CVE-2024-57882: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-57882 is a vulnerability in the Linux kernel's MPTCP (Multipath TCP) implementation, discovered and reported by Syzbot. The vulnerability was disclosed on January 15, 2025, affecting Linux kernel versions from 5.15 up to 6.13-rc3. The issue involves a TCP options overflow condition that could lead to memory corruption (NVD).

The vulnerability stems from a buggy MPTCP option length computation where the ADDADDR option incorrectly interacts with DSS (Data Sequence Signal) options. When both options are present, the ADDADDR option attempts to set information in mptcpoutoptions even when DSS is present. Since these options share union fields, this leads to corruption of the DSS binary layout. In worst-case scenarios, this corruption can exceed the computed length and potentially overwrite the skb shared info (Kernel Patch). The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can result in a general protection fault and potential system crash due to memory corruption. The issue manifests as a null pointer dereference and can lead to denial of service conditions in affected systems (NVD).

The issue has been fixed in the Linux kernel through a patch that enforces mutual exclusion between ADDADDR and DSS options in the mptcpestablishedoptionsadd_addr() function. The fix has been backported to multiple stable kernel versions (Kernel Patch). Users are advised to update their Linux kernel to a patched version.