CVE-2024-26781: 
Linux Debian vulnerability analysis and mitigation

CVE-2024-26781 is a vulnerability in the Linux kernel's MPTCP (Multipath TCP) subsystem that affects the subflow diagnostic functionality. The vulnerability was discovered and reported by Syzbot and Eric Dumazet, and was publicly disclosed in early 2024. The issue affects multiple versions of the Linux kernel, including versions 5.10.211, 5.15.150, 6.1.80, and versions from 6.6.19 up to 6.6.21 and 6.7.7 up to 6.7.9 (NVD).

The vulnerability involves a possible circular locking dependency in the subflow diagnostic functionality of MPTCP. The issue occurs when attempting to acquire a socket lock (k-sklock-AFINET6) while already holding a hash table lock (h->lhash2[i].lock), creating a potential deadlock situation. The vulnerability was assigned a CVSS v3.1 base score of 5.5 (MEDIUM) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can lead to a potential deadlock in the Linux kernel's MPTCP subsystem, specifically affecting the diagnostic functionality. This could result in system availability issues when attempting to use MPTCP diagnostic tools (Kernel Patch).

The vulnerability has been fixed in the Linux kernel through a patch that prevents dumping extended information for MPTCP subflow listeners, as this information was not particularly useful and caused the lock dependency issue. The fix was implemented by adding a check for TCP_LISTEN state and returning early in such cases (Kernel Patch). The fix has been backported to various stable kernel versions, including 5.10.216-1 for Debian systems (Debian LTS).