CVE-2024-40931: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-40931 affects the Linux kernel's MPTCP (Multipath TCP) implementation. The vulnerability was discovered on July 12, 2024, and involves an uninitialized variable issue in the MPTCP connection handling. Specifically, the snd_una variable is left uninitialized during connection establishment, which can be triggered by syzkaller during retransmission after fallback and before processing any incoming packets (NVD).

The vulnerability is classified as CWE-908 (Use of Uninitialized Resource) with a CVSS v3.1 base score of 5.5 (Medium). The issue occurs in the mptcpstreamconnect function where snduna is not properly initialized together with sndnxt and write_seq during connection establishment. This vulnerability affects multiple versions of the Linux kernel, including versions from 5.16 to 6.9.6 (NVD).

The vulnerability has been rated with a Medium severity impact. While there is no direct impact on confidentiality or integrity, it can affect the availability of the system. The uninitialized variable could lead to unexpected behavior during MPTCP connection handling (NVD).

The issue has been fixed by explicitly initializing snduna together with sndnxt and write_seq during connection establishment. The fix has been implemented in various Linux kernel versions, including 6.8.0-44.44 for Ubuntu 24.04 LTS and 5.15.0-121.131 for Ubuntu 22.04 LTS (Ubuntu).