External risk intelligence

Linux kernel flaw can allow attackers to take control of systems.

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-31669

An external attacker can exploit a memory error in the Linux kernel via network traffic to crash the system or gain administrative control. This could lead to unexpected service outages and unauthorized access to critical infrastructure.

Halo Surface Signal score: 3

Use After Free

Linux Kernel

Affected versions:

  • 5.12.1 to before 5.15.203
  • 5.16 to before 6.1.169
  • 6.2 to before 6.6.135
  • 6.7 to before 6.12.82
  • 6.13 to before 6.18.23
  • 6.19 to before 6.19.13
  • 5.127.0

External exposure likelihood

Halo Surface Signal score for CVE-2026-31669

This vulnerability resides in the kernel's network stack, in the code that handles MPTCP traffic. While Linux kernels are widely deployed on internet-facing systems, this networking feature is a protocol-level component rather than a public-facing application or edge gateway. It is reachable by an attacker with network access to the host, but it is not a component designed to be exposed as a public-facing portal.

Horizon Alert

Summary of the vulnerability and why it matters

A critical issue in the Linux kernel's networking component could allow attackers to corrupt memory, potentially leading to system instability or compromise. This vulnerability stems from how MPTCP handles certain network connections, allowing improper memory management during lookups.

  • Affects Linux kernel's MPTCP.
  • Exploitation can lead to crashes.
  • Requires network access to exploit.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this use-after-free flaw in the Linux kernel's MPTCP implementation by creating specific network conditions. This would target the kernel's internal socket handling during MPTCP IPv6 subflow setup. By triggering concurrent lookups and memory reuse, an attacker could crash the system or potentially achieve code execution within the kernel.

  • Network access required
  • MPTCP IPv6 subflow creation
  • Kernel memory corruption

Live Threat

Current exploitation, exposure, and threat context

This use-after-free in the Linux kernel's MPTCP implementation could allow an attacker to achieve remote code execution. The vulnerability is in a critical kernel component, making it attractive for exploitation if a reliable method to trigger it is found, especially given its network-reachable nature. Attackers generally favor kernel vulnerabilities due to their high potential impact, but the complexity of MPTCP and kernel memory management may pose a barrier to weaponization.

  • Unclear if exploit exists.
  • KEV not listed.
  • Recently patched.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching Linux kernel instances affected by the slab-use-after-free vulnerability in MPTCP, as it allows for remote code execution or denial of service. Given the critical severity and network accessibility, immediate containment or isolation is crucial if patching is delayed. Monitor network traffic for signs of exploitation targeting MPTCP subflow connections.

  • Apply kernel patches; specific versions are noted in advisories.
  • Isolate or disable MPTCP services if patching is delayed.
  • Monitor for unusual MPTCP connection activity.
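The three remediation bullets above map onto two checks an operator can script: is the running kernel inside one of the affected ranges this page lists, and is MPTCP enabled on the host at all. The POSIX shell script below is an added example written for this page, not tooling from the advisory's publisher or from the kernel project. It transcribes the page's "X to before Y" ranges into a table, normalizes a `uname -r` string such as `6.8.0-45-generic` down to its dotted numeric prefix, and reads the kernel's `net.mptcp.enabled` sysctl through procfs; the page's trailing `5.127.0` entry is ambiguous and is deliberately left out of the table. All sample release strings in the comments are constructed.

```shell
#!/bin/sh
# Added example, not part of the advisory: compare a kernel release string
# against the affected ranges listed on this page and report the MPTCP state.
# Ranges are transcribed from the page as "first_affected fixed_in"; the
# page's trailing "5.127.0" entry is ambiguous and is deliberately not encoded.
AFFECTED_RANGES='
5.12.1 5.15.203
5.16 6.1.169
6.2 6.6.135
6.7 6.12.82
6.13 6.18.23
6.19 6.19.13
'

# normalize "6.8.0-45-generic" -> "6.8.0": keep only the leading dotted digits
normalize() {
    printf '%s\n' "$1" | sed 's/^\([0-9]*\(\.[0-9]*\)*\).*/\1/'
}

# vercmp A B: prints -1, 0 or 1; a missing component counts as 0 (6.6 == 6.6.0)
vercmp() {
    i=1
    while :; do
        x=$(printf '%s.' "$1" | cut -d. -f"$i")
        y=$(printf '%s.' "$2" | cut -d. -f"$i")
        if [ -z "$x" ] && [ -z "$y" ]; then printf '0\n'; return; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '1\n'; return; fi
        i=$((i + 1))
    done
}

# is_affected KERNEL_RELEASE: succeeds if first_affected <= release < fixed_in
# for any listed range; a release equal to the fixed version is not affected
is_affected() {
    v=$(normalize "$1")
    printf '%s\n' "$AFFECTED_RANGES" | while read -r lo hi; do
        [ -z "$lo" ] && continue
        if [ "$(vercmp "$v" "$lo")" -ge 0 ] && [ "$(vercmp "$v" "$hi")" -lt 0 ]; then
            printf 'hit\n'
        fi
    done | grep -q hit
}

# mptcp_enabled [PATH]: value of net.mptcp.enabled read via procfs,
# "unknown" when the file is absent (MPTCP not built, or not a Linux host)
mptcp_enabled() {
    f="${1:-/proc/sys/net/mptcp/enabled}"
    if [ -r "$f" ]; then cat "$f"; else printf 'unknown\n'; fi
}

# report [KERNEL_RELEASE]: one-line summary for the running (or given) kernel
report() {
    k="${1:-$(uname -r)}"
    if is_affected "$k"; then
        s="IN AFFECTED RANGE - patch, or disable MPTCP until patched"
    else
        s="not in a listed range"
    fi
    printf 'kernel %s: %s; net.mptcp.enabled=%s\n' "$k" "$s" "$(mptcp_enabled)"
}

report
```

Run it as root on each host to be triaged, or feed it release strings from an inventory (`report 6.6.134-generic`). The result is a version-range check, not proof of exposure: distribution kernels routinely backport fixes without bumping the upstream version, so a host reported as "in affected range" should be confirmed against the vendor's own advisory before it is escalated, and a host with `net.mptcp.enabled=0` has no MPTCP listener to reach regardless of version. Where patching is delayed, the "disable MPTCP" bullet corresponds to `sysctl -w net.mptcp.enabled=0`, which the script's last field lets you verify took effect.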

Frequently asked questions

What is the Linux kernel and MPTCP?

The Linux kernel is the core of the Linux operating system, managing hardware and software resources. MPTCP, or Multipath TCP, is an extension to the TCP protocol that allows a single connection to use multiple network paths simultaneously, potentially improving performance and reliability.

What kind of weakness does CVE-2026-31669 describe?

CVE-2026-31669 describes a slab-use-after-free vulnerability. A use-after-free occurs when code continues to access memory that has already been freed; the "slab" prefix indicates the freed object lived in the kernel's slab allocator, which serves fixed-size kernel objects such as sockets. Depending on what the allocator reuses that memory for, the result can be a crash, unintended behavior, or in some cases an opportunity for an attacker to execute code.

What conditions are needed to trigger this Linux kernel vulnerability?

To trigger this vulnerability, an attacker must be able to initiate MPTCP IPv6 subflow child socket creation. The bug is not triggered if the kernel's slab cache for TCPv6 sockets is correctly registered before MPTCP attempts to use it.

Who should be concerned about CVE-2026-31669?

Organizations running Linux kernels that handle MPTCP traffic, especially those with internet-facing systems, should be concerned. While not a direct public-facing application, its network reachability means it could be targeted by attackers with network access.

What are the first steps for responding to this Linux kernel threat?

The primary response is to apply the relevant Linux kernel patches as soon as possible. If immediate patching is not feasible, consider isolating or disabling MPTCP services to mitigate the risk.
