{"id":"CVE-2024-36889","summary":"mptcp: ensure snd_nxt is properly initialized on connect","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: ensure snd_nxt is properly initialized on connect\n\nChristoph reported a splat hinting at a corrupted snd_una:\n\n  WARNING: CPU: 1 PID: 38 at net/mptcp/protocol.c:1005 __mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005\n  Modules linked in:\n  CPU: 1 PID: 38 Comm: kworker/1:1 Not tainted 6.9.0-rc1-gbbeac67456c9 #59\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014\n  Workqueue: events mptcp_worker\n  RIP: 0010:__mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005\n  Code: be 06 01 00 00 bf 06 01 00 00 e8 a8 12 e7 fe e9 00 fe ff ff e8\n  \t8e 1a e7 fe 0f b7 ab 3e 02 00 00 e9 d3 fd ff ff e8 7d 1a e7 fe\n  \t\u003c0f\u003e 0b 4c 8b bb e0 05 00 00 e9 74 fc ff ff e8 6a 1a e7 fe 0f 0b e9\n  RSP: 0018:ffffc9000013fd48 EFLAGS: 00010293\n  RAX: 0000000000000000 RBX: ffff8881029bd280 RCX: ffffffff82382fe4\n  RDX: ffff8881003cbd00 RSI: ffffffff823833c3 RDI: 0000000000000001\n  RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\n  R10: 0000000000000000 R11: fefefefefefefeff R12: ffff888138ba8000\n  R13: 0000000000000106 R14: ffff8881029bd908 R15: ffff888126560000\n  FS:  0000000000000000(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007f604a5dae38 CR3: 0000000101dac002 CR4: 0000000000170ef0\n  Call Trace:\n   \u003cTASK\u003e\n   __mptcp_clean_una_wakeup net/mptcp/protocol.c:1055 [inline]\n   mptcp_clean_una_wakeup net/mptcp/protocol.c:1062 [inline]\n   __mptcp_retrans+0x7f/0x7e0 net/mptcp/protocol.c:2615\n   mptcp_worker+0x434/0x740 net/mptcp/protocol.c:2767\n   process_one_work+0x1e0/0x560 kernel/workqueue.c:3254\n   process_scheduled_works kernel/workqueue.c:3335 [inline]\n   worker_thread+0x3c7/0x640 kernel/workqueue.c:3416\n   kthread+0x121/0x170 kernel/kthread.c:388\n   ret_from_fork+0x44/0x50 arch/x86/kernel/process.c:147\n   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243\n   \u003c/TASK\u003e\n\nWhen fallback to TCP happens early on a client socket, snd_nxt\nis not yet initialized and any incoming ack will copy such value\ninto snd_una. If the mptcp worker (dumbly) tries mptcp-level\nre-injection after such ack, that would unconditionally trigger a send\nbuffer cleanup using 'bad' snd_una values.\n\nWe could easily disable re-injection for fallback sockets, but such\ndumb behavior already helped catching a few subtle issues and a very\nlow to zero impact in practice.\n\nInstead address the issue always initializing snd_nxt (and write_seq,\nfor consistency) at connect time.","modified":"2026-03-20T12:36:50.180766Z","published":"2024-05-30T15:28:56.794Z","related":["ALSA-2024:8162","MGASA-2024-0263","MGASA-2024-0266","SUSE-SU-2024:2802-1","SUSE-SU-2024:2894-1","SUSE-SU-2024:2896-1","SUSE-SU-2024:2939-1","SUSE-SU-2024:2947-1","SUSE-SU-2024:2973-1","SUSE-SU-2025:20008-1","SUSE-SU-2025:20028-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/36xxx/CVE-2024-36889.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/39ca83ed73db9edcc6d70c0dc7a73085a4725012"},{"type":"WEB","url":"https://git.kernel.org/stable/c/592f69b41766d366dbb8ff4ef5a67c4396527bbe"},{"type":"WEB","url":"https://git.kernel.org/stable/c/99951b62bf20cec9247f633a3bea898338b9e5b4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/aa0c07c1f20e05b30019bff083ec43665536f06f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/dc941fec0719d0471a5902424d6b2a17df233193"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fb7a0d334894206ae35f023a82cad5a290fd7386"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/36xxx/CVE-2024-36889.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36889"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"8fd738049ac3d67a937d36577763b47180aae1ad"},{"fixed":"99951b62bf20cec9247f633a3bea898338b9e5b4"},{"fixed":"dc941fec0719d0471a5902424d6b2a17df233193"},{"fixed":"39ca83ed73db9edcc6d70c0dc7a73085a4725012"},{"fixed":"aa0c07c1f20e05b30019bff083ec43665536f06f"},{"fixed":"592f69b41766d366dbb8ff4ef5a67c4396527bbe"},{"fixed":"fb7a0d334894206ae35f023a82cad5a290fd7386"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-36889.json"}}],"schema_version":"1.7.5"}