CVE-2026-46168
A vulnerability in the Linux kernel's multipath TCP (MPTCP) implementation allows a local attacker with standard user privileges to trigger a denial-of-service condition. The issue stems from improper locking during socket option handling for timestamps. When the kernel attempts to set timestamp options, it uses a fast atomic lock that cannot safely call functions designed to sleep, resulting in a kernel panic. An unprivileged user can exploit this by making specific socket option calls, causing the system to crash or become unresponsive.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- —
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: mptcp: fix scheduling with atomic in timestamp sockopt Using lock_sock_fast() (atomic context) around sock_set_timestamp() and sock_set_timestamping() is unsafe, as both helpers can sleep. Replace lock_sock_fast() with sleepable lock_sock()/release_sock() to avoid scheduling while atomic panic.
7 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46168 involves a scheduling-while-atomic bug in the Linux kernel's MPTCP subsystem. The vulnerable code path uses lock_sock_fast(), which operates in atomic context and disables preemption, while subsequently calling sock_set_timestamp() and sock_set_timestamping(). Both of these helper functions perform operations that may sleep (such as memory allocation or mutex operations), creating a dangerous condition. When a sleeping operation occurs while holding an atomic lock, the kernel panics with a 'scheduling while atomic' error. The fix replaces the atomic lock_sock_fast() with the sleepable lock_sock() and release_sock() pair, allowing safe execution of timestamp configuration.
Business impact
This vulnerability enables local denial-of-service attacks against any Linux system running an affected kernel version. An unprivileged user can crash the system without requiring root access, causing service interruption, data loss risk during uncontrolled shutdown, and operational disruption. For cloud providers and multi-tenant environments, a single compromised or malicious user account can impact all tenants on the affected host. The attack requires no special tools or exploit code—only standard socket programming capabilities—making it trivially accessible to attackers.
Affected systems
The Linux kernel is affected, specifically versions that include the vulnerable MPTCP timestamp socket option handling code path. Determine which kernel versions in your infrastructure may be impacted by cross-referencing your current kernel versions against the Linux kernel security advisories and vendor patches. Both stable and long-term support kernels may be affected depending on their release date and maintenance status relative to the vulnerability discovery date of 2026-05-28.
Exploitability
Exploitability is relatively high for local attackers. The attack requires only local user access (no root privileges needed) and involves triggering the vulnerable code path through standard socket operations—specifically manipulation of timestamp socket options on MPTCP-enabled connections. No special knowledge of kernel internals, no race conditions requiring precise timing, and no complex setup is required. However, remote exploitation is not possible; attackers must have a local account on the target system. The lack of KEV (Known Exploited Vulnerability) status does not indicate absence of active exploitation.
Remediation
Apply kernel updates provided by your Linux distribution that include the scheduling-while-atomic fix for MPTCP timestamp handling. Verify that your kernel version incorporates the change replacing lock_sock_fast() with lock_sock()/release_sock() around timestamp socket option calls. If immediate patching is not possible, restrict local user account creation and implement strict access controls to limit the number of users who can access affected systems. Monitor for kernel panic logs containing 'scheduling while atomic' messages as an indicator of attempted or successful exploitation.
Patch guidance
Contact your Linux distribution vendor or check their security advisory repository for a kernel update addressing this issue. Patch availability and timing vary by distribution and kernel branch (mainline, stable, LTS). Test any kernel updates in a non-production environment first to ensure compatibility with your workloads. Coordinate with your infrastructure team to schedule reboots required for kernel updates. Verify the patched kernel version contains the commit that replaces lock_sock_fast() with sleepable locking in the MPTCP timestamp path by reviewing the distribution's security advisory or kernel changelog.
Detection guidance
Monitor system logs for 'BUG: scheduling while atomic' kernel panic messages, particularly those originating from MPTCP or socket option handling code paths. Enable kernel debugging if operationally feasible to capture more detailed stack traces. Correlate such panics with recent socket option calls or connections using MPTCP. Implement process monitoring to detect repeated socket option modifications that might indicate exploitation attempts. Check running kernel version against known-patched versions using tools like 'uname -r' and cross-reference against your vendor's advisory.
Why prioritize this
This vulnerability scores MEDIUM (5.5) due to the requirement for local access and the limitation to denial-of-service impact (no code execution or data breach). However, prioritize patching in environments with high local user density (shared systems, CI/CD runners, container clusters), multi-tenant cloud platforms, and systems where unavailability carries operational or financial consequences. The simplicity of exploitation and the lack of privilege escalation requirements warrant faster remediation than the CVSS score alone might suggest for high-availability deployments.
Risk score, explained
The CVSS 3.1 score of 5.5 (MEDIUM) reflects: Attack Vector Local (requires local access), Attack Complexity Low (straightforward to trigger), Privileges Required Low (standard user can exploit), User Interaction None (no user action needed), and Impact limited to Availability (denial of service only—no confidentiality or integrity impact). The score appropriately penalizes the local-only attack surface but recognizes the severity of denial-of-service impact to system stability. Organizations running high-availability services or with extensive local user populations should treat this as higher priority than the base score indicates.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. CVE-2026-46168 requires local user access to the affected system. Remote attackers cannot trigger this vulnerability without first obtaining a local account or shell access through another means.
Does this vulnerability allow privilege escalation?
No. The vulnerability results in denial-of-service (system crash) only. It does not provide a pathway to gain elevated privileges. However, an attacker who can crash a system may be able to cause other damage during the uncontrolled shutdown or subsequent recovery.
Which Linux distributions are affected?
All distributions shipping the vulnerable Linux kernel version are affected. Check your distribution's security advisory for specific kernel version numbers. The vulnerability exists in the mainline kernel and will gradually appear in stable and LTS branches depending on kernel release timing.
What is MPTCP and why does this matter?
Multipath TCP (MPTCP) is a kernel feature enabling a single TCP connection to use multiple network paths simultaneously for improved performance and resilience. While not enabled by default on all systems, it is increasingly used in containerized environments and advanced networking setups. If your system has MPTCP compiled in, you are exposed to this vulnerability.
This analysis is based on the CVE entry and public Linux kernel security information available as of the publication date. CVSS scores and severity ratings are provided by the National Vulnerability Database and should be validated against your organization's risk assessment framework. Exploitation proof-of-concepts and detailed attack walkthroughs are intentionally omitted. Verify all patch versions and specific affected kernel versions against your Linux distribution's official security advisory before deploying updates. SEC.co does not provide real-time threat intelligence feeds; consult your security vendor or the Linux kernel mailing list for the latest exploitation status and community guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Affected vendors
Browse
Related vulnerabilities
- CVE-2025-71313MEDIUM
CVE-2025-71313: Linux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2025-71314MEDIUM
CVE-2025-71314: Linux Panthor GPU Driver Denial of Service via Cache Flush Timeout
- CVE-2026-10004MEDIUM
CVE-2026-10004: Chrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10018MEDIUM
CVE-2026-10018: Integer Overflow in Chrome ANGLE GPU Graphics Layer
- CVE-2026-10912MEDIUM
CVE-2026-10912: Chrome Extension Same-Origin Policy Bypass (CVSS 6.5)
- CVE-2026-10916MEDIUM
CVE-2026-10916: Chrome DevTools UXSS Vulnerability | SEC.co Analysis
- CVE-2026-10998MEDIUM
CVE-2026-10998: Chrome Media Out-of-Bounds Memory Read Vulnerability
- CVE-2026-11004MEDIUM
CVE-2026-11004: Chrome ANGLE Out-of-Bounds Read Memory Disclosure