CVE-2024-35840 in Linux
Summary
by MITRE • 05/17/2024
In the Linux kernel, the following vulnerability has been resolved:
mptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect()
subflow_finish_connect() uses four fields (backup, join_id, thmac, none) that may contain garbage unless OPTION_MPTCP_MPJ_SYNACK has been set in mptcp_parse_option()
Analysis
by VulDB Data Team • 09/25/2025
The vulnerability CVE-2024-35840 resides in the Linux kernel's Multipath TCP implementation, specifically the mptcp subsystem that lets a single TCP connection use several network paths concurrently. The flaw is in the subflow_finish_connect() function, where four fields (backup, join_id, thmac and none) are used without proper initialization or validation. These fields may still hold residual data or garbage values when the function runs, creating a security risk that malicious actors could attempt to exploit.
The technical root cause lies in how the results of MPTCP option parsing in mptcp_parse_option() are consumed: that function sets OPTION_MPTCP_MPJ_SYNACK when it has parsed the corresponding option, but subflow_finish_connect() accessed the four fields without first checking that the flag had been set. This is a classic uninitialized-memory-use pattern, in which the kernel acts on data that was never explicitly initialized, leading to unpredictable behavior with possible security implications. The vulnerability is a weakness in the kernel's memory-management and validation practices within the MPTCP protocol implementation that handles multipath connections.
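A user-space model of this bug pattern, added here as an illustration and not taken from the kernel: a parser that fills the MP_JOIN SYN/ACK fields only when that option is present on the wire (kind 30, MP_JOIN subtype 1, 16-byte SYN/ACK form per RFC 8684), a consumer that reads the fields without checking OPTION_MPTCP_MPJ_SYNACK, and the checked form that corresponds to the fix. The struct layout, the flag's bit value and the function names are assumptions, and only three of the four fields named in the commit message are modelled.

```c
#include <stdint.h>
#include <stddef.h>

#define TCPOPT_MPTCP             30        /* TCP option kind for MPTCP (RFC 8684) */
#define MPTCPOPT_MP_JOIN         1         /* MP_JOIN subtype, high nibble of byte 2 */
#define TCPOLEN_MPTCP_MPJ_SYNACK 16        /* SYN/ACK form: 8-byte trunc. HMAC + 4-byte nonce */
#define OPTION_MPTCP_MPJ_SYNACK  (1u << 0) /* flag name from the commit; bit value assumed */

/* Model of the parsed-options struct (assumed layout); field names from the commit message. */
struct mp_opts {
    uint32_t flags;            /* which MPTCP options the parser actually saw */
    uint8_t  backup, join_id;
    uint64_t thmac;
};

/* Walk TCP options; the MP_JOIN SYN/ACK fields are written only if that option is present.
 * Only the flags word is reset, so stale data fields survive: this is the bug pattern. */
static void parse_options(const uint8_t *buf, size_t len, struct mp_opts *o)
{
    size_t i = 0;
    o->flags = 0;
    while (i + 1 < len) {
        uint8_t kind = buf[i], olen = buf[i + 1];
        if (kind == 0) break;                  /* end of option list */
        if (kind == 1) { i++; continue; }      /* NOP */
        if (olen < 2 || i + olen > len) break; /* malformed length: stop parsing */
        if (kind == TCPOPT_MPTCP && olen == TCPOLEN_MPTCP_MPJ_SYNACK &&
            (buf[i + 2] >> 4) == MPTCPOPT_MP_JOIN) {
            o->backup  = buf[i + 2] & 1;       /* B flag in the low bit */
            o->join_id = buf[i + 3];           /* receiver's address ID */
            o->thmac   = 0;
            for (int k = 0; k < 8; k++)        /* truncated HMAC, big-endian */
                o->thmac = (o->thmac << 8) | buf[i + 4 + k];
            o->flags |= OPTION_MPTCP_MPJ_SYNACK;
        }
        i += olen;
    }
}

/* Unchecked consumer: trusts the fields whether or not the option was parsed (the bug). */
static int finish_connect_unchecked(const struct mp_opts *o, uint8_t *join_id)
{ *join_id = o->join_id; return 0; }

/* Checked consumer: the fields are meaningful only if the parser set the flag (the fix). */
static int finish_connect_checked(const struct mp_opts *o, uint8_t *join_id)
{
    if (!(o->flags & OPTION_MPTCP_MPJ_SYNACK)) return -1;  /* no option seen: refuse */
    *join_id = o->join_id; return 0;
}
```

With a struct still holding values from an earlier packet and a SYN/ACK that carries no MP_JOIN option, the unchecked consumer happily returns the stale join_id while the checked one rejects the packet.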
The operational impact of this vulnerability extends beyond simple functional instability to potentially enable sophisticated attack vectors within network environments. An attacker could exploit this weakness to manipulate MPTCP connection establishment processes, potentially leading to connection hijacking, data corruption, or unauthorized access to network resources. The vulnerability affects systems running Linux kernels with MPTCP support, particularly those handling multipath TCP connections where multiple network paths are utilized simultaneously. This could be especially problematic in enterprise environments where high availability and redundant network connections are common, as the exploitation could disrupt critical network services or provide attackers with covert channels for data exfiltration.
Mitigation strategies for this vulnerability should focus on applying the latest kernel patches that properly initialize the affected fields before use, ensuring that OPTION_MPTCP_MPJ_SYNACK is correctly set during option parsing. System administrators should prioritize updating their Linux kernel versions to include the fix, particularly in environments where MPTCP functionality is actively used. Additionally, network monitoring should be enhanced to detect anomalous MPTCP connection behaviors that might indicate exploitation attempts. The vulnerability aligns with CWE-457: Use of Uninitialized Variable, and could potentially map to ATT&CK techniques involving privilege escalation through kernel exploitation or network protocol manipulation. Organizations should implement comprehensive patch management procedures to ensure all systems running Linux kernels with MPTCP support receive timely updates to address this security gap and maintain network integrity.