Incomplete Blacklist to Cross-Site Scripting in Linux kernel - CVE-2026-23321
Published: March 25, 2026
Vulnerability identifier: #VU124536
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23321
CWE-ID: CWE-692
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel
Linux kernel
Detailed vulnerability description
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper state management in the MPTCP subsystem when handling endpoint removal. A local user can send a specially crafted sequence of netlink commands to trigger a kernel warning and system instability.
The attacker must be able to create and remove MPTCP endpoints with specific flags and manipulate connection states, which requires access to the MPTCP netlink interface.
How to mitigate CVE-2026-23321
Install security update from vendor's repository.
Sources
- https://git.kernel.org/stable/c/05799c2f1ca5eb13d65764dda688d02021b65e06
- https://git.kernel.org/stable/c/198824ccfa64ffebd918bf99c939bd8170a4a4d8
- https://git.kernel.org/stable/c/579a752464a64cb5f9139102f0e6b90a1f595ceb
- https://git.kernel.org/stable/c/67f34ab318807989b57dfdb0f79e2d4e57018290
- https://git.kernel.org/stable/c/a64aa7db39392add5be09dffaedbf1f0ce5554df
- https://git.kernel.org/stable/c/c5c877e140e5f46023a74a51e577ce5edd0a4be7