Off-Path TCP Exploits: PMTUD Breaks TCP Connection Isolation in IP Address Sharing Scenarios

📅 2025-09-15
📈 Citations: 0
Influential: 0
🤖 AI Summary
This paper exposes a critical security vulnerability in Path MTU Discovery (PMTUD) under IP address sharing scenarios: attackers can remotely infer the initial TCP sequence numbers of co-located devices by measuring MTU variations and network latency—enabling cross-device TCP hijacking without direct path access and violating connection isolation. We propose the first PMTUD-based TCP state correlation inference model, integrating MTU observation, sequence number prediction, and latency side-channel analysis. Experiments demonstrate a 70% success rate within an average of 220 seconds; vulnerability scanning across 50 real-world networks—including public Wi-Fi, VPNs, and 5G—identified 38 vulnerable deployments. Our findings have been adopted and remediated by IETF standards, the Linux kernel, and Cisco.

📝 Abstract
Path MTU Discovery (PMTUD) and IP address sharing are integral aspects of modern Internet infrastructure. In this paper, we investigate the security vulnerabilities associated with PMTUD within the context of prevalent IP address sharing practices. We reveal that PMTUD is inadequately designed to handle IP address sharing, creating vulnerabilities that attackers can exploit to perform off-path TCP hijacking attacks. We demonstrate that by observing the path MTU value determined by a server for a public IP address (shared among multiple devices), an off-path attacker on the Internet, in collaboration with a malicious device, can infer the sequence numbers of TCP connections established by other legitimate devices sharing the same IP address. This vulnerability enables the attacker to perform off-path TCP hijacking attacks, significantly compromising the security of the affected TCP connections. Our attack involves first identifying a target TCP connection originating from the shared IP address, followed by inferring the sequence numbers of the identified connection. We thoroughly assess the impacts of our attack under various network configurations. Experimental results reveal that the attack can be executed within an average time of 220 seconds, achieving a success rate of 70%. Case studies, including SSH DoS, FTP traffic poisoning, and HTTP injection, highlight the threat it poses to various applications. Additionally, we evaluate our attack across 50 real-world networks with IP address sharing (including public Wi-Fi, VPNs, and 5G) and find 38 vulnerable. Finally, we responsibly disclose the vulnerabilities, receive recognition from organizations such as IETF, Linux, and Cisco, and propose our countermeasures.
Problem

Research questions and friction points this paper is trying to address.

PMTUD vulnerabilities in IP address sharing scenarios
Off-path TCP hijacking attacks exploiting shared IPs
Inferring TCP sequence numbers to compromise connections
Innovation

Methods, ideas, or system contributions that make the work stand out.

Exploits PMTUD vulnerability in shared IP
Uses off-path TCP hijacking attack method
Involves sequence number inference technique
Authors
Xuewei Feng, National University of Singapore
Zhaoxi Li, Tsinghua University
Qi Li, Tsinghua University
Ziqiang Wang, Concordia University
Kun Sun, George Mason University
Ke Xu, Tsinghua University