PT-2025-8602 · Linux+3 · Linux Kernel+3

Paolo Abeni · Published 2022-06-28 · Updated 2025-02-27 · CVE-2022-49669

CVSS v3.1: 7.8 High

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Linux kernel (affected versions not specified)

Description

A race condition in the Linux kernel's mptcp socket handling can lead to a use-after-free (UaF) access. This occurs when the listener socket owning a relevant request is closed, freeing unaccepted subflows and causing the deletion of paired MPTCP sockets. If the mptcp socket's worker runs during this time interval, accessing msk->first can result in a UaF access because the subflow cleanup did not clear this field in the mptcp socket.

Recommendations

To address this issue, explicitly traverse the listener socket accept queue at close time and perform the needed cleanup on the pending msk. Ensure that the locking is properly handled by acquiring the msk socket lock while still owning the subflow socket one. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Use After Free

Weakness Enumeration

Related Identifiers

BDU:2025-04419
CESA-2022_7683
CVE-2022-49669
RHSA-2022:7683
RHSA-2022:8267
RHSA-2022_7683
RHSA-2022_8267

Affected Products

Astra Linux
CentOS
Linux Kernel
Red Hat