CVE-2026-46170
Memory Leak in Linux Kernel MPTCP PM
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: kernel.org
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability in the Linux kernel relates to the handling of ADD_ADDR retransmission in the MPTCP (Multipath TCP) protocol. Specifically, it involves improper freeing of socket references, which can lead to an indefinite wait in the timer handling code. Sockets that are not freed properly could cause resource leaks or system instability.
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's Multipath TCP (MPTCP) implementation, specifically in the handling of ADD_ADDR retransmissions.
When an ADD_ADDR message is retransmitted, a reference to the socket (sk) is held in a reset timer function and released at the end. If this is the last reference held on the socket, the socket is not properly freed, because the wrong function (__sock_put()) is called instead of sock_put().
However, calling sock_put() on the last reference leads to a deadlock situation because it calls sk_free(), which tries to stop the timer synchronously on itself, causing an indefinite wait.
The fix involves marking the timer as done at the end of the timer handler if it has not been rescheduled, preventing the deadlock by avoiding calling sk_stop_timer_sync() on the same timer.
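The three outcomes described above, as a simplified userspace model added here for illustration; it is not kernel code or the fix itself, and the struct, the enum names and the model_* helpers are hypothetical stand-ins for __sock_put(), sock_put() and sk_free():

```c
#include <stdbool.h>
#include <stdio.h>
/* Userspace model only, not kernel code: struct and names are hypothetical. */
enum outcome { FREED, LEAKED, DEADLOCK };
enum variant { PUT_NOFREE, PUT, PUT_AFTER_TIMER_DONE };

struct model_sk {
    int  refcnt;      /* socket reference count */
    bool in_handler;  /* the ADD_ADDR retransmission timer handler is running */
    bool timer_done;  /* fix: handler finished without rescheduling the timer */
    bool freed, deadlocked;
};

/* Models __sock_put(): drops a reference, never frees. */
static void model_put_nofree(struct model_sk *sk) { sk->refcnt--; }
/* Models sk_free(): stops the timer synchronously unless it is marked done. */
static void model_free(struct model_sk *sk)
{
    if (sk->in_handler && !sk->timer_done)
        sk->deadlocked = true;   /* would wait on its own handler forever */
    else
        sk->freed = true;
}

/* Models sock_put(): drops a reference, frees on the last one. */
static void model_put(struct model_sk *sk)
{
    if (--sk->refcnt == 0)
        model_free(sk);
}

/* Runs the end of the timer handler while it holds the last reference. */
static enum outcome run_handler(enum variant v)
{
    struct model_sk sk = { .refcnt = 1, .in_handler = true };
    if (v == PUT_AFTER_TIMER_DONE)
        sk.timer_done = true;    /* mark done before dropping the reference */
    if (v == PUT_NOFREE)
        model_put_nofree(&sk);
    else
        model_put(&sk);
    return sk.deadlocked ? DEADLOCK : sk.freed ? FREED : LEAKED;
}

int main(void)
{
    for (int v = PUT_NOFREE; v <= PUT_AFTER_TIMER_DONE; v++)
        printf("variant %d -> outcome %d\n", v, run_handler(v));
}
```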