In the Linux kernel, the following vulnerability has been resolved:
mptcp: clear 'kern' flag from fallback sockets
The mptcp ULP extension relies on sk->sksockkern being set correctly: It prevents setsockopt(fd, IPPROTOTCP, TCPULP, "mptcp", 6); from working for plain tcp sockets (any userspace-exposed socket).
But in case of fallback, accept() can return a plain tcp sk. In such case, sk is still tagged as 'kernel' and setsockopt will work.
This will crash the kernel, The subflow extension has a NULL ctx->conn mptcp socket:
BUG: KASAN: null-ptr-deref in subflowdataready+0x181/0x2b0 Call Trace: tcpdataready+0xf8/0x370 [..]