CVE-2026-23321
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
25/03/2026
Last modified:
23/04/2026
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
mptcp: pm: in-kernel: always mark signal+subflow endp as used<br />
<br />
Syzkaller managed to find a combination of actions that was generating<br />
this warning:<br />
<br />
msk->pm.local_addr_used == 0<br />
WARNING: net/mptcp/pm_kernel.c:1071 at __mark_subflow_endp_available net/mptcp/pm_kernel.c:1071 [inline], CPU#1: syz.2.17/961<br />
WARNING: net/mptcp/pm_kernel.c:1071 at mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_kernel.c:1103 [inline], CPU#1: syz.2.17/961<br />
WARNING: net/mptcp/pm_kernel.c:1071 at mptcp_pm_nl_del_addr_doit+0x81d/0x8f0 net/mptcp/pm_kernel.c:1210, CPU#1: syz.2.17/961<br />
Modules linked in:<br />
CPU: 1 UID: 0 PID: 961 Comm: syz.2.17 Not tainted 6.19.0-08368-gfafda3b4b06b #22 PREEMPT(full)<br />
Hardware name: QEMU Ubuntu 25.10 PC v2 (i440FX + PIIX, + 10.1 machine, 1996), BIOS 1.17.0-debian-1.17.0-1build1 04/01/2014<br />
RIP: 0010:__mark_subflow_endp_available net/mptcp/pm_kernel.c:1071 [inline]<br />
RIP: 0010:mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_kernel.c:1103 [inline]<br />
RIP: 0010:mptcp_pm_nl_del_addr_doit+0x81d/0x8f0 net/mptcp/pm_kernel.c:1210<br />
Code: 89 c5 e8 46 30 6f fe e9 21 fd ff ff 49 83 ed 80 e8 38 30 6f fe 4c 89 ef be 03 00 00 00 e8 db 49 df fe eb ac e8 24 30 6f fe 90 0b 90 e9 1d ff ff ff e8 16 30 6f fe eb 05 e8 0f 30 6f fe e8 9a<br />
RSP: 0018:ffffc90001663880 EFLAGS: 00010293<br />
RAX: ffffffff82de1a6c RBX: 0000000000000000 RCX: ffff88800722b500<br />
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000<br />
RBP: ffff8880158b22d0 R08: 0000000000010425 R09: ffffffffffffffff<br />
R10: ffffffff82de18ba R11: 0000000000000000 R12: ffff88800641a640<br />
R13: ffff8880158b1880 R14: ffff88801ec3c900 R15: ffff88800641a650<br />
FS: 00005555722c3500(0000) GS:ffff8880f909d000(0000) knlGS:0000000000000000<br />
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br />
CR2: 00007f66346e0f60 CR3: 000000001607c000 CR4: 0000000000350ef0<br />
Call Trace:<br />
<br />
genl_family_rcv_msg_doit+0x117/0x180 net/netlink/genetlink.c:1115<br />
genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]<br />
genl_rcv_msg+0x3a8/0x3f0 net/netlink/genetlink.c:1210<br />
netlink_rcv_skb+0x16d/0x240 net/netlink/af_netlink.c:2550<br />
genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219<br />
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]<br />
netlink_unicast+0x3e9/0x4c0 net/netlink/af_netlink.c:1344<br />
netlink_sendmsg+0x4aa/0x5b0 net/netlink/af_netlink.c:1894<br />
sock_sendmsg_nosec net/socket.c:727 [inline]<br />
__sock_sendmsg+0xc9/0xf0 net/socket.c:742<br />
____sys_sendmsg+0x272/0x3b0 net/socket.c:2592<br />
___sys_sendmsg+0x2de/0x320 net/socket.c:2646<br />
__sys_sendmsg net/socket.c:2678 [inline]<br />
__do_sys_sendmsg net/socket.c:2683 [inline]<br />
__se_sys_sendmsg net/socket.c:2681 [inline]<br />
__x64_sys_sendmsg+0x110/0x1a0 net/socket.c:2681<br />
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]<br />
do_syscall_64+0x143/0x440 arch/x86/entry/syscall_64.c:94<br />
entry_SYSCALL_64_after_hwframe+0x77/0x7f<br />
RIP: 0033:0x7f66346f826d<br />
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48<br />
RSP: 002b:00007ffc83d8bdc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e<br />
RAX: ffffffffffffffda RBX: 00007f6634985fa0 RCX: 00007f66346f826d<br />
RDX: 00000000040000b0 RSI: 0000200000000740 RDI: 0000000000000007<br />
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000<br />
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6634985fa8<br />
R13: 00007f6634985fac R14: 0000000000000000 R15: 0000000000001770<br />
<br />
<br />
The actions that caused that seem to be:<br />
<br />
- Set the MPTCP subflows limit to 0<br />
- Create an MPTCP endpoint with both the &#39;signal&#39; and &#39;subflow&#39; flags<br />
- Create a new MPTCP connection from a different address: an ADD_ADDR<br />
linked to the MPTCP endpoint will be sent (&#39;signal&#39; flag), but no<br />
subflows is initiated (&#39;subflow&#39; flag)<br />
- Remove the MPTCP endpoint<br />
<br />
---truncated---
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.1.106 (including) | 6.1.167 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.6.46 (including) | 6.6.130 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.10.5 (including) | 6.11 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.11.1 (including) | 6.12.78 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.18.17 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (including) | 6.19.7 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.11:-:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/05799c2f1ca5eb13d65764dda688d02021b65e06
- https://git.kernel.org/stable/c/198824ccfa64ffebd918bf99c939bd8170a4a4d8
- https://git.kernel.org/stable/c/579a752464a64cb5f9139102f0e6b90a1f595ceb
- https://git.kernel.org/stable/c/67f34ab318807989b57dfdb0f79e2d4e57018290
- https://git.kernel.org/stable/c/a64aa7db39392add5be09dffaedbf1f0ce5554df
- https://git.kernel.org/stable/c/c5c877e140e5f46023a74a51e577ce5edd0a4be7