under rcu_read_lock.
Defensive priority
High
Recommended defensive actions
- Apply the official patches provided by the Linux kernel maintainers.
- Update Linux kernel to a version that includes the fix, such as 5.15.204, 6.1.170, 6.6.136, 6.12.83, 6.18.24, or 6.19.14.
- Use a supported Linux kernel version and keep it up-to-date.
- Monitor system logs for potential crashes or errors related to the Linux kernel.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
Evidence notes
The CVE record was published on 2026-04-24T15:16:46.663Z and was last modified on 2026-07-14T13:18:47.573Z. The NVD entry is currently Modified. This slab-use-after-free vulnerability in the Linux kernel's __inet_lookup_established function arises from MPTCP's mptcp_subflow_init() function copying tcpv6_prot into tcpv6_prot_override before inet6_init() has called proto_register(&tcpv6_prot). As a result, MPTCP v6 subflow child sockets are allocated via kmalloc instead of the TCPv6 slab cache, leading to a slab-use-after-free when concurrent ehash lookups access freed memory under rcu_read_lock. Evidence is limited to public CVE and NVD records.
Official resources
-
CVE-2026-31669 CVE record
CVE.org
-
CVE-2026-31669 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-04-24T15:16:46.663Z and has not been modified since then. The NVD entry is currently Modified.