CVE-2026-43029
Awaiting Analysis Awaiting Analysis - Queue
Soft lockup in Linux kernel MPTCP implementation

Publication date: 2026-05-01

Last updated on: 2026-05-03

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: mptcp: fix soft lockup in mptcp_recvmsg() syzbot reported a soft lockup in mptcp_recvmsg() [0]. When receiving data with MSG_PEEK | MSG_WAITALL flags, the skb is not removed from the sk_receive_queue. This causes sk_wait_data() to always find available data and never perform actual waiting, leading to a soft lockup. Fix this by adding a 'last' parameter to track the last peeked skb. This allows sk_wait_data() to make informed waiting decisions and prevent infinite loops when MSG_PEEK is used. [0]: watchdog: BUG: soft lockup - CPU#2 stuck for 156s! [server:1963] Modules linked in: CPU: 2 UID: 0 PID: 1963 Comm: server Not tainted 6.19.0-rc8 #61 PREEMPT(none) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:sk_wait_data+0x15/0x190 Code: 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 41 56 41 55 41 54 49 89 f4 55 48 89 d5 53 48 89 fb <48> 83 ec 30 65 48 8b 05 17 a4 6b 01 48 89 44 24 28 31 c0 65 48 8b RSP: 0018:ffffc90000603ca0 EFLAGS: 00000246 RAX: 0000000000000000 RBX: ffff888102bf0800 RCX: 0000000000000001 RDX: 0000000000000000 RSI: ffffc90000603d18 RDI: ffff888102bf0800 RBP: 0000000000000000 R08: 0000000000000002 R09: 0000000000000101 R10: 0000000000000000 R11: 0000000000000075 R12: ffffc90000603d18 R13: ffff888102bf0800 R14: ffff888102bf0800 R15: 0000000000000000 FS: 00007f6e38b8c4c0(0000) GS:ffff8881b877e000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055aa7bff1680 CR3: 0000000105cbe000 CR4: 00000000000006f0 Call Trace: <TASK> mptcp_recvmsg+0x547/0x8c0 net/mptcp/protocol.c:2329 inet_recvmsg+0x11f/0x130 net/ipv4/af_inet.c:891 sock_recvmsg+0x94/0xc0 net/socket.c:1100 __sys_recvfrom+0xb2/0x130 net/socket.c:2256 __x64_sys_recvfrom+0x1f/0x30 net/socket.c:2267 do_syscall_64+0x59/0x2d0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x76/0x7e arch/x86/entry/entry_64.S:131 RIP: 0033:0x7f6e386a4a1d Code: 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 8d 05 f1 de 2c 00 41 89 ca 8b 00 85 c0 75 20 45 31 c9 45 31 c0 b8 2d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 6b f3 c3 66 0f 1f 84 00 00 00 00 00 41 56 41 RSP: 002b:00007ffc3c4bb078 EFLAGS: 00000246 ORIG_RAX: 000000000000002d RAX: ffffffffffffffda RBX: 000000000000861e RCX: 00007f6e386a4a1d RDX: 00000000000003ff RSI: 00007ffc3c4bb150 RDI: 0000000000000004 RBP: 00007ffc3c4bb570 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000103 R11: 0000000000000246 R12: 00005605dbc00be0 R13: 00007ffc3c4bb650 R14: 0000000000000000 R15: 0000000000000000 </TASK>
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-03
Generated
2026-05-07
AI Q&A
2026-05-01
EPSS Evaluated
2026-05-05
NVD
CVE-2026-43029
EUVD
EUVD-2026-26628
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.19.0-rc8
linux_kernel linux_kernel 6.19.0-rc8
linux linux_kernel to 6.19.0-rc8 (inc)
linux linux_kernel *
linux_kernel mptcp *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's multipath TCP (mptcp) implementation, specifically in the mptcp_recvmsg() function.

When receiving data with the MSG_PEEK and MSG_WAITALL flags, the socket buffer (skb) is not removed from the receive queue as it should be. This causes the function sk_wait_data() to always find data available and never actually wait for new data, leading to a soft lockup where the CPU gets stuck in an infinite loop.

The fix involves adding a parameter to track the last peeked skb, allowing sk_wait_data() to make correct waiting decisions and prevent the infinite loop when MSG_PEEK is used.


How can this vulnerability impact me? :

This vulnerability can cause a soft lockup in the Linux kernel, meaning the CPU can become stuck in an infinite loop while handling certain network operations involving multipath TCP.

Such a lockup can lead to system unresponsiveness or degraded performance, potentially causing denial of service conditions on affected systems.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability causes a soft lockup in the Linux kernel when receiving data with MSG_PEEK | MSG_WAITALL flags, leading to the CPU being stuck. Detection involves monitoring for soft lockup warnings or CPU stalls related to mptcp_recvmsg().

You can check your system logs (e.g., dmesg or /var/log/messages) for soft lockup messages mentioning mptcp_recvmsg or CPU stuck warnings.

  • Run the command: dmesg | grep -i 'soft lockup'
  • Check for processes stuck in kernel mode related to mptcp_recvmsg using: ps -eo pid,comm,state,wchan | grep mptcp_recvmsg
  • Monitor CPU usage and kernel stack traces for signs of infinite loops or lockups.

What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by a kernel patch that modifies mptcp_recvmsg() to prevent the soft lockup by properly handling MSG_PEEK | MSG_WAITALL flags.

Immediate mitigation steps include:

  • Update your Linux kernel to a version that includes the fix for this vulnerability.
  • If updating is not immediately possible, avoid using applications or network operations that use MSG_PEEK combined with MSG_WAITALL flags in MPTCP sockets.
  • Monitor system logs for signs of soft lockups and reboot the system if a lockup occurs.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The provided information does not include any details about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart