Skip to main content

Linux Kernel CVE-2026-46168

| EUVDEUVD-2026-32795 MEDIUM
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-78r5-m85f-q5m9
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local access with low privileges required to open MPTCP sockets; setsockopt call crashes kernel, so availability is High with no confidentiality or integrity impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 10, 2026 - 23:36 vuln.today
CVSS changed
Jun 10, 2026 - 21:22 NVD
5.5 (MEDIUM)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

mptcp: fix scheduling with atomic in timestamp sockopt

Using lock_sock_fast() (atomic context) around sock_set_timestamp() and sock_set_timestamping() is unsafe, as both helpers can sleep.

Replace lock_sock_fast() with sleepable lock_sock()/release_sock() to avoid scheduling while atomic panic.

AnalysisAI

Scheduling-while-atomic kernel panic in the Linux kernel MPTCP subsystem allows a local low-privileged user to crash the host by setting timestamp socket options on an MPTCP socket. The defect stems from invoking sleepable helpers - sock_set_timestamp() and sock_set_timestamping() - inside the atomic context established by lock_sock_fast(), violating the kernel's non-sleeping constraint for spinlock holders. No public exploit code has been identified and EPSS sits at 0.02% (5th percentile), indicating negligible real-world exploitation probability at this time. Note: the 'Information Disclosure' tag applied by some sources appears incorrect - the actual impact is limited to availability (kernel panic/crash) with no confidentiality or integrity consequence per the CVSS vector.

Technical ContextAI

MPTCP (Multipath TCP, RFC 8684) is a Linux kernel transport-layer extension allowing a single TCP connection to use multiple network paths simultaneously. Its timestamp socket-option handler (the sockopt for SO_TIMESTAMP and SO_TIMESTAMPING) was implemented using lock_sock_fast(), a variant of the socket lock that acquires a BH spinlock and establishes an atomic (non-preemptible, non-sleepable) context. The sock_set_timestamp() and sock_set_timestamping() helpers internally invoke functions that may sleep (e.g., to acquire mutexes or call kmalloc with GFP_KERNEL). Calling sleepable code inside an atomic context violates the kernel scheduler's invariants, triggering a 'BUG: scheduling while atomic' kernel panic (OOPS/crash). The CWE classification was not assigned by NVD, but the root cause maps closely to CWE-667 (Improper Locking) or CWE-835 (Lock Order-Dependent Code in Sleepable Context). The fix replaces lock_sock_fast()/unlock_sock_fast() with the sleepable lock_sock()/release_sock() pair. The vulnerability was introduced starting at commit 9061f24bf82ec2e92dd1e7c10b98b680db023d31, corresponding roughly to the Linux 5.14 era when MPTCP timestamp sockopt support was added. Affected CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*.

RemediationAI

The primary remediation is to upgrade to a patched kernel version. Upgrade to Linux 6.6.140 or later on the 6.6.x LTS branch, 6.12.88 or later on the 6.12.x branch, 6.18.30 or later on the 6.18.x branch, or 7.0.7 or later on the 7.0.x branch. Development systems tracking mainline should use 7.1-rc2 or a post-fix mainline commit. Patches are publicly available at the kernel.org stable git repository (https://git.kernel.org/stable/c/7eb513b42721bee4b96da69f6188d5a7783f210d and related commits listed in references). Downstream distributors (Debian, Ubuntu, RHEL, SUSE, etc.) are expected to backport these fixes into their respective kernel packages - check the relevant distribution's security tracker for package availability. If an immediate kernel upgrade is not feasible and the deployment involves untrusted local users, a viable compensating control is to restrict MPTCP socket creation by loading a seccomp policy or using LSM rules (SELinux/AppArmor) that block setsockopt calls with SO_TIMESTAMP/SO_TIMESTAMPING on MPTCP sockets for non-privileged users; however, this may impact legitimate network monitoring applications that rely on kernel timestamping. Disabling MPTCP entirely via 'sysctl net.mptcp.enabled=0' eliminates the attack surface entirely if MPTCP is not operationally required, with the trade-off of losing multipath TCP functionality.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

CVE-2026-46168 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy