{
  "threat_severity" : "Low",
  "public_date" : "2026-03-25T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: mptcp: pm: in-kernel: always mark signal+subflow endp as used",
    "id" : "2451159",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2451159"
  },
  "cvss3" : {
    "cvss3_base_score" : "3.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
    "status" : "draft"
  },
  "cwe" : "CWE-911",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmptcp: pm: in-kernel: always mark signal+subflow endp as used\nSyzkaller managed to find a combination of actions that was generating\nthis warning:\nmsk->pm.local_addr_used == 0\nWARNING: net/mptcp/pm_kernel.c:1071 at __mark_subflow_endp_available net/mptcp/pm_kernel.c:1071 [inline], CPU#1: syz.2.17/961\nWARNING: net/mptcp/pm_kernel.c:1071 at mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_kernel.c:1103 [inline], CPU#1: syz.2.17/961\nWARNING: net/mptcp/pm_kernel.c:1071 at mptcp_pm_nl_del_addr_doit+0x81d/0x8f0 net/mptcp/pm_kernel.c:1210, CPU#1: syz.2.17/961\nModules linked in:\nCPU: 1 UID: 0 PID: 961 Comm: syz.2.17 Not tainted 6.19.0-08368-gfafda3b4b06b #22 PREEMPT(full)\nHardware name: QEMU Ubuntu 25.10 PC v2 (i440FX + PIIX, + 10.1 machine, 1996), BIOS 1.17.0-debian-1.17.0-1build1 04/01/2014\nRIP: 0010:__mark_subflow_endp_available net/mptcp/pm_kernel.c:1071 [inline]\nRIP: 0010:mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_kernel.c:1103 [inline]\nRIP: 0010:mptcp_pm_nl_del_addr_doit+0x81d/0x8f0 net/mptcp/pm_kernel.c:1210\nCode: 89 c5 e8 46 30 6f fe e9 21 fd ff ff 49 83 ed 80 e8 38 30 6f fe 4c 89 ef be 03 00 00 00 e8 db 49 df fe eb ac e8 24 30 6f fe 90 <0f> 0b 90 e9 1d ff ff ff e8 16 30 6f fe eb 05 e8 0f 30 6f fe e8 9a\nRSP: 0018:ffffc90001663880 EFLAGS: 00010293\nRAX: ffffffff82de1a6c RBX: 0000000000000000 RCX: ffff88800722b500\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: ffff8880158b22d0 R08: 0000000000010425 R09: ffffffffffffffff\nR10: ffffffff82de18ba R11: 0000000000000000 R12: ffff88800641a640\nR13: ffff8880158b1880 R14: ffff88801ec3c900 R15: ffff88800641a650\nFS:  00005555722c3500(0000) GS:ffff8880f909d000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f66346e0f60 CR3: 000000001607c000 CR4: 0000000000350ef0\nCall Trace:\n<TASK>\ngenl_family_rcv_msg_doit+0x117/0x180 net/netlink/genetlink.c:1115\ngenl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\ngenl_rcv_msg+0x3a8/0x3f0 net/netlink/genetlink.c:1210\nnetlink_rcv_skb+0x16d/0x240 net/netlink/af_netlink.c:2550\ngenl_rcv+0x28/0x40 net/netlink/genetlink.c:1219\nnetlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\nnetlink_unicast+0x3e9/0x4c0 net/netlink/af_netlink.c:1344\nnetlink_sendmsg+0x4aa/0x5b0 net/netlink/af_netlink.c:1894\nsock_sendmsg_nosec net/socket.c:727 [inline]\n__sock_sendmsg+0xc9/0xf0 net/socket.c:742\n____sys_sendmsg+0x272/0x3b0 net/socket.c:2592\n___sys_sendmsg+0x2de/0x320 net/socket.c:2646\n__sys_sendmsg net/socket.c:2678 [inline]\n__do_sys_sendmsg net/socket.c:2683 [inline]\n__se_sys_sendmsg net/socket.c:2681 [inline]\n__x64_sys_sendmsg+0x110/0x1a0 net/socket.c:2681\ndo_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\ndo_syscall_64+0x143/0x440 arch/x86/entry/syscall_64.c:94\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f66346f826d\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffc83d8bdc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f6634985fa0 RCX: 00007f66346f826d\nRDX: 00000000040000b0 RSI: 0000200000000740 RDI: 0000000000000007\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007f6634985fa8\nR13: 00007f6634985fac R14: 0000000000000000 R15: 0000000000001770\n</TASK>\nThe actions that caused that seem to be:\n- Set the MPTCP subflows limit to 0\n- Create an MPTCP endpoint with both the 'signal' and 'subflow' flags\n- Create a new MPTCP connection from a different address: an ADD_ADDR\nlinked to the MPTCP endpoint will be sent ('signal' flag), but no\nsubflows is initiated ('subflow' flag)\n- Remove the MPTCP endpoint\n---truncated---" ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23321\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23321\nhttps://lore.kernel.org/linux-cve-announce/2026032530-CVE-2026-23321-6059@gregkh/T" ],
  "name" : "CVE-2026-23321",
  "csaw" : false
}