{"api_version":"1","generated_at":"2026-04-25T19:25:05+00:00","cve":"CVE-2026-23321","urls":{"html":"https://cve.report/CVE-2026-23321","api":"https://cve.report/api/cve/CVE-2026-23321.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-23321","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-23321"},"summary":{"title":"mptcp: pm: in-kernel: always mark signal+subflow endp as used","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: pm: in-kernel: always mark signal+subflow endp as used\n\nSyzkaller managed to find a combination of actions that was generating\nthis warning:\n\n  msk->pm.local_addr_used == 0\n  WARNING: net/mptcp/pm_kernel.c:1071 at __mark_subflow_endp_available net/mptcp/pm_kernel.c:1071 [inline], CPU#1: syz.2.17/961\n  WARNING: net/mptcp/pm_kernel.c:1071 at mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_kernel.c:1103 [inline], CPU#1: syz.2.17/961\n  WARNING: net/mptcp/pm_kernel.c:1071 at mptcp_pm_nl_del_addr_doit+0x81d/0x8f0 net/mptcp/pm_kernel.c:1210, CPU#1: syz.2.17/961\n  Modules linked in:\n  CPU: 1 UID: 0 PID: 961 Comm: syz.2.17 Not tainted 6.19.0-08368-gfafda3b4b06b #22 PREEMPT(full)\n  Hardware name: QEMU Ubuntu 25.10 PC v2 (i440FX + PIIX, + 10.1 machine, 1996), BIOS 1.17.0-debian-1.17.0-1build1 04/01/2014\n  RIP: 0010:__mark_subflow_endp_available net/mptcp/pm_kernel.c:1071 [inline]\n  RIP: 0010:mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_kernel.c:1103 [inline]\n  RIP: 0010:mptcp_pm_nl_del_addr_doit+0x81d/0x8f0 net/mptcp/pm_kernel.c:1210\n  Code: 89 c5 e8 46 30 6f fe e9 21 fd ff ff 49 83 ed 80 e8 38 30 6f fe 4c 89 ef be 03 00 00 00 e8 db 49 df fe eb ac e8 24 30 6f fe 90 <0f> 0b 90 e9 1d ff ff ff e8 16 30 6f fe eb 05 e8 0f 30 6f fe e8 9a\n  RSP: 0018:ffffc90001663880 EFLAGS: 00010293\n  RAX: ffffffff82de1a6c RBX: 0000000000000000 RCX: ffff88800722b500\n  RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n  RBP: ffff8880158b22d0 R08: 0000000000010425 R09: ffffffffffffffff\n  R10: ffffffff82de18ba R11: 0000000000000000 R12: ffff88800641a640\n  R13: ffff8880158b1880 R14: ffff88801ec3c900 R15: ffff88800641a650\n  FS:  00005555722c3500(0000) GS:ffff8880f909d000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007f66346e0f60 CR3: 000000001607c000 CR4: 0000000000350ef0\n  Call Trace:\n   <TASK>\n   genl_family_rcv_msg_doit+0x117/0x180 net/netlink/genetlink.c:1115\n   genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\n   genl_rcv_msg+0x3a8/0x3f0 net/netlink/genetlink.c:1210\n   netlink_rcv_skb+0x16d/0x240 net/netlink/af_netlink.c:2550\n   genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219\n   netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\n   netlink_unicast+0x3e9/0x4c0 net/netlink/af_netlink.c:1344\n   netlink_sendmsg+0x4aa/0x5b0 net/netlink/af_netlink.c:1894\n   sock_sendmsg_nosec net/socket.c:727 [inline]\n   __sock_sendmsg+0xc9/0xf0 net/socket.c:742\n   ____sys_sendmsg+0x272/0x3b0 net/socket.c:2592\n   ___sys_sendmsg+0x2de/0x320 net/socket.c:2646\n   __sys_sendmsg net/socket.c:2678 [inline]\n   __do_sys_sendmsg net/socket.c:2683 [inline]\n   __se_sys_sendmsg net/socket.c:2681 [inline]\n   __x64_sys_sendmsg+0x110/0x1a0 net/socket.c:2681\n   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n   do_syscall_64+0x143/0x440 arch/x86/entry/syscall_64.c:94\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n  RIP: 0033:0x7f66346f826d\n  Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48\n  RSP: 002b:00007ffc83d8bdc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\n  RAX: ffffffffffffffda RBX: 00007f6634985fa0 RCX: 00007f66346f826d\n  RDX: 00000000040000b0 RSI: 0000200000000740 RDI: 0000000000000007\n  RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6634985fa8\n  R13: 00007f6634985fac R14: 0000000000000000 R15: 0000000000001770\n   </TASK>\n\nThe actions that caused that seem to be:\n\n - Set the MPTCP subflows limit to 0\n - Create an MPTCP endpoint with both the 'signal' and 'subflow' flags\n - Create a new MPTCP connection from a different address: an ADD_ADDR\n   linked to the MPTCP endpoint will be sent ('signal' flag), but no\n   subflows is initiated ('subflow' flag)\n - Remove the MPTCP endpoint\n\n---truncated---","state":"PUBLISHED","assigner":"Linux","published_at":"2026-03-25 11:16:28","updated_at":"2026-04-23 21:05:32"},"problem_types":["NVD-CWE-Other"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"5.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}}],"references":[{"url":"https://git.kernel.org/stable/c/198824ccfa64ffebd918bf99c939bd8170a4a4d8","name":"https://git.kernel.org/stable/c/198824ccfa64ffebd918bf99c939bd8170a4a4d8","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/67f34ab318807989b57dfdb0f79e2d4e57018290","name":"https://git.kernel.org/stable/c/67f34ab318807989b57dfdb0f79e2d4e57018290","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/05799c2f1ca5eb13d65764dda688d02021b65e06","name":"https://git.kernel.org/stable/c/05799c2f1ca5eb13d65764dda688d02021b65e06","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/579a752464a64cb5f9139102f0e6b90a1f595ceb","name":"https://git.kernel.org/stable/c/579a752464a64cb5f9139102f0e6b90a1f595ceb","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/c5c877e140e5f46023a74a51e577ce5edd0a4be7","name":"https://git.kernel.org/stable/c/c5c877e140e5f46023a74a51e577ce5edd0a4be7","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/a64aa7db39392add5be09dffaedbf1f0ce5554df","name":"https://git.kernel.org/stable/c/a64aa7db39392add5be09dffaedbf1f0ce5554df","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-23321","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23321","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected d93cf38fad9f66397093432b8917971a92ee0146 c5c877e140e5f46023a74a51e577ce5edd0a4be7 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 64815ba15880ce5f99df075fa4104fef170ac7e5 05799c2f1ca5eb13d65764dda688d02021b65e06 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 85df533a787bf07bf4367ce2a02b822ff1fba1a3 67f34ab318807989b57dfdb0f79e2d4e57018290 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 85df533a787bf07bf4367ce2a02b822ff1fba1a3 a64aa7db39392add5be09dffaedbf1f0ce5554df git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 85df533a787bf07bf4367ce2a02b822ff1fba1a3 198824ccfa64ffebd918bf99c939bd8170a4a4d8 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 85df533a787bf07bf4367ce2a02b822ff1fba1a3 579a752464a64cb5f9139102f0e6b90a1f595ceb git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 0f21cc29bc13e86512621727a4388c8a7ad2716b git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.11","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.11 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.167 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.130 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.78 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.17 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.7 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"23321","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["net/mptcp/pm_kernel.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"c5c877e140e5f46023a74a51e577ce5edd0a4be7","status":"affected","version":"d93cf38fad9f66397093432b8917971a92ee0146","versionType":"git"},{"lessThan":"05799c2f1ca5eb13d65764dda688d02021b65e06","status":"affected","version":"64815ba15880ce5f99df075fa4104fef170ac7e5","versionType":"git"},{"lessThan":"67f34ab318807989b57dfdb0f79e2d4e57018290","status":"affected","version":"85df533a787bf07bf4367ce2a02b822ff1fba1a3","versionType":"git"},{"lessThan":"a64aa7db39392add5be09dffaedbf1f0ce5554df","status":"affected","version":"85df533a787bf07bf4367ce2a02b822ff1fba1a3","versionType":"git"},{"lessThan":"198824ccfa64ffebd918bf99c939bd8170a4a4d8","status":"affected","version":"85df533a787bf07bf4367ce2a02b822ff1fba1a3","versionType":"git"},{"lessThan":"579a752464a64cb5f9139102f0e6b90a1f595ceb","status":"affected","version":"85df533a787bf07bf4367ce2a02b822ff1fba1a3","versionType":"git"},{"status":"affected","version":"0f21cc29bc13e86512621727a4388c8a7ad2716b","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["net/mptcp/pm_kernel.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.11"},{"lessThan":"6.11","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.167","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.130","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.78","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.17","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.7","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.167","versionStartIncluding":"6.1.106","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.130","versionStartIncluding":"6.6.46","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.78","versionStartIncluding":"6.11","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.17","versionStartIncluding":"6.11","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.7","versionStartIncluding":"6.11","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"6.11","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.10.5","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: pm: in-kernel: always mark signal+subflow endp as used\n\nSyzkaller managed to find a combination of actions that was generating\nthis warning:\n\n  msk->pm.local_addr_used == 0\n  WARNING: net/mptcp/pm_kernel.c:1071 at __mark_subflow_endp_available net/mptcp/pm_kernel.c:1071 [inline], CPU#1: syz.2.17/961\n  WARNING: net/mptcp/pm_kernel.c:1071 at mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_kernel.c:1103 [inline], CPU#1: syz.2.17/961\n  WARNING: net/mptcp/pm_kernel.c:1071 at mptcp_pm_nl_del_addr_doit+0x81d/0x8f0 net/mptcp/pm_kernel.c:1210, CPU#1: syz.2.17/961\n  Modules linked in:\n  CPU: 1 UID: 0 PID: 961 Comm: syz.2.17 Not tainted 6.19.0-08368-gfafda3b4b06b #22 PREEMPT(full)\n  Hardware name: QEMU Ubuntu 25.10 PC v2 (i440FX + PIIX, + 10.1 machine, 1996), BIOS 1.17.0-debian-1.17.0-1build1 04/01/2014\n  RIP: 0010:__mark_subflow_endp_available net/mptcp/pm_kernel.c:1071 [inline]\n  RIP: 0010:mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_kernel.c:1103 [inline]\n  RIP: 0010:mptcp_pm_nl_del_addr_doit+0x81d/0x8f0 net/mptcp/pm_kernel.c:1210\n  Code: 89 c5 e8 46 30 6f fe e9 21 fd ff ff 49 83 ed 80 e8 38 30 6f fe 4c 89 ef be 03 00 00 00 e8 db 49 df fe eb ac e8 24 30 6f fe 90 <0f> 0b 90 e9 1d ff ff ff e8 16 30 6f fe eb 05 e8 0f 30 6f fe e8 9a\n  RSP: 0018:ffffc90001663880 EFLAGS: 00010293\n  RAX: ffffffff82de1a6c RBX: 0000000000000000 RCX: ffff88800722b500\n  RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n  RBP: ffff8880158b22d0 R08: 0000000000010425 R09: ffffffffffffffff\n  R10: ffffffff82de18ba R11: 0000000000000000 R12: ffff88800641a640\n  R13: ffff8880158b1880 R14: ffff88801ec3c900 R15: ffff88800641a650\n  FS:  00005555722c3500(0000) GS:ffff8880f909d000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007f66346e0f60 CR3: 000000001607c000 CR4: 0000000000350ef0\n  Call Trace:\n   <TASK>\n   genl_family_rcv_msg_doit+0x117/0x180 net/netlink/genetlink.c:1115\n   genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\n   genl_rcv_msg+0x3a8/0x3f0 net/netlink/genetlink.c:1210\n   netlink_rcv_skb+0x16d/0x240 net/netlink/af_netlink.c:2550\n   genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219\n   netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\n   netlink_unicast+0x3e9/0x4c0 net/netlink/af_netlink.c:1344\n   netlink_sendmsg+0x4aa/0x5b0 net/netlink/af_netlink.c:1894\n   sock_sendmsg_nosec net/socket.c:727 [inline]\n   __sock_sendmsg+0xc9/0xf0 net/socket.c:742\n   ____sys_sendmsg+0x272/0x3b0 net/socket.c:2592\n   ___sys_sendmsg+0x2de/0x320 net/socket.c:2646\n   __sys_sendmsg net/socket.c:2678 [inline]\n   __do_sys_sendmsg net/socket.c:2683 [inline]\n   __se_sys_sendmsg net/socket.c:2681 [inline]\n   __x64_sys_sendmsg+0x110/0x1a0 net/socket.c:2681\n   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n   do_syscall_64+0x143/0x440 arch/x86/entry/syscall_64.c:94\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n  RIP: 0033:0x7f66346f826d\n  Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48\n  RSP: 002b:00007ffc83d8bdc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\n  RAX: ffffffffffffffda RBX: 00007f6634985fa0 RCX: 00007f66346f826d\n  RDX: 00000000040000b0 RSI: 0000200000000740 RDI: 0000000000000007\n  RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6634985fa8\n  R13: 00007f6634985fac R14: 0000000000000000 R15: 0000000000001770\n   </TASK>\n\nThe actions that caused that seem to be:\n\n - Set the MPTCP subflows limit to 0\n - Create an MPTCP endpoint with both the 'signal' and 'subflow' flags\n - Create a new MPTCP connection from a different address: an ADD_ADDR\n   linked to the MPTCP endpoint will be sent ('signal' flag), but no\n   subflows is initiated ('subflow' flag)\n - Remove the MPTCP endpoint\n\n---truncated---"}],"providerMetadata":{"dateUpdated":"2026-04-13T06:04:30.241Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/c5c877e140e5f46023a74a51e577ce5edd0a4be7"},{"url":"https://git.kernel.org/stable/c/05799c2f1ca5eb13d65764dda688d02021b65e06"},{"url":"https://git.kernel.org/stable/c/67f34ab318807989b57dfdb0f79e2d4e57018290"},{"url":"https://git.kernel.org/stable/c/a64aa7db39392add5be09dffaedbf1f0ce5554df"},{"url":"https://git.kernel.org/stable/c/198824ccfa64ffebd918bf99c939bd8170a4a4d8"},{"url":"https://git.kernel.org/stable/c/579a752464a64cb5f9139102f0e6b90a1f595ceb"}],"title":"mptcp: pm: in-kernel: always mark signal+subflow endp as used","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-23321","datePublished":"2026-03-25T10:27:15.125Z","dateReserved":"2026-01-13T15:37:45.996Z","dateUpdated":"2026-04-13T06:04:30.241Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-03-25 11:16:28","lastModifiedDate":"2026-04-23 21:05:32","problem_types":["NVD-CWE-Other"],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.106","versionEndExcluding":"6.1.167","matchCriteriaId":"75FEAEE8-1847-4067-9D3F-081BACD0192D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.46","versionEndExcluding":"6.6.130","matchCriteriaId":"14A6EECD-9B49-41CE-8647-B8290B5D9942"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.10.5","versionEndExcluding":"6.11","matchCriteriaId":"13767DDC-103B-4D56-A645-54183332EEB1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.11.1","versionEndExcluding":"6.12.78","matchCriteriaId":"A34764B1-DEA1-40AD-A8F0-D1C5133B9ABF"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.17","matchCriteriaId":"A5E006E4-59C7-43C1-9231-62A72219F2BA"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.7","matchCriteriaId":"69245D10-0B71-485E-80C3-A64F077004D3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.11:-:*:*:*:*:*:*","matchCriteriaId":"4770BA57-3F3F-493B-8608-EC3B25254949"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"23321","Ordinal":"1","Title":"mptcp: pm: in-kernel: always mark signal+subflow endp as used","CVE":"CVE-2026-23321","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"23321","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: pm: in-kernel: always mark signal+subflow endp as used\n\nSyzkaller managed to find a combination of actions that was generating\nthis warning:\n\n  msk->pm.local_addr_used == 0\n  WARNING: net/mptcp/pm_kernel.c:1071 at __mark_subflow_endp_available net/mptcp/pm_kernel.c:1071 [inline], CPU#1: syz.2.17/961\n  WARNING: net/mptcp/pm_kernel.c:1071 at mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_kernel.c:1103 [inline], CPU#1: syz.2.17/961\n  WARNING: net/mptcp/pm_kernel.c:1071 at mptcp_pm_nl_del_addr_doit+0x81d/0x8f0 net/mptcp/pm_kernel.c:1210, CPU#1: syz.2.17/961\n  Modules linked in:\n  CPU: 1 UID: 0 PID: 961 Comm: syz.2.17 Not tainted 6.19.0-08368-gfafda3b4b06b #22 PREEMPT(full)\n  Hardware name: QEMU Ubuntu 25.10 PC v2 (i440FX + PIIX, + 10.1 machine, 1996), BIOS 1.17.0-debian-1.17.0-1build1 04/01/2014\n  RIP: 0010:__mark_subflow_endp_available net/mptcp/pm_kernel.c:1071 [inline]\n  RIP: 0010:mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_kernel.c:1103 [inline]\n  RIP: 0010:mptcp_pm_nl_del_addr_doit+0x81d/0x8f0 net/mptcp/pm_kernel.c:1210\n  Code: 89 c5 e8 46 30 6f fe e9 21 fd ff ff 49 83 ed 80 e8 38 30 6f fe 4c 89 ef be 03 00 00 00 e8 db 49 df fe eb ac e8 24 30 6f fe 90 <0f> 0b 90 e9 1d ff ff ff e8 16 30 6f fe eb 05 e8 0f 30 6f fe e8 9a\n  RSP: 0018:ffffc90001663880 EFLAGS: 00010293\n  RAX: ffffffff82de1a6c RBX: 0000000000000000 RCX: ffff88800722b500\n  RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n  RBP: ffff8880158b22d0 R08: 0000000000010425 R09: ffffffffffffffff\n  R10: ffffffff82de18ba R11: 0000000000000000 R12: ffff88800641a640\n  R13: ffff8880158b1880 R14: ffff88801ec3c900 R15: ffff88800641a650\n  FS:  00005555722c3500(0000) GS:ffff8880f909d000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007f66346e0f60 CR3: 000000001607c000 CR4: 0000000000350ef0\n  Call Trace:\n   <TASK>\n   genl_family_rcv_msg_doit+0x117/0x180 net/netlink/genetlink.c:1115\n   genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\n   genl_rcv_msg+0x3a8/0x3f0 net/netlink/genetlink.c:1210\n   netlink_rcv_skb+0x16d/0x240 net/netlink/af_netlink.c:2550\n   genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219\n   netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\n   netlink_unicast+0x3e9/0x4c0 net/netlink/af_netlink.c:1344\n   netlink_sendmsg+0x4aa/0x5b0 net/netlink/af_netlink.c:1894\n   sock_sendmsg_nosec net/socket.c:727 [inline]\n   __sock_sendmsg+0xc9/0xf0 net/socket.c:742\n   ____sys_sendmsg+0x272/0x3b0 net/socket.c:2592\n   ___sys_sendmsg+0x2de/0x320 net/socket.c:2646\n   __sys_sendmsg net/socket.c:2678 [inline]\n   __do_sys_sendmsg net/socket.c:2683 [inline]\n   __se_sys_sendmsg net/socket.c:2681 [inline]\n   __x64_sys_sendmsg+0x110/0x1a0 net/socket.c:2681\n   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n   do_syscall_64+0x143/0x440 arch/x86/entry/syscall_64.c:94\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n  RIP: 0033:0x7f66346f826d\n  Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48\n  RSP: 002b:00007ffc83d8bdc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\n  RAX: ffffffffffffffda RBX: 00007f6634985fa0 RCX: 00007f66346f826d\n  RDX: 00000000040000b0 RSI: 0000200000000740 RDI: 0000000000000007\n  RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6634985fa8\n  R13: 00007f6634985fac R14: 0000000000000000 R15: 0000000000001770\n   </TASK>\n\nThe actions that caused that seem to be:\n\n - Set the MPTCP subflows limit to 0\n - Create an MPTCP endpoint with both the 'signal' and 'subflow' flags\n - Create a new MPTCP connection from a different address: an ADD_ADDR\n   linked to the MPTCP endpoint will be sent ('signal' flag), but no\n   subflows is initiated ('subflow' flag)\n - Remove the MPTCP endpoint\n\n---truncated---","Type":"Description","Title":"mptcp: pm: in-kernel: always mark signal+subflow endp as used"}]}}}