MEDIUM 5.5

CVE-2026-46158

CVE-2026-46158 is a resource leak in the Linux kernel's MPTCP (Multipath TCP) protocol implementation. When the kernel retransmits an ADD_ADDR control message, it fails to properly release a reference to a socket object in certain error paths, allowing the socket's memory to remain allocated longer than necessary. This leak occurs only when specific unlikely conditions are met during ADD_ADDR retransmission, making it a localized but real availability concern on systems handling MPTCP traffic.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
Affected products
3 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: ADD_ADDR rtx: always decrease sk refcount When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(). It should then be released in all cases at the end. Some (unlikely) checks were returning directly instead of calling sock_put() to decrease the refcount. Jump to a new 'exit' label to call __sock_put() (which will become sock_put() in the next commit) to fix this potential leak. While at it, drop the '!msk' check which cannot happen because it is never reset, and explicitly mark the remaining one as "unlikely".

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the MPTCP path manager's ADD_ADDR retransmission logic. When sk_reset_timer() holds a socket reference during retransmission, the code path should release it via sock_put() in all cases. However, several error-condition branches return early without decrementing the socket refcount, causing a reference leak. The patch introduces a common exit label that ensures __sock_put() is called unconditionally, eliminating premature returns. Additionally, dead code checks for a null msk pointer (which cannot occur) are removed, and the remaining null check is marked as unlikely to improve code clarity and performance.

Business impact

On servers or embedded systems running MPTCP-enabled kernels that experience repeated ADD_ADDR retransmissions (e.g., during network reconfigurations or failover events), this leak can gradually exhaust socket memory pools. While individual leaks are small, sustained MPTCP activity could eventually degrade system responsiveness or cause service interruptions. The impact is most acute on systems with constrained memory or high connection counts, and on kernel versions exposed to the buggy code path.

Affected systems

The vulnerability affects the Linux kernel, specifically versions that include the MPTCP subsystem with the unpatched ADD_ADDR retransmission logic. MPTCP support is available in mainline kernels from approximately version 5.6 onward, though adoption varies by distribution. Systems using MPTCP explicitly (via socket option IPPROTO_MPTCP) or those running distributions that enable MPTCP by default are at risk. Verify your kernel version and MPTCP configuration against the vendor advisory.

Exploitability

This is not a remotely exploitable vulnerability. It requires local access and MPTCP socket operations under specific retransmission conditions. The flaw manifests as a slow resource leak rather than a crash or privilege escalation, making it difficult to weaponize for immediate gain. However, a local unprivileged user with network access could potentially trigger repeated ADD_ADDR retransmissions to accelerate memory exhaustion, transforming it into a local denial-of-service vector over time.

Remediation

Apply the Linux kernel patch that introduces a common exit label in the MPTCP ADD_ADDR retransmission handler to ensure sock_put() is always called. Verify the patch against the official kernel advisory and your distribution's security bulletin. For systems unable to patch immediately, monitor socket memory consumption and consider disabling MPTCP if it is not required for your workload. Kernel version numbers containing this fix should be verified against the vendor advisory.

Patch guidance

Consult your Linux distribution's security advisory for the patched kernel version specific to your release. The patch modifies the MPTCP path manager code to use a centralized cleanup path. Update your kernel and reboot to activate the fix. If you maintain a custom kernel, apply the upstream patch directly and rebuild. Test the updated kernel in a non-production environment first to ensure stability and compatibility with your MPTCP workloads.

Detection guidance

Monitor kernel logs for repeated MPTCP-related warnings or errors during ADD_ADDR operations. Use tools like 'ss -tmi' to inspect MPTCP socket statistics and look for unusually high socket counts or memory usage in the MPTCP subsystem. Check dmesg for refcount imbalances or resource exhaustion messages. On systems with kmemleak enabled, enable it and run a long-lived workload to detect leaked socket allocations. Correlate socket memory growth with MPTCP activity to identify active exploitation or leakage.

Why prioritize this

Though assigned a MEDIUM severity score, this vulnerability merits prompt but measured attention. It is not remotely exploitable and requires either specific MPTCP usage patterns or local malicious action to cause appreciable harm. However, it represents a real resource leak that can degrade availability over time, particularly in MPTCP-heavy deployments or memory-constrained environments. Prioritize patching for systems where MPTCP is actively used or where memory is limited; defer for systems where MPTCP is disabled or rarely used.

Risk score, explained

The CVSS 3.1 score of 5.5 (MEDIUM) reflects a locally-triggered attack vector (AV:L), low complexity, and no privileges required to access network namespaces (PR:L with unprivileged MPTCP sockets). The impact is denial of service through resource exhaustion (A:H) rather than confidentiality or integrity breach (C:N, I:N). The score acknowledges that the vulnerability requires local presence and specific MPTCP conditions to exploit, limiting its attack surface.

Frequently asked questions

Does this vulnerability allow remote code execution?

No. This is a local resource leak in the MPTCP subsystem. It requires local access and MPTCP socket operations. It does not enable code execution or privilege escalation; it can only degrade availability through memory exhaustion if exploited repeatedly.

Do I need MPTCP enabled to be affected?

Yes. The vulnerability exists in MPTCP-specific code. If your kernel has MPTCP compiled out or if your applications do not use MPTCP sockets, you are not vulnerable. Check your kernel configuration and application requirements.

What is the timeline for patching?

The vulnerability was published on 2026-05-28 and modified on 2026-06-17. Consult your distribution's security advisory for patch availability and timelines. Most distributions release updates within days to weeks of an upstream fix.

Can this be exploited remotely by sending specially crafted packets?

No. The leak occurs in a local kernel code path that handles MPTCP ADD_ADDR retransmissions. Remote attackers cannot directly trigger it, though a local attacker with network stack access could craft MPTCP options to induce retransmissions.

This analysis is provided for informational purposes by SEC.co and should not be construed as legal or compliance advice. Vulnerability severity and exploitability assessments are based on the available technical data and may change as new information emerges. Always verify patch availability and compatibility against your vendor's official security advisory before applying updates. We do not provide exploit code or weaponized proof-of-concept material. Organizations are responsible for assessing their own exposure and implementing appropriate controls. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).

Affected vendors

Related vulnerabilities