Skip to main content

Linux Kernel EUVDEUVD-2026-32785

| CVE-2026-46158 MEDIUM
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-vj5h-6xr8-8f8g
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
7.0 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 09, 2026 - 23:24 vuln.today
CVSS changed
Jun 09, 2026 - 21:07 NVD
5.5 (MEDIUM)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

mptcp: pm: ADD_ADDR rtx: always decrease sk refcount

When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(). It should then be released in all cases at the end.

Some (unlikely) checks were returning directly instead of calling sock_put() to decrease the refcount. Jump to a new 'exit' label to call __sock_put() (which will become sock_put() in the next commit) to fix this potential leak.

While at it, drop the '!msk' check which cannot happen because it is never reset, and explicitly mark the remaining one as "unlikely".

AnalysisAI

Socket reference count leak in the Linux kernel MPTCP path manager allows a local low-privilege attacker to cause kernel resource exhaustion and denial of service by repeatedly triggering ADD_ADDR retransmission events. Affected versions span from Linux 5.10 through 7.1-rc2, with patches confirmed available in stable releases 6.18.30, 7.0.7, and 7.1-rc3. No public exploit has been identified and EPSS probability is negligible at 0.02%, placing this firmly in routine maintenance priority rather than emergency response.

Technical ContextAI

The vulnerability resides in the MPTCP (Multipath TCP) path manager subsystem of the Linux kernel. MPTCP is a transport layer extension allowing a single TCP connection to utilize multiple network paths simultaneously; ADD_ADDR is the signaling option used to advertise additional addresses for path establishment. During ADD_ADDR retransmission, the kernel acquires a socket reference via sk_reset_timer() but several early-exit code paths within the retransmission handler returned directly without calling sock_put() to decrement the reference counter. This is a reference counting defect consistent with CWE-911 (Improper Update of Reference Count) or CWE-401 (Missing Release of Memory after Effective Lifetime) - though NVD lists no CWE for this entry. The fix consolidates cleanup at a new goto 'exit' label calling __sock_put() unconditionally, and removes a dead '!msk' null check that cannot occur given the MPTCP call graph. CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* covers all affected Linux kernel versions per NVD.

RemediationAI

Upgrade the Linux kernel to a patched release: version 6.18.30, 7.0.7, or 7.1-rc3 (or any later stable release). Upstream stable-tree fix commits are available at https://git.kernel.org/stable/c/25e37407442b8766ec2cf52fb4e31b5c3d3aeeae, https://git.kernel.org/stable/c/9634cb35af17019baec21ca648516ce376fa10e6, https://git.kernel.org/stable/c/acd3d3562315c99f3c0db16f0fcc5f0306638982, https://git.kernel.org/stable/c/9426265e157dd77ec237c795901ed4dea6d69b5c, and https://git.kernel.org/stable/c/b41dd76f3b9735096c21d3e799a2b9fe36498d57. If immediate patching is not feasible, disabling MPTCP entirely via 'sysctl -w net.mptcp.enabled=0' eliminates the vulnerable code path with the trade-off of disabling all Multipath TCP functionality on that host. Systems that do not use MPTCP are not exposed to this code path.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

EUVD-2026-32785 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy