PT-2026-35021 · Linux · Linux Kernel

Published: 2026-04-24 · Updated: 2026-05-26 · CVE-2026-31669

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel (affected versions not specified)
Description
A slab-use-after-free issue exists in the __inet_lookup_established() function. The problem occurs because MPTCP v6 subflow child sockets are allocated via kmalloc instead of the TCPv6 slab cache, due to an initialization order error in which tcpv6_prot_override.slab remains NULL. Because the kmalloc-4k cache lacks the SLAB_TYPESAFE_BY_RCU flag, memory can be reused immediately after being freed. Consequently, concurrent ehash lookups under rcu_read_lock() may access freed memory.
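A userspace C model of the initialization-order error described above, added here as an illustration; it is not kernel code and not part of the original advisory. It assumes the override proto is a by-value copy of the TCPv6 proto and that a NULL slab pointer makes allocation fall back to kmalloc; the cache_model and proto_model types and all function names are hypothetical.

```c
/* Userspace model of the init-order error; constructed, not kernel code. */
#include <stdio.h>

struct cache_model {
    const char *name;
    int typesafe_by_rcu;            /* models SLAB_TYPESAFE_BY_RCU */
};

struct proto_model {
    const char *name;
    struct cache_model *slab;       /* NULL until the proto is registered */
};

static struct cache_model tcpv6_cache = { "TCPv6", 1 };
static struct cache_model kmalloc_4k  = { "kmalloc-4k", 0 };

/* Registration creates the dedicated cache and stores it in the proto. */
static void register_proto(struct proto_model *p) { p->slab = &tcpv6_cache; }

/* Allocation: dedicated cache when set, generic kmalloc otherwise. */
static const struct cache_model *alloc_cache(const struct proto_model *p)
{
    return p->slab ? p->slab : &kmalloc_4k;
}

/* Returns 1 if a socket allocated through the override proto lands in a
 * typesafe-by-RCU cache, 0 if it falls back to the generic cache. */
int override_is_rcu_safe(int copy_before_register)
{
    struct proto_model tcpv6_prot = { "TCPv6", NULL };
    struct proto_model override;

    if (copy_before_register) {
        override = tcpv6_prot;          /* snapshot taken too early */
        register_proto(&tcpv6_prot);    /* base gets its slab, copy does not */
    } else {
        register_proto(&tcpv6_prot);
        override = tcpv6_prot;          /* snapshot inherits the slab */
    }
    return alloc_cache(&override)->typesafe_by_rcu;
}

int main(void)
{
    printf("copy before register: rcu-safe=%d\n", override_is_rcu_safe(1));
    printf("copy after register:  rcu-safe=%d\n", override_is_rcu_safe(0));
    return 0;
}
```

In the model, the only difference between the safe and unsafe outcomes is whether the copy is taken before or after registration, which is why the override's slab pointer is worth checking wherever a proto is cloned at init time.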
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Use After Free

Weakness Enumeration

Related Identifiers

CVE-2026-31669
ECHO-E6A5-F9D1-FE42

Affected Products

Linux Kernel