CVE-2026-53183
Analyzed Analyzed - Analysis Complete

Linux Kernel MPTCP Window Shrinkage Vulnerability

Vulnerability report for CVE-2026-53183, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-07-06

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: mptcp: allow subflow rcv wnd to shrink In MPTCP connection, the `window` field in the TCP header refers to the MPTCP-level rcv_nxt and it's right edge should not move backward. Such constraint is enforced at DSS option generation time. At the same time, the TCP stack ensures independently that the TCP-level rcv wnd right's edge does not move backward. That in turn causes artificial inflating of the MPTCP rcv window when the incoming data is acked at the TCP level and is OoO in the MPTCP sequence space (or lands in the backlog). As a consequence, the incoming traffic can exceed the receiver rcvbuf size even when the sender is not misbehaving. Prevent such scenario forcibly allowing the TCP subflow to shrink the TCP-level rcv wnd regardless of the current netns setting.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-07-06
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-14
NVD
EUVD

Affected Vendors & Products

Showing 11 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 6.2 (inc) to 6.6.143 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.36 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.94 (exc)
linux linux_kernel From 5.19 (inc) to 6.1.176 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.13 (exc)
linux linux_kernel 7.1
linux linux_kernel 7.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's implementation of Multipath TCP (MPTCP). It involves the handling of the receive window (rcv wnd) in TCP subflows. Normally, the MPTCP-level receive window's right edge should not move backward, and this is enforced during DSS option generation. However, the TCP stack independently ensures that the TCP-level receive window's right edge does not move backward, which can cause an artificial inflation of the MPTCP receive window when data acknowledged at the TCP level is out-of-order in the MPTCP sequence space or lands in the backlog.

This mismatch can lead to incoming traffic exceeding the receiver's buffer size (rcvbuf) even when the sender behaves correctly. The fix forcibly allows the TCP subflow to shrink the TCP-level receive window regardless of the current network namespace setting, preventing this artificial inflation.

Impact Analysis

The vulnerability can cause the incoming traffic to exceed the receiver's buffer size, potentially leading to resource exhaustion or degraded performance on systems using MPTCP. This happens even if the sender is not misbehaving, meaning normal network traffic could trigger this issue.

Mitigation Strategies

The vulnerability has been resolved in the Linux kernel by allowing the TCP subflow to shrink the TCP-level receive window regardless of the current network namespace setting.

To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53183. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart