CVE-2026-31669
Published: 24 April 2026
Summary
CVE-2026-31669 is a critical-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the slab-use-after-free in MPTCP IPv6 subflows by requiring timely patching of the affected Linux kernel to inherit SLAB_TYPESAFE_BY_RCU properly.
Memory protection techniques like KASLR and supervisor-mode execution prevention hinder exploitation of the use-after-free during concurrent lockless ehash lookups.
Vulnerability scanning identifies the MPTCP kernel flaw in CVE-2026-31669, enabling prioritization of remediation before remote exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated UAF in Linux kernel MPTCP/IPv6 stack enables network-triggered code execution or DoS against systems accepting TCP connections, directly mapping to exploitation of public-facing apps or remote services.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: mptcp: fix slab-use-after-free in __inet_lookup_established The ehash table lookups are lockless and rely on SLAB_TYPESAFE_BY_RCU to guarantee socket memory stability during RCU read-side critical sections. Both tcp_prot and tcpv6_prot have…
more
their slab caches created with this flag via proto_register(). However, MPTCP's mptcp_subflow_init() copies tcpv6_prot into tcpv6_prot_override during inet_init() (fs_initcall, level 5), before inet6_init() (module_init/device_initcall, level 6) has called proto_register(&tcpv6_prot). At that point, tcpv6_prot.slab is still NULL, so tcpv6_prot_override.slab remains NULL permanently. This causes MPTCP v6 subflow child sockets to be allocated via kmalloc (falling into kmalloc-4k) instead of the TCPv6 slab cache. The kmalloc-4k cache lacks SLAB_TYPESAFE_BY_RCU, so when these sockets are freed without SOCK_RCU_FREE (which is cleared for child sockets by design), the memory can be immediately reused. Concurrent ehash lookups under rcu_read_lock can then access freed memory, triggering a slab-use-after-free in __inet_lookup_established. Fix this by splitting the IPv6-specific initialization out of mptcp_subflow_init() into a new mptcp_subflow_v6_init(), called from mptcp_proto_v6_init() before protocol registration. This ensures tcpv6_prot_override.slab correctly inherits the SLAB_TYPESAFE_BY_RCU slab cache.
Deeper analysisAI
CVE-2026-31669 is a slab-use-after-free vulnerability in the Linux kernel's MPTCP (Multipath TCP) implementation, specifically affecting IPv6 subflow child sockets during ehash table lookups in __inet_lookup_established. The issue arises because MPTCP's mptcp_subflow_init() copies the tcpv6_prot structure before inet6_init() registers it, leaving tcpv6_prot_override.slab as NULL. This causes subflow sockets to allocate from the kmalloc-4k cache, which lacks SLAB_TYPESAFE_BY_RCU, instead of the proper TCPv6 slab cache. Without SOCK_RCU_FREE protection, freed socket memory can be immediately reused, allowing concurrent lockless lookups under rcu_read_lock to access invalid memory.
Network-adjacent or remote attackers require no privileges or user interaction to exploit this vulnerability, as indicated by its CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Exploitation involves triggering concurrent ehash lookups on MPTCP IPv6 subflows, leading to use-after-free access that could result in denial of service, data corruption, or potential code execution depending on memory reuse patterns.
Mitigation requires updating to a patched Linux kernel version incorporating the provided stable commit fixes, such as https://git.kernel.org/stable/c/15fa9ead4d5e6b6b9c794e84144146c917f2cb62 and related commits (3fd6547f5b8ac99687be6d937a0321efda760597, 9b55b253907e7431210483519c5ad711a37dafa1, b313e9037d98c13938740e5ebda7852929366dff, eb9c6aeb512f877cf397deb1e4526f646c70e4a7). These patches refactor IPv6-specific initialization into mptcp_subflow_v6_init(), called before protocol registration to ensure proper SLAB_TYPESAFE_BY_RCU inheritance.
Details
- CWE(s)