CVE-2024-26708 in Linux
Summary
by MITRE • 04/03/2024
In the Linux kernel, the following vulnerability has been resolved:
mptcp: really cope with fastopen race
Fastopen and PM-trigger subflow shutdown can race, as reported by syzkaller.
In my first attempt to close such race, I missed the fact that the subflow status can change again before the subflow_state_change callback is invoked.
Address the issue additionally copying with all the states directly reachable from TCP_FIN_WAIT1.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 08/03/2025
The vulnerability CVE-2024-26708 addresses a critical race condition within the Linux kernel's Multipath TCP implementation that specifically affects the handling of Fast Open connections combined with PM-triggered subflow shutdown operations. This issue was identified through systematic fuzzing by the syzkaller framework, which revealed a timing vulnerability in the kernel's multipath TCP subsystem. The vulnerability manifests when Fast Open functionality interacts with the shutdown of subflows that were initiated through Path Manager triggering, creating a scenario where concurrent operations can lead to inconsistent kernel state management.
The technical flaw stems from an insufficient race condition handling mechanism in the MPTCP implementation where the kernel fails to properly account for all possible state transitions that can occur between the detection of a shutdown condition and the invocation of the subflow_state_change callback function. The original fix attempt was inadequate because it did not consider that the subflow status could undergo additional state changes during the critical window before the callback execution, leading to a potential mismatch between expected and actual kernel state. This particular vulnerability affects the TCP_FIN_WAIT1 state and all directly reachable states that can be transitioned to from this condition, creating multiple pathways for inconsistent behavior during subflow termination.
The operational impact of this vulnerability extends beyond simple connectivity issues as it can potentially lead to kernel memory corruption, system instability, or even privilege escalation depending on the exploitation context. Attackers could leverage this race condition to cause denial of service conditions in systems heavily utilizing multipath TCP connections, particularly in high-performance networking environments where Fast Open and multipath capabilities are actively deployed. The vulnerability is especially concerning in server environments where multipath TCP is used for load balancing across multiple network paths, as it could allow malicious actors to disrupt network services or potentially gain unauthorized access to system resources.
Mitigation strategies should focus on applying the patched kernel version that implements the corrected state copying mechanism for all reachable states from TCP_FIN_WAIT1, ensuring that the subflow state changes are properly synchronized regardless of timing conditions. System administrators should prioritize kernel updates and monitor for any signs of instability in multipath TCP environments, particularly those utilizing Fast Open features. The vulnerability aligns with CWE-362, which addresses race conditions in concurrent programming, and maps to ATT&CK technique T1059.001 for privilege escalation through kernel exploits, though the primary impact remains in system stability and availability rather than direct lateral movement capabilities. Organizations should conduct thorough testing of updated kernels in production environments to ensure compatibility with existing multipath TCP configurations while maintaining network service availability during the remediation process.