Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Network-reachable, no auth or interaction within an MPTCP session, availability-only impact via rcvbuf overrun; MPTCP being enabled is a config dependency rather than per-attack complexity, so AC:L.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
mptcp: allow subflow rcv wnd to shrink
In MPTCP connection, the window field in the TCP header refers to the MPTCP-level rcv_nxt and it's right edge should not move backward. Such constraint is enforced at DSS option generation time.
At the same time, the TCP stack ensures independently that the TCP-level rcv wnd right's edge does not move backward. That in turn causes artificial inflating of the MPTCP rcv window when the incoming data is acked at the TCP level and is OoO in the MPTCP sequence space (or lands in the backlog).
As a consequence, the incoming traffic can exceed the receiver rcvbuf size even when the sender is not misbehaving.
Prevent such scenario forcibly allowing the TCP subflow to shrink the TCP-level rcv wnd regardless of the current netns setting.
AnalysisAI
Resource exhaustion in the Linux kernel's MPTCP (Multipath TCP) subsystem lets a remote peer drive incoming traffic past the receiver's configured rcvbuf size by breaking receive-window accounting. The defect arises because the TCP-level receive window is prevented from shrinking while the MPTCP-level window is independently constrained, so when data is acked at the TCP level but is out-of-order in MPTCP sequence space (or backlogged), the advertised MPTCP window is artificially inflated. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target host has MPTCP enabled and that the connection actually negotiates Multipath TCP, since the flaw lives entirely in MPTCP subflow window handling and not in plain TCP - on kernels or distributions where MPTCP is disabled or unused, the code path is unreachable. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are largely consistent and indicate a moderate, low-urgency availability bug rather than a top priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A remote peer opens an MPTCP connection to a vulnerable Linux host and sends data crafted to land out-of-order in MPTCP sequence space (or in the backlog) while being acked at the TCP level, causing the host to advertise an inflated receive window. Sustained traffic then exceeds the receiver's rcvbuf allocation, driving excess memory consumption and degraded availability without authentication. … |
| Remediation | Vendor-released patch: upgrade to a fixed Linux stable release - 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1 (or later on the matching branch). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Linux systems with MPTCP enabled and determine affected kernel versions across your distribution vendors (RHEL, Ubuntu, Debian, SUSE, etc.). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39274
GHSA-wxvq-pwv2-xpc3