CVE-2026-31669

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mptcp: fix slab-use-after-free in __inet_lookup_established<br /> <br /> The ehash table lookups are lockless and rely on<br /> SLAB_TYPESAFE_BY_RCU to guarantee socket memory stability<br /> during RCU read-side critical sections. Both tcp_prot and<br /> tcpv6_prot have their slab caches created with this flag<br /> via proto_register().<br /> <br /> However, MPTCP&amp;#39;s mptcp_subflow_init() copies tcpv6_prot into<br /> tcpv6_prot_override during inet_init() (fs_initcall, level 5),<br /> before inet6_init() (module_init/device_initcall, level 6) has<br /> called proto_register(&amp;tcpv6_prot). At that point,<br /> tcpv6_prot.slab is still NULL, so tcpv6_prot_override.slab<br /> remains NULL permanently.<br /> <br /> This causes MPTCP v6 subflow child sockets to be allocated via<br /> kmalloc (falling into kmalloc-4k) instead of the TCPv6 slab<br /> cache. The kmalloc-4k cache lacks SLAB_TYPESAFE_BY_RCU, so<br /> when these sockets are freed without SOCK_RCU_FREE (which is<br /> cleared for child sockets by design), the memory can be<br /> immediately reused. Concurrent ehash lookups under<br /> rcu_read_lock can then access freed memory, triggering a<br /> slab-use-after-free in __inet_lookup_established.<br /> <br /> Fix this by splitting the IPv6-specific initialization out of<br /> mptcp_subflow_init() into a new mptcp_subflow_v6_init(), called<br /> from mptcp_proto_v6_init() before protocol registration. This<br /> ensures tcpv6_prot_override.slab correctly inherits the<br /> SLAB_TYPESAFE_BY_RCU slab cache.