CVE-2026-23169 in Linuxinfo

Summary

by MITRE • 02/14/2026

In the Linux kernel, the following vulnerability has been resolved:

mptcp: fix race in mptcp_pm_nl_flush_addrs_doit()

syzbot and Eulgyu Kim reported crashes in mptcp_pm_nl_get_local_id() and/or mptcp_pm_nl_is_backup()

Root cause is list_splice_init() in mptcp_pm_nl_flush_addrs_doit() which is not RCU ready.

list_splice_init_rcu() can not be called here while holding pernet->lock spinlock.

Many thanks to Eulgyu Kim for providing a repro and testing our patches.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 05/05/2026

The vulnerability identified as CVE-2026-23169 represents a critical race condition within the Linux kernel's Multipath TCP (MPTCP) implementation, specifically affecting the mptcp_pm_nl_flush_addrs_doit() function. This flaw exists in the kernel's networking subsystem and particularly impacts the MPTCP protocol manager's network layer operations. The issue manifests as system crashes and instability when handling multipath TCP connections, with reported crashes occurring in related functions mptcp_pm_nl_get_local_id() and mptcp_pm_nl_is_backup() that are part of the same vulnerable code path. The root cause stems from improper synchronization mechanisms within the kernel's locking framework, where a spinlock is held while attempting to perform an RCU-aware operation that cannot be safely executed under such locking conditions.

The technical flaw occurs when list_splice_init() is invoked within mptcp_pm_nl_flush_addrs_doit() without proper RCU readiness, creating a scenario where the function attempts to manipulate a list structure while holding the pernet->lock spinlock. This violates fundamental kernel locking principles and creates a race condition that can lead to memory corruption and system crashes. The function list_splice_init_rcu() cannot be called in this context because the RCU grace period requirements cannot be satisfied while a spinlock is held, as the RCU mechanism requires specific synchronization protocols that conflict with spinlock acquisition. This improper synchronization pattern creates a dangerous state where concurrent access to network data structures can result in corrupted memory references and unpredictable behavior.

The operational impact of this vulnerability extends beyond simple system crashes to potentially enable privilege escalation and denial of service conditions within networked environments. Systems running Linux kernels with affected MPTCP implementations are at risk of experiencing spontaneous reboots, network connection disruptions, and potential data corruption during high-traffic network operations. The vulnerability affects network infrastructure devices, servers, and any system utilizing MPTCP for enhanced network connectivity, particularly in environments where multipath networking is actively used. Attackers could potentially exploit this race condition to cause persistent service disruption or gain elevated privileges through carefully crafted network traffic patterns that trigger the vulnerable code path.

Mitigation strategies for CVE-2026-23169 require immediate kernel updates from vendors that include the patched implementation of the mptcp_pm_nl_flush_addrs_doit() function with proper RCU synchronization. System administrators should prioritize applying security patches from their respective Linux distributions and monitor for any related kernel updates that address similar synchronization issues within the MPTCP subsystem. Organizations using custom kernel builds should ensure their MPTCP implementations include proper locking mechanisms and RCU compliance. The fix involves restructuring the code to ensure that RCU-aware operations occur outside of spinlock-protected sections, typically by reordering operations or using appropriate synchronization primitives such as RCU read locks. This vulnerability aligns with CWE-362, which describes race conditions in concurrent programming, and represents a specific instance of improper locking that could be categorized under ATT&CK technique T1059 for privilege escalation through kernel exploitation. Regular kernel security audits should be conducted to identify similar synchronization issues in other network subsystem components, as the underlying race condition pattern suggests potential for additional vulnerabilities in related kernel networking functions.

Responsible

Linux

Reservation

01/13/2026

Disclosure

02/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00129

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!