Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to vulnerabilities
Critical

Linux kernel MPTCP slab use-after-free in __inet_lookup_established

IdentifiersCVE-2026-31669CWE-416· Use After Free

CVE-2026-31669 is a Linux kernel memory-safety vulnerability in MPTCP affecting IPv6 subflow child socket handling. The bug arises because mptcp_subflow_init() copies tcpv6_prot into tcpv6_prot_override during inet_init(), before inet6_init() has registered tcpv6_prot via proto_register(). At that point tcpv6_prot.slab is still NULL, so tcpv6_prot_override.slab remains NULL permanently. As a result, MPTCP IPv6 subflow child sockets are allocated from the generic kmalloc-4k cache instead of the TCPv6 protocol slab cache. Linux ehash established-socket lookups in __inet_lookup_established are lockless and depend on socket allocations coming from a SLAB_TYPESAFE_BY_RCU slab to preserve object memory stability during RCU read-side critical sections. Because kmalloc-4k does not provide SLAB_TYPESAFE_BY_RCU, and child sockets are freed without SOCK_RCU_FREE by design, concurrent ehash lookups under rcu_read_lock can dereference memory that has already been freed and potentially reused, leading to a slab use-after-free in __inet_lookup_established. The fix splits IPv6-specific setup into mptcp_subflow_v6_init(), invoked from mptcp_proto_v6_init() before protocol registration, ensuring tcpv6_prot_override.slab inherits the correct SLAB_TYPESAFE_BY_RCU-backed slab cache.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can cause concurrent lockless socket-table lookups to access freed and potentially reallocated socket memory in kernel context. The primary impact is kernel memory corruption and system instability, including crashes or denial of service. Because the flaw is a kernel use-after-free on network-reachable code paths and the CNA/NVD score indicates high confidentiality, integrity, and availability impact, arbitrary code execution in kernel context or other severe compromise may be possible, although the provided content does not include a public exploit primitive or proof of code execution.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by disabling MPTCP, especially IPv6 MPTCP subflows, or disabling IPv6 where operationally feasible. Limit untrusted network reachability to affected systems and services that exercise MPTCP socket handling. These are compensating controls only; the authoritative mitigation is to install a fixed kernel.

Remediation

Patch, then assume compromise.

Apply a Linux kernel version containing the upstream fix for CVE-2026-31669. The remediation is to move the IPv6-specific MPTCP subflow initialization out of mptcp_subflow_init() into mptcp_subflow_v6_init(), called from mptcp_proto_v6_init() before protocol registration, so that tcpv6_prot_override.slab is initialized from the properly registered tcpv6_prot slab cache with SLAB_TYPESAFE_BY_RCU. Deploy vendor kernel updates from affected distributions, such as the referenced SUSE security advisories, and reboot into the patched kernel after installation.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
LinuxLinux Kerneloperating_system
Rocky LinuxKerneloperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

9 sources tracked across advisories and community write-ups. News coverage will land here when it surfaces.

9 SOURCESView more in app

No news coverage yet. Advisories and community discussion only.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity2

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-31669
NVD
nvd.nist.gov/vuln/detail/CVE-2026-31669
MITRE CWE · CWE-416
Use After Free
Patch
git.kernel.org/stable/c/15fa9ead4d5e6b6b9c794e84144146c917f2cb62
Patch
git.kernel.org/stable/c/3fd6547f5b8ac99687be6d937a0321efda760597
Patch
git.kernel.org/stable/c/9b55b253907e7431210483519c5ad711a37dafa1
Patch
git.kernel.org/stable/c/b313e9037d98c13938740e5ebda7852929366dff
Patch
git.kernel.org/stable/c/eb9c6aeb512f877cf397deb1e4526f646c70e4a7
Patch
git.kernel.org/stable/c/f6e1f25fa5e733570f6d6fe37a4dfed2a0deba47
Patch
git.kernel.org/stable/c/fb1f54b7d16f393b8b65d328410f78b4beea8fcc