CVE-2026-23169 Overview
A race condition has been identified in the Linux kernel's Multipath TCP (MPTCP) path manager, in the netlink handler mptcp_pm_nl_flush_addrs_doit(). syzbot and Eulgyu Kim reported crashes in mptcp_pm_nl_get_local_id() and mptcp_pm_nl_is_backup(), two functions that walk the path manager's local address list under RCU read-side protection.
The root cause is the use of list_splice_init() in that handler. list_splice_init() is not RCU (Read-Copy-Update) ready: it relinks the entries and reinitialises the source list head without waiting for readers that are already traversing the list. The RCU-ready alternative, list_splice_init_rcu(), drains existing readers through a caller-supplied synchronisation callback (synchronize_rcu()), which sleeps and therefore cannot be called while holding the pernet->lock spinlock. That constraint is why the fix could not be a one-line substitution.
Critical Impact
The reported impact is a kernel crash, that is, a denial of service, on systems where MPTCP is enabled and the path manager's address list is read while it is being flushed.
Affected Products
- Linux kernel with MPTCP (Multipath TCP) enabled
- Systems utilizing MPTCP path manager netlink operations
- Multiple Linux kernel versions (see kernel commit references for specific versions)
Discovery Timeline
- 2026-02-14 - CVE CVE-2026-23169 published to NVD
- 2026-02-19 - Last updated in NVD database
Technical Details for CVE-2026-23169
Vulnerability Analysis
This race condition vulnerability occurs in the MPTCP path manager's netlink address flushing operation. The MPTCP subsystem in Linux implements multipath capabilities allowing TCP connections to use multiple network paths simultaneously. The path manager component handles address announcements and management through netlink interfaces.
When mptcp_pm_nl_flush_addrs_doit() is invoked, it takes pernet->lock and uses list_splice_init() to move every entry of the local address list onto a temporary free list in one operation. Readers such as mptcp_pm_nl_get_local_id() and mptcp_pm_nl_is_backup() walk the same list under rcu_read_lock() and, per the RCU contract, expect the writer to use RCU-aware list primitives.
list_splice_init() breaks that contract. It repoints the last entry's next pointer at the destination list head and reinitialises the source head immediately, without waiting for a grace period. A reader that was pre-empted in the middle of the list resumes, follows the rewritten pointer onto the destination head, and treats it as an address entry. list_splice_init_rcu() avoids this by emptying the source head first and then calling a caller-supplied sync callback (synchronize_rcu()) before relinking, so readers still inside the old list finish on the old head. Because synchronize_rcu() sleeps, it cannot run under the pernet->lock spinlock, which is why the fix could not simply swap one call for the other.
Root Cause
The vulnerability's root cause is a writer/reader mismatch in mptcp_pm_nl_flush_addrs_doit(): the flush modifies the local address list with list_splice_init(), a non-RCU primitive, while concurrent readers traverse the same list under RCU read-side protection. The failing sequence is:
- A reader enters rcu_read_lock() and begins traversing the list
- The flush relinks the entries and reinitialises the list head without waiting for a grace period
- The reader follows the rewritten pointers off the end of the list it started on and dereferences memory that is not an address entry, crashing the kernel
Because list_splice_init_rcu() cannot be called while holding the pernet->lock spinlock, fixing the race means changing how the flush detaches entries rather than swapping one call for the other.
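To make the mechanism concrete, the following user-space model (an added example, not code from the kernel or from the CVE fix) re-implements the list primitives with the semantics of include/linux/list.h and models a pre-empted RCU reader as a cursor saved mid-traversal. It shows that after list_splice_init() the resumed reader walks onto the destination head, whereas list_splice_init_rcu() drains the reader during its sync step before relinking. The list names, the reader bookkeeping and the sync callback (which here simply runs the pending reader where the kernel would call synchronize_rcu()) are illustrative assumptions.

```c
/* Added example, not kernel code: a user-space model of list_splice_init() vs
 * list_splice_init_rcu() against an RCU reader pre-empted mid-traversal. List
 * primitives follow include/linux/list.h; list names and reader bookkeeping are illustrative. */
#include <stdio.h>
struct list_head { struct list_head *next, *prev; };
static void INIT_LIST_HEAD(struct list_head *l) { l->next = l->prev = l; }
static int list_empty(const struct list_head *h) { return h->next == h; }

static void list_add_tail(struct list_head *n, struct list_head *head)
{
	n->next = head; n->prev = head->prev;
	head->prev->next = n; head->prev = n;
}

static int list_count(const struct list_head *h)
{
	int n = 0;
	for (const struct list_head *p = h->next; p != h; p = p->next) n++;
	return n;
}

/* Kernel __list_splice(): link the run first..last between @head and @next. */
static void relink(struct list_head *first, struct list_head *last,
		   struct list_head *head, struct list_head *next)
{
	last->next = next; next->prev = last;	/* the old tail now leaves its list */
	head->next = first; first->prev = head;
}

/* Non-RCU splice: relink and reinitialise at once; nothing waits for readers inside @list. */
static void list_splice_init(struct list_head *list, struct list_head *head)
{
	if (list_empty(list))
		return;
	relink(list->next, list->prev, head, head->next);
	INIT_LIST_HEAD(list);
}

/* RCU-ready splice (shape of __list_splice_init_rcu()): empty @list, drain old readers, relink. */
static void list_splice_init_rcu(struct list_head *list, struct list_head *head,
				 void (*sync_fn)(void))
{
	struct list_head *first = list->next, *last = list->prev;

	if (list_empty(list))
		return;
	INIT_LIST_HEAD(list);	/* old entries still terminate at @list */
	sync_fn();		/* synchronize_rcu() in the kernel: it sleeps */
	relink(first, last, head, head->next);
}

enum reader_result { READER_OK, READER_HIT_FOREIGN_HEAD };
struct outcome { enum reader_result result; int entries_seen, moved, left; };
struct reader {			/* a list_for_each_entry_rcu() loop caught mid-walk */
	struct list_head *cursor;			/* position when pre-empted */
	const struct list_head *head, *foreign;	/* loop end; writer's destination head */
	int entries;
	enum reader_result result;
};
static struct reader g_reader;

static void reader_finish(struct reader *r)
{
	for (r->entries = 0; r->cursor != r->head; r->entries++, r->cursor = r->cursor->next)
		if (r->cursor == r->foreign) {	/* kernel: list_entry() on the free-list head */
			r->result = READER_HIT_FOREIGN_HEAD;
			return;
		}
	r->result = READER_OK;
}
static void sync_drain_reader(void) { reader_finish(&g_reader); }

/* Three entries, a reader pre-empted right after reading head->next, then a flush. */
static struct outcome run_flush(int rcu_ready)
{
	struct list_head e[3], addrs, free_list;	/* pernet list; flush destination */

	INIT_LIST_HEAD(&addrs);
	INIT_LIST_HEAD(&free_list);
	for (int i = 0; i < 3; i++)
		list_add_tail(&e[i], &addrs);
	g_reader = (struct reader){ .cursor = addrs.next, .head = &addrs, .foreign = &free_list };
	if (rcu_ready) {
		list_splice_init_rcu(&addrs, &free_list, sync_drain_reader);
	} else {
		list_splice_init(&addrs, &free_list);	/* under the spinlock, no wait */
		reader_finish(&g_reader);		/* resumes on rewritten pointers */
	}
	return (struct outcome){ g_reader.result, g_reader.entries,
				 list_count(&free_list), list_count(&addrs) };
}

int main(void)
{
	struct outcome a = run_flush(0), b = run_flush(1);
	printf("non-RCU: result %d after %d entries; RCU: result %d, %d moved, %d left\n",
	       a.result, a.entries_seen, b.result, b.moved, b.left);
	return 0;
}
```

In the non-RCU run the reader visits all three entries and then lands on free_list, a head that belongs to the writer and is not an address entry; in the kernel that is the point where list_entry() yields a bogus pointer. In the RCU-ready run the reader drains during the sync step and stops on the original head, and only then are the entries relinked, which is exactly the step that needs a sleeping synchronize_rcu() and so cannot happen under pernet->lock.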
Attack Vector
The attack vector is local. Hitting the race requires two things on the same host at the same time: MPTCP connection activity that makes the kernel look up local addresses, and a flush of the path manager's endpoints through the MPTCP generic netlink interface. The flush is an administrative command, gated by CAP_NET_ADMIN in the network namespace that owns the path manager state; where unprivileged user namespaces are enabled, an unprivileged user can obtain that capability in a namespace of their own. An attacker in that position could:
- Initiate concurrent MPTCP connections that trigger address lookups via mptcp_pm_nl_get_local_id() or mptcp_pm_nl_is_backup()
- Simultaneously invoke the address flush operation through netlink
- Race the operations to trigger the vulnerable code path
- Cause kernel crashes through corrupted list traversals
No malicious actor is needed: an administrator who flushes endpoints while MPTCP connections are being set up can hit the same crash, so the race is also a stability risk in busy MPTCP deployments.
Detection Methods for CVE-2026-23169
Indicators of Compromise
- Kernel panic or oops messages referencing mptcp_pm_nl_get_local_id() or mptcp_pm_nl_is_backup() functions
- System instability or unexpected reboots on systems with active MPTCP connections
- Crash dumps indicating list corruption in MPTCP path manager subsystem
- Kernel log entries showing list corruption warnings (with CONFIG_DEBUG_LIST) or KASAN reports that name MPTCP path manager code
Detection Strategies
- Monitor kernel logs for oops traces naming MPTCP path manager functions, and for RCU stall or soft-lockup warnings, which a reader spinning on a corrupted list can produce
- Implement kernel crash dump analysis to identify MPTCP path manager corruption patterns
- Inventory running kernel versions, including applied live patches, against your distribution's advisory for this CVE to find unpatched systems
- Use runtime kernel integrity monitoring to detect list corruption events
Monitoring Recommendations
- Enable kernel crash dump collection (kdump) so that an oops in MPTCP code is preserved for analysis rather than lost in the reboot
- Configure system monitoring for unexpected MPTCP-related kernel panics
- Record who issues endpoint flushes (for example ip mptcp endpoint flush) through command auditing; the kernel does not log path manager netlink requests itself
- Implement automated alerting for kernel oops events containing MPTCP stack traces
How to Mitigate CVE-2026-23169
Immediate Actions Required
- Update the Linux kernel to a patched version that includes the fix for the race condition
- Consider temporarily disabling MPTCP on critical systems if patching is not immediately possible
- Watch kernel logs for the crash signatures listed above until patches are applied
- Review and limit access to MPTCP netlink interfaces where possible
Patch Information
Multiple Linux kernel commits address this vulnerability. They replace the list_splice_init() call in mptcp_pm_nl_flush_addrs_doit() with handling that is safe against concurrent RCU readers, since list_splice_init_rcu() cannot be used while pernet->lock is held.
The following kernel commits contain the fix:
- Commit 1f1b9523527d
- Commit 338d40bab283
- Commit 455e882192c9
- Commit 51223bdd0f60
- Commit 7896dbe990d5
- Commit e2a9eeb69f7d
System administrators should update to the latest stable kernel version for their distribution that includes these fixes.
Workarounds
- Disable MPTCP by setting net.mptcp.enabled=0 via sysctl if it is not required; the setting is per network namespace, and applications that open IPPROTO_MPTCP sockets will then fail with ENOPROTOOPT unless they fall back to plain TCP
- Limit who holds CAP_NET_ADMIN over the affected network namespaces; where unprivileged user namespaces are not needed, disabling them (for example user.max_user_namespaces=0) removes the easiest route for an unprivileged user to obtain that capability
- Avoid running endpoint flushes (ip mptcp endpoint flush) on hosts while MPTCP connections are being established; the race is only open while a flush is in progress
- Consider using kernel live patching solutions if available for your distribution
# Disable MPTCP temporarily as a workaround (run as root; applies to the current network namespace)
sysctl -w net.mptcp.enabled=0
# Make the change persistent across reboots (overwrite, do not append, so repeated runs stay idempotent)
printf 'net.mptcp.enabled = 0\n' > /etc/sysctl.d/99-disable-mptcp.conf
# Verify the live value
sysctl net.mptcp.enabled
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.