CVE-2026-53183
Received Received - Intake
Linux Kernel MPTCP Window Shrinkage Vulnerability

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: mptcp: allow subflow rcv wnd to shrink In MPTCP connection, the `window` field in the TCP header refers to the MPTCP-level rcv_nxt and it's right edge should not move backward. Such constraint is enforced at DSS option generation time. At the same time, the TCP stack ensures independently that the TCP-level rcv wnd right's edge does not move backward. That in turn causes artificial inflating of the MPTCP rcv window when the incoming data is acked at the TCP level and is OoO in the MPTCP sequence space (or lands in the backlog). As a consequence, the incoming traffic can exceed the receiver rcvbuf size even when the sender is not misbehaving. Prevent such scenario forcibly allowing the TCP subflow to shrink the TCP-level rcv wnd regardless of the current netns setting.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-25
Last Modified
2026-06-25
Generated
2026-06-25
AI Q&A
2026-06-25
EPSS Evaluated
N/A
NVD
CVE-2026-53183
EUVD
EUVD-2026-39274
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's implementation of Multipath TCP (MPTCP). It involves the handling of the receive window (rcv wnd) in TCP subflows. Normally, the MPTCP-level receive window's right edge should not move backward, and this is enforced during DSS option generation. However, the TCP stack independently ensures that the TCP-level receive window's right edge does not move backward, which can cause an artificial inflation of the MPTCP receive window when data acknowledged at the TCP level is out-of-order in the MPTCP sequence space or lands in the backlog.

This mismatch can lead to incoming traffic exceeding the receiver's buffer size (rcvbuf) even when the sender behaves correctly. The fix forcibly allows the TCP subflow to shrink the TCP-level receive window regardless of the current network namespace setting, preventing this artificial inflation.

Impact Analysis

The vulnerability can cause the incoming traffic to exceed the receiver's buffer size, potentially leading to resource exhaustion or degraded performance on systems using MPTCP. This happens even if the sender is not misbehaving, meaning normal network traffic could trigger this issue.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53183. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart