CVE-2026-23169
Published: 14 February 2026
Summary
CVE-2026-23169 is a high-severity Race Condition (CWE-362) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 0.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly requires timely remediation of the kernel race condition flaw through application of upstream patches, comprehensively eliminating the vulnerability.
Minimizes exposure to the MPTCP race condition by restricting or disabling unnecessary MPTCP functionality in the kernel.
Enables scanning for the specific kernel CVE-2026-23169 vulnerability and subsequent remediation to prevent exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel race condition enabling memory corruption and privilege escalation from low-privileged user context.
NVD Description
In the Linux kernel, the following vulnerability has been resolved:
mptcp: fix race in mptcp_pm_nl_flush_addrs_doit()
syzbot and Eulgyu Kim reported crashes in mptcp_pm_nl_get_local_id() and/or mptcp_pm_nl_is_backup()
Root cause is list_splice_init() in mptcp_pm_nl_flush_addrs_doit() which is not RCU ready.
list_splice_init_rcu() can not be called here while holding pernet->lock spinlock.
Many thanks to Eulgyu Kim for providing a repro and testing our patches.
Deeper analysis
CVE-2026-23169 is a race condition vulnerability in the Linux kernel's Multipath TCP (MPTCP) implementation, specifically within the mptcp_pm_nl_flush_addrs_doit() function. The function uses list_splice_init(), which is not RCU-ready, and this leads to crashes in related functions such as mptcp_pm_nl_get_local_id() and mptcp_pm_nl_is_backup(). list_splice_init_rcu() cannot be used as an alternative because the function holds the pernet->lock spinlock at that point. The vulnerability was reported by syzbot and Eulgyu Kim. It has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization).
A local attacker with low privileges can exploit this vulnerability due to its low attack complexity and lack of user interaction requirements. Successful exploitation may result in high-impact confidentiality, integrity, and availability violations, manifesting as kernel crashes or potential memory corruption that could enable privilege escalation or denial of service.
Mitigation involves applying the upstream kernel patches provided in the stable repository, including commits 1f1b9523527df02685dde603f20ff6e603d8e4a1, 338d40bab283da2639780ee3e458fb61f1567d8c, 455e882192c9833f176f3fbbbb2f036b6c5bf555, 51223bdd0f60b06cfc7f25885c4d4be917adba94, and 7896dbe990d56d5bb8097863b2645355633665eb. Eulgyu Kim provided a reproducer and assisted in testing these fixes.
Details
- CWE(s)