Skip to main content

Linux Kernel CVE-2026-45889

| EUVDEUVD-2026-32355 MEDIUM
Divide By Zero (CWE-369)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-gh29-fq9g-3p7h
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

Race condition requires precise timing of OoO arrival during rcvspace init with msk lock held, warranting AC:H; local-only AV:L and PR:L confirmed by CVSS and description.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 25, 2026 - 21:31 vuln.today
CVSS changed
Jun 25, 2026 - 21:22 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

mptcp: do not account for OoO in mptcp_rcvbuf_grow()

MPTCP-level OoOs are physiological when multiple subflows are active concurrently and will not cause retransmissions nor are caused by drops.

Accounting for them in mptcp_rcvbuf_grow() causes the rcvbuf slowly drifting towards tcp_rmem[2].

Remove such accounting. Note that subflows will still account for TCP-level OoO when the MPTCP-level rcvbuf is propagated.

This also closes a subtle and very unlikely race condition with rcvspace init; active sockets with user-space holding the msk-level socket lock, could complete such initialization in the receive callback, after that the first OoO data reaches the rcvbuf and potentially triggering a divide by zero Oops.

AnalysisAI

Divide-by-zero kernel panic (Oops) in the Linux kernel MPTCP subsystem's mptcp_rcvbuf_grow() function can be triggered by a local authenticated user under a rare but specific race condition involving concurrent out-of-order packet arrival and receive buffer initialization. The vulnerability also causes a secondary effect where the MPTCP receive buffer slowly drifts toward the tcp_rmem[2] maximum, degrading system performance on MPTCP-heavy workloads. No public exploit identified at time of analysis; EPSS is 0.02% (4th percentile), consistent with its local-only, race-dependent nature.

Technical ContextAI

MPTCP (Multipath TCP, RFC 8684) is a Linux kernel transport-layer extension enabling a single TCP connection to use multiple network paths concurrently via subflows. The vulnerable function mptcp_rcvbuf_grow() manages dynamic resizing of the MPTCP-level receive buffer. The root cause (CWE-369: Divide By Zero) arises because MPTCP-level out-of-order (OoO) packet counts were incorrectly included in receive buffer growth accounting. This creates a race window: an active socket can complete rcvspace initialization inside the receive callback - after the first OoO segment arrives - while userspace simultaneously holds the msk-level socket lock. When the division executes with an uninitialized (zero) divisor, a kernel Oops results. Independently, the incorrect OoO accounting causes gradual receive buffer inflation toward the system maximum tcp_rmem[2]. Affected CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*.

RemediationAI

Vendor-released patches are confirmed in Linux 6.18.14, 6.19.4, and 7.0 per EUVD data. Administrators should upgrade to these versions; the fix removes MPTCP-level OoO packet accounting from mptcp_rcvbuf_grow(), eliminating both the receive buffer drift and the race condition. Patch commits are at https://git.kernel.org/stable/c/400ee4854adef1e4983812a3decf6717ea020136 (6.18 branch), https://git.kernel.org/stable/c/fb7bf00b04a6b48859f52035d4e745848c2b4c79 (6.19 branch), and https://git.kernel.org/stable/c/6b329393502e5857662b851a13f947209c588587 (mainline). As a compensating control on unpatched systems, disabling MPTCP globally via sysctl -w net.mptcp.enabled=0 (and persisting in /etc/sysctl.conf) will prevent the vulnerable code path entirely, though this disables all MPTCP functionality for applications that rely on it. Restricting local user access to the system is the secondary compensating control, as exploitation requires PR:L.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected

Share

CVE-2026-45889 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy