CVE-2024-36889 in Linuxinfo

Summary

by MITRE • 05/30/2024

In the Linux kernel, the following vulnerability has been resolved:

mptcp: ensure snd_nxt is properly initialized on connect

Christoph reported a splat hinting at a corrupted snd_una:

WARNING: CPU: 1 PID: 38 at net/mptcp/protocol.c:1005 __mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005 Modules linked in: CPU: 1 PID: 38 Comm: kworker/1:1 Not tainted 6.9.0-rc1-gbbeac67456c9 #59 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014 Workqueue: events mptcp_worker RIP: 0010:__mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005 Code: be 06 01 00 00 bf 06 01 00 00 e8 a8 12 e7 fe e9 00 fe ff ff e8 8e 1a e7 fe 0f b7 ab 3e 02 00 00 e9 d3 fd ff ff e8 7d 1a e7 fe <0f> 0b 4c 8b bb e0 05 00 00 e9 74 fc ff ff e8 6a 1a e7 fe 0f 0b e9 RSP: 0018:ffffc9000013fd48 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff8881029bd280 RCX: ffffffff82382fe4 RDX: ffff8881003cbd00 RSI: ffffffff823833c3 RDI: 0000000000000001 RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: fefefefefefefeff R12: ffff888138ba8000 R13: 0000000000000106 R14: ffff8881029bd908 R15: ffff888126560000 FS: 0000000000000000(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f604a5dae38 CR3: 0000000101dac002 CR4: 0000000000170ef0 Call Trace: <TASK> __mptcp_clean_una_wakeup net/mptcp/protocol.c:1055 [inline]
mptcp_clean_una_wakeup net/mptcp/protocol.c:1062 [inline]
__mptcp_retrans+0x7f/0x7e0 net/mptcp/protocol.c:2615 mptcp_worker+0x434/0x740 net/mptcp/protocol.c:2767 process_one_work+0x1e0/0x560 kernel/workqueue.c:3254 process_scheduled_works kernel/workqueue.c:3335 [inline]
worker_thread+0x3c7/0x640 kernel/workqueue.c:3416 kthread+0x121/0x170 kernel/kthread.c:388 ret_from_fork+0x44/0x50 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243 </TASK>

When fallback to TCP happens early on a client socket, snd_nxt is not yet initialized and any incoming ack will copy such value into snd_una. If the mptcp worker (dumbly) tries mptcp-level re-injection after such ack, that would unconditionally trigger a send buffer cleanup using 'bad' snd_una values.

We could easily disable re-injection for fallback sockets, but such dumb behavior already helped catching a few subtle issues and a very low to zero impact in practice.

Instead address the issue always initializing snd_nxt (and write_seq, for consistency) at connect time.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 12/17/2025

The vulnerability described in CVE-2024-36889 affects the Linux kernel's Multipath TCP implementation, specifically within the MPTCP protocol handling code. This issue stems from improper initialization of the snd_nxt variable during connection establishment, which leads to corrupted send sequence numbers that can cause kernel panics and system instability. The problem manifests when fallback to standard TCP occurs early in the connection process, where the snd_nxt field remains uninitialized while incoming acknowledgments attempt to copy values into snd_una, resulting in corrupted state information that triggers kernel warnings and potential system crashes.

The technical flaw resides in the MPTCP protocol implementation where the snd_nxt field, which tracks the next sequence number to be sent, is not properly initialized at connection time. This initialization gap becomes critical when the MPTCP worker thread attempts to perform retransmission operations after an early fallback to TCP, as it uses these uninitialized values to calculate send buffer cleanup operations. The kernel's mptcp_clean_una function, which is part of the protocol's cleanup mechanism, receives corrupted snd_una values that cause it to trigger kernel warnings and potentially lead to system crashes. This behavior is particularly dangerous because it can occur during normal network operations and may not be easily detectable by standard monitoring tools.

The operational impact of this vulnerability extends beyond simple system instability to potentially compromise the reliability of network services that depend on MPTCP functionality. When the kernel encounters corrupted sequence numbers during retransmission operations, it generates kernel oops messages and system warnings that indicate memory corruption or invalid state conditions. This can lead to complete system crashes, especially in environments where MPTCP is actively used for high-performance networking or in embedded systems where such failures could result in service disruption. The vulnerability affects systems running Linux kernel versions where MPTCP is enabled, particularly those with early fallback scenarios from MPTCP to standard TCP protocols.

The recommended mitigation strategy involves ensuring proper initialization of the snd_nxt field and associated write_seq field during connection establishment, rather than attempting to disable re-injection behavior which could mask other underlying issues. This approach aligns with security best practices for kernel-level protocol implementations and follows the principle of least privilege by ensuring all state variables are properly initialized before use. The fix addresses the root cause by guaranteeing that all sequence number tracking fields are initialized at connection time, preventing the propagation of uninitialized values that could lead to kernel memory corruption. This solution maintains the existing re-injection functionality that has proven useful for detecting subtle protocol issues while ensuring that the fundamental initialization problem is resolved.

This vulnerability relates to CWE-248, Uncaught Exception, and CWE-682, Incorrect Calculation, as it involves improper handling of uninitialized data and incorrect sequence number calculations within the kernel's networking stack. The issue also maps to ATT&CK technique T1499.004, Endpoint Detection Evasion, as the kernel panic conditions could potentially be exploited to disrupt system availability or hide malicious activity by causing system instability. The fix demonstrates proper defensive programming practices by ensuring all protocol state variables are initialized before being used in critical operations, which is essential for maintaining kernel stability and preventing potential denial-of-service conditions that could affect network availability.

Disclosure

05/30/2024

Moderation

accepted

CPE

ready

EPSS

0.00267

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!