Bug 2134380 (CVE-2022-4128) - CVE-2022-4128 kernel: mptcp: NULL pointer dereference in subflow traversal at disconnect time
Summary: CVE-2022-4128 kernel: mptcp: NULL pointer dereference in subflow traversal at...
Status: NEW
Alias: CVE-2022-4128
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 2137858 2145214 2145215 2145216
Blocks: 2121459
TreeView+ depends on / blocked
Reported: 2022-10-13 10:08 UTC by Mauro Matteo Cascella
Modified: 2023-01-17 14:23 UTC (History)
35 users (show)

Fixed In Version: kernel 5.19
Doc Type: If docs needed, set a value
Doc Text:
A NULL pointer dereference issue was discovered in the Linux kernel. This issue occurs in the MPTCP protocol when traversing the subflow list at disconnect time. A local user could potentially crash the system, causing a denial of service.
Clone Of:
Last Closed:

Attachments (Terms of Use)

Description Mauro Matteo Cascella 2022-10-13 10:08:39 UTC
At disconnect time the MPTCP protocol traverse the subflows list closing each of them. In some circumstances - MPJ subflow, passive MPTCP socket, the latter operation can remove the subflow from the list, invalidating the current iterator. This could lead to a NULL pointer dereference issue.

Upstream patch & commit:

Comment 5 Mauro Matteo Cascella 2022-11-23 14:23:59 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2145216]

Comment 6 Justin M. Forbes 2022-11-30 20:06:12 UTC
This was fixed for Fedora with the 5.18.13 stable kernel updates.

Note You need to log in before you can comment on or make changes to this bug.