CVE-2022-49669

HIGH 7.8

mptcp: fix race on unaccepted mptcp sockets

CVSS Score

7.8

EPSS Score

0.0%

EPSS Percentile

0th

In the Linux kernel, the following vulnerability has been resolved: mptcp: fix race on unaccepted mptcp sockets When the listener socket owning the relevant request is closed, it frees the unaccepted subflows and that causes later deletion of the paired MPTCP sockets. The mptcp socket's worker can run in the time interval between such delete operations. When that happens, any access to msk->first will cause an UaF access, as the subflow cleanup did not cleared such field in the mptcp socket. Address the issue explicitly traversing the listener socket accept queue at close time and performing the needed cleanup on the pending msk. Note that the locking is a bit tricky, as we need to acquire the msk socket lock, while still owning the subflow socket one.

Vendor	linux
Product	linux
Ecosystems	Linux Kernel
Industries	Technology
Published	Feb 26, 2025
Last Updated	May 11, 2026

Stay Ahead of the Next One

Get instant alerts for linux linux

Be the first to know when new high vulnerabilities affecting linux linux are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Linux / Linux

86e39e04482b0aadf3ee3ed5fcf2d63816559d36 < a8a3e95c74e48c2c9b07b81fafda9122993f2e12 86e39e04482b0aadf3ee3ed5fcf2d63816559d36 < 6aeed9045071f2252ff4e98fc13d1e304f33e5b0

Linux / Linux

5.17

References

NVD ↗ CVE.org ↗ EPSS Data ↗

git.kernel.org: https://git.kernel.org/stable/c/a8a3e95c74e48c2c9b07b81fafda9122993f2e12 git.kernel.org: https://git.kernel.org/stable/c/6aeed9045071f2252ff4e98fc13d1e304f33e5b0