CVE-2026-46158
MPTCP ADD_ADDR retransmission sk refcount leak fix
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: kernel.org
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's Multipath TCP (mptcp) implementation, specifically in the handling of the ADD_ADDR retransmission timer (rtx). When an ADD_ADDR message is retransmitted, a socket reference (sk) is held in sk_reset_timer(). However, in some rare cases, the reference count for this socket was not properly decreased because certain checks returned early without calling sock_put(), which is responsible for releasing the socket reference. This could lead to a potential resource leak. The fix involves ensuring that sock_put() is always called by jumping to a common exit label, thereby properly decreasing the socket reference count.
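The pattern described in the answer above, as an added userspace example (not the kernel's code and not taken from the fix commit). The struct, function names, and the two early-exit conditions are hypothetical stand-ins for the checks the description mentions.

```c
/* Userspace model of the refcount leak pattern; all names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>

struct model_sock { int refcnt; bool closed; };

/* Arming the timer takes a reference that the handler must drop when it runs. */
static void model_arm_timer(struct model_sock *sk) { sk->refcnt++; }
static void model_sock_put(struct model_sock *sk)  { sk->refcnt--; }

/* Before: the rare-path check returns early and skips the put. */
static void rtx_timer_leaky(struct model_sock *sk, const void *entry)
{
    if (!entry || sk->closed)   /* assumed conditions, for illustration */
        return;                 /* leak: timer reference never dropped */
    /* ... retransmission work would happen here ... */
    model_sock_put(sk);
}

/* After: every path leaves through one label that drops the reference. */
static void rtx_timer_fixed(struct model_sock *sk, const void *entry)
{
    if (!entry || sk->closed)
        goto out;
    /* ... retransmission work would happen here ... */
out:
    model_sock_put(sk);
}

typedef void (*rtx_handler)(struct model_sock *, const void *);

/* Arm and fire the timer once; return references left beyond the owner's own. */
static int leaked_refs(rtx_handler h, bool have_entry, bool closed)
{
    struct model_sock sk = { .refcnt = 1, .closed = closed };
    int dummy = 0;              /* constructed stand-in for a pending entry */

    model_arm_timer(&sk);
    h(&sk, have_entry ? &dummy : NULL);
    return sk.refcnt - 1;
}

int main(void)
{
    printf("leaky handler, early exit: %d leaked\n", leaked_refs(rtx_timer_leaky, false, false));
    printf("fixed handler, early exit: %d leaked\n", leaked_refs(rtx_timer_fixed, false, false));
    return 0;
}
```

Each firing of the leaky handler on the early-exit path strands one reference, so the modelled socket can never reach a zero count and be freed.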
How can this vulnerability impact me?
The vulnerability can cause a resource leak in the Linux kernel's networking stack due to socket references not being properly released during ADD_ADDR retransmissions in Multipath TCP. Over time, this could lead to increased memory usage and potentially degrade system performance or stability if the leak accumulates. However, the description notes that the problematic checks are unlikely to occur, suggesting the impact might be limited or rare.