Christoph Paasch

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the initialization of `snd una` in the Linux kernel's mptcp module. It is strictly related to a commit that ensures `snd nxt` is properly initialized on connect. The problem arises when syzkaller triggers a retransmit after fallback and before processing any other incoming packet, leaving `snd una` uninitialized. The issue is addressed by explicitly initializing `snd una` together with `snd nxt` and `write seq`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.6.37 Description: The issue is related to the mptcp component of the Linux kernel, where the `snd nxt` variable is not properly initialized on connect, leading to potential corruption of `snd una` values. When fallback to TCP happens early on a client socket, `snd nxt` is not yet initialized, and any incoming ack will copy such value into `snd una`. If the mptcp worker tries mptcp-level re-injection after such ack, it would unconditionally trigger a send buffer cleanup using 'bad' `snd una` values. This could potentially cause issues, but the impact is considered very low to zero in practice. Recommendations: To resolve the issue, update the Linux kernel to version 6.6.37 or later. As a temporary workaround, consider disabling re-injection for fallback sockets to minimize the risk of exploitation. However, this workaround is not necessary if the kernel is updated to the fixed version.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.37 **Description** The Linux kernel has a vulnerability that allows the socket state check at accept time to be relaxed. This issue was reported by Christoph and is caused by the reproducer invoking shutdown() before entering the listener status. After a specific commit, the child process can reach the accept syscall in FIN WAIT1 status. Eric noted that the existing assertion in inet accept() can be relaxed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.0-rc5-gcd8bdf563d46 **Description** The issue arises from the TCP sockets and MPTCP subflows building egress packets larger than 64K, exceeding the maximum DSS data size. This results in the length being misrepresent on the wire and the stream being corrupted. The problem is observed on the receiver and is caused by the ` mptcp move skbs from subflow` function. The issue can be addressed by explicitly bounding the maximum GSO size to what MPTCP actually allows. **Recommendations** To resolve the issue, update the Linux kernel to a version that includes the fix for the maximum GSO size. At the moment, there is no information about a newer version that contains a fix for this vulnerability.