Skip to main content

Linux Kernel CVE-2026-46170

| EUVDEUVD-2026-32797 MEDIUM
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-xrpw-xx6g-3jg3
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

AC:H reflects the specific socket reference-count state and timer scheduling timing required; no confidentiality or integrity impact applies.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
7.0 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 11, 2026 - 12:23 vuln.today
CVSS changed
Jun 11, 2026 - 12:22 NVD
5.5 (MEDIUM)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
MEDIUM 5.5
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

mptcp: pm: ADD_ADDR rtx: free sk if last

When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(), and released at the end.

If at that moment, it was the last reference being held, the sk would not be freed. sock_put() should then be called instead of __sock_put().

But that's not enough: if it is the last reference, sock_put() will call sk_free(), which will end up calling sk_stop_timer_sync() on the same timer, and waiting indefinitely to finish. So it is needed to mark that the timer is done at the end of the timer handler when it has not been rescheduled, not to call sk_stop_timer_sync() on "itself".

AnalysisAI

The MPTCP (Multipath TCP) path manager in the Linux kernel mishandles socket reference counting during ADD_ADDR retransmission timer callbacks, resulting in a local denial-of-service. When the retransmit timer fires and holds the last reference to a socket, calling __sock_put() instead of sock_put() leaks the socket; and if sock_put() is used without first marking the timer done, the resulting sk_free() call invokes sk_stop_timer_sync() on the same in-flight timer, causing the kernel to wait indefinitely. No public exploit has been identified at time of analysis; EPSS is 0.02% (4th percentile), and the vulnerability is not listed in CISA KEV.

Technical ContextAI

MPTCP (Multipath TCP, RFC 8684) extends TCP to allow a single connection to use multiple network paths simultaneously. The ADD_ADDR signal advertises additional IP addresses to the remote peer and is subject to kernel-managed retransmission via sk_reset_timer(). The Linux kernel socket reference counting mechanism distinguishes __sock_put() - which unconditionally decrements the refcount without acting on zero - from sock_put(), which checks for zero and calls sk_free() for final cleanup. The root cause is the use of __sock_put() in the ADD_ADDR retransmission timer handler, which means if the timer holds the final reference and is not rescheduled, the socket is never freed (memory leak). Attempting a naive fix by substituting sock_put() introduces a second-order deadlock: sk_free() calls sk_stop_timer_sync(), which attempts to synchronously wait for the very timer callback that called it, resulting in an indefinite hang. The correct fix requires marking the timer as inactive before potential sk_free() invocation. Affected CPE: cpe:2.3:o:linux:linux_kernel.

RemediationAI

Upgrade to a patched kernel version: Linux 6.18.30, 7.0.7, or 7.1-rc3. Upstream fix commits are available at https://git.kernel.org/stable/c/8143a224785ceaf2b0856e08d4498916f38228fb, https://git.kernel.org/stable/c/b74ad20198652b6b39a761c277ba65ae82b1e107, and https://git.kernel.org/stable/c/b7b9a461569734d33d3259d58d2507adfac107ed. If kernel patching is not immediately feasible, disabling MPTCP via 'sysctl -w net.mptcp.enabled=0' eliminates the attack surface entirely with the trade-off of losing all multipath TCP functionality; this setting can be applied live without reboot and made persistent via /etc/sysctl.conf. On systems where MPTCP is required, restricting local user access to socket creation via namespaces or seccomp profiles can reduce exposure, though these controls add operational complexity.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

CVE-2026-46170 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy