CVE-2026-45889
Awaiting Analysis - Queue
Buffer Overflow in Linux Kernel MPTCP Implementation

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

mptcp: do not account for OoO in mptcp_rcvbuf_grow()

MPTCP-level OoOs are physiological when multiple subflows are active concurrently and will not cause retransmissions nor are caused by drops. Accounting for them in mptcp_rcvbuf_grow() causes the rcvbuf slowly drifting towards tcp_rmem[2]. Remove such accounting.

Note that subflows will still account for TCP-level OoO when the MPTCP-level rcvbuf is propagated.

This also closes a subtle and very unlikely race condition with rcvspace init; active sockets with user-space holding the msk-level socket lock, could complete such initialization in the receive callback, after that the first OoO data reaches the rcvbuf and potentially triggering a divide by zero Oops.

Meta Information

Published: 2026-05-27
Last Modified: 2026-05-27
Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15

Affected Vendors & Products

Vendor: linux
Product: linux_kernel
Version / Range: *

CWE ID: CWE-UNKNOWN

Executive Summary

This vulnerability relates to the Linux kernel's handling of Multipath TCP (MPTCP) receive buffer accounting. Specifically, the function mptcp_rcvbuf_grow() incorrectly accounted for out-of-order (OoO) packets at the MPTCP level, which are normal when multiple subflows are active and do not cause retransmissions or drops.

Because of this incorrect accounting, the receive buffer size (rcvbuf) could slowly drift towards the maximum TCP receive memory limit (tcp_rmem[2]). The fix removes this incorrect accounting while still maintaining TCP-level OoO accounting for each subflow.

Additionally, the fix closes a subtle and very unlikely race condition in rcvspace initialization. On an active socket where user space holds the msk-level socket lock, that initialization could complete in the receive callback only after the first OoO data had reached the receive buffer, potentially triggering a divide-by-zero kernel crash (Oops).

Impact Analysis

This vulnerability could cause the MPTCP receive buffer size to drift slowly towards tcp_rmem[2], potentially leading to inefficient memory usage or unexpected behavior in network data handling.

More critically, the race condition could cause a kernel crash (divide-by-zero Oops), which may lead to system instability or denial of service on affected Linux systems using MPTCP.

Mitigation Strategies

The vulnerability has been resolved by removing the accounting for out-of-order (OoO) packets in the mptcp_rcvbuf_grow() function in the Linux kernel. To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.
