Skip to main content

Linux Kernel CVE-2026-46137

| EUVDEUVD-2026-32764 CRITICAL
Race Condition (CWE-362)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-cmf4-rm73-rfhx
Critical
Disputed · 9.8 Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Sources disagree (Medium–Critical)
Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative
Red Hat
5.5 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:55 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
9.8 (CRITICAL)
Patch available
May 28, 2026 - 12:31 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
CRITICAL 9.8
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

mptcp: pm: ADD_ADDR rtx: fix potential data-race

This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock().

If the socket is in use, retry again soon after, similar to what is done with the keepalive timer.

AnalysisAI

Race condition in the Linux kernel's MPTCP (Multipath TCP) path manager subsystem affects the mptcp_pm_add_timer() ADD_ADDR retransmission helper, where the timer callback runs in softirq context without holding the socket lock via bh_lock_sock(). The data race could lead to inconsistent socket state when concurrent operations touch the same MPTCP socket. Despite a CVSS of 9.8, EPSS is only 0.02% (5th percentile) and no public exploit identified at time of analysis; the tag 'Information Disclosure' suggests realistic impact is far below the headline score.

Technical ContextAI

MPTCP (Multipath TCP, RFC 8684) is a TCP extension allowing a single transport connection to use multiple network paths simultaneously. The path manager (pm) component handles signaling such as ADD_ADDR options used to advertise additional addresses, with retransmission scheduled via a kernel timer. Timer callbacks execute in softirq context, so concurrent access to socket state must be serialized using bh_lock_sock(); the original code missed this, creating a classic kernel data-race pattern (CWE-362 class, although CWE is listed as N/A). The fix mirrors the keepalive timer pattern: take bh_lock_sock(), and if the socket is owned by user context (sock_owned_by_user), reschedule the timer shortly afterward instead of racing.

RemediationAI

Upstream fix available (commits 013dcdc1961543b9a3433466bc8c79a2f4ca75b5, 2ad56e434199ca24a812bb353667aa1c3860f513, 5cd6e0ad79d2615264f63929f8b457ad97ae550d, 6e4710d7d8782cb61af29a7e7111ddfc38b9e1a3, cc3c0399361efaaf7ae64262eb3f70829b1189c6); upgrade to Linux 6.6.141, 6.12.91, 6.18.30, 7.0.7, or 7.1-rc3 or later, or apply your distribution's backport once published (track NVD entry https://nvd.nist.gov/vuln/detail/CVE-2026-46137). If patching is not immediately possible and MPTCP is not required for workloads, disable MPTCP via sysctl net.mptcp.enabled=0 (side effect: any application that opted into MPTCP via IPPROTO_MPTCP will fall back to plain TCP or fail to create sockets) or unload/blacklist the mptcp kernel module on systems where it is built modular. Restrict the ability to create MPTCP sockets via seccomp or sysctl-controlled net.mptcp.allow_join_initial_addr_port where the race window in the path manager would otherwise be reachable.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-46137 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy