Skip to main content

Linux Kernel CVE-2026-53183

| EUVDEUVD-2026-39274 HIGH
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-wxvq-pwv2-xpc3
7.5
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Network-reachable, no auth or interaction within an MPTCP session, availability-only impact via rcvbuf overrun; MPTCP being enabled is a config dependency rather than per-attack complexity, so AC:L.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:24 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.5 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 7.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

mptcp: allow subflow rcv wnd to shrink

In MPTCP connection, the window field in the TCP header refers to the MPTCP-level rcv_nxt and it's right edge should not move backward. Such constraint is enforced at DSS option generation time.

At the same time, the TCP stack ensures independently that the TCP-level rcv wnd right's edge does not move backward. That in turn causes artificial inflating of the MPTCP rcv window when the incoming data is acked at the TCP level and is OoO in the MPTCP sequence space (or lands in the backlog).

As a consequence, the incoming traffic can exceed the receiver rcvbuf size even when the sender is not misbehaving.

Prevent such scenario forcibly allowing the TCP subflow to shrink the TCP-level rcv wnd regardless of the current netns setting.

AnalysisAI

Resource exhaustion in the Linux kernel's MPTCP (Multipath TCP) subsystem lets a remote peer drive incoming traffic past the receiver's configured rcvbuf size by breaking receive-window accounting. The defect arises because the TCP-level receive window is prevented from shrinking while the MPTCP-level window is independently constrained, so when data is acked at the TCP level but is out-of-order in MPTCP sequence space (or backlogged), the advertised MPTCP window is artificially inflated. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Establish MPTCP connection to host
Delivery
Send data acked at TCP but OoO in MPTCP space
Exploit
Inflate advertised MPTCP receive window
Execution
Push traffic beyond rcvbuf limit
Impact
Exhaust receive memory and degrade availability

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target host has MPTCP enabled and that the connection actually negotiates Multipath TCP, since the flaw lives entirely in MPTCP subflow window handling and not in plain TCP - on kernels or distributions where MPTCP is disabled or unused, the code path is unreachable. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are largely consistent and indicate a moderate, low-urgency availability bug rather than a top priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A remote peer opens an MPTCP connection to a vulnerable Linux host and sends data crafted to land out-of-order in MPTCP sequence space (or in the backlog) while being acked at the TCP level, causing the host to advertise an inflated receive window. Sustained traffic then exceeds the receiver's rcvbuf allocation, driving excess memory consumption and degraded availability without authentication. …
Remediation Vendor-released patch: upgrade to a fixed Linux stable release - 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1 (or later on the matching branch). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Linux systems with MPTCP enabled and determine affected kernel versions across your distribution vendors (RHEL, Ubuntu, Debian, SUSE, etc.). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53183 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy