CVE-2026-46137
Race Condition in Linux Kernel MPTCP PM ADD_ADDR Timer
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's multipath TCP (mptcp) implementation, specifically in the pm (path manager) component's ADD_ADDR retransmission logic. The issue arises because the mptcp_pm_add_timer() function, which is executed as a timer callback in a softirq context, does not properly hold the socket lock using bh_lock_sock(). This can lead to potential data races when accessing the socket.
To fix this, the socket lock must be held during the timer callback to prevent concurrent access issues. If the socket is currently in use, the timer should retry soon after, similar to the behavior of the keepalive timer.
How can this vulnerability impact me? :
The vulnerability could lead to data races in the Linux kernel's multipath TCP implementation, which may cause unpredictable behavior such as data corruption, crashes, or other stability issues in systems using this feature.
Such instability could affect network communication reliability and potentially lead to denial of service or other operational disruptions.