CVE-2026-43029 - Vulnerability Details

- mptcp: fix soft lockup in mptcp_recvmsg()

Description

In the Linux kernel, the following vulnerability has been resolved:

mptcp: fix soft lockup in mptcp_recvmsg()

syzbot reported a soft lockup in mptcp_recvmsg() [0].

When receiving data with MSG_PEEK | MSG_WAITALL flags, the skb is not
removed from the sk_receive_queue. This causes sk_wait_data() to always
find available data and never perform actual waiting, leading to a soft
lockup.

Fix this by adding a 'last' parameter to track the last peeked skb.
This allows sk_wait_data() to make informed waiting decisions and prevent
infinite loops when MSG_PEEK is used.

[0]:
watchdog: BUG: soft lockup - CPU#2 stuck for 156s! [server:1963]
Modules linked in:
CPU: 2 UID: 0 PID: 1963 Comm: server Not tainted 6.19.0-rc8 #61 PREEMPT(none)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:sk_wait_data+0x15/0x190
Code: 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 41 56 41 55 41 54 49 89 f4 55 48 89 d5 53 48 89 fb <48> 83 ec 30 65 48 8b 05 17 a4 6b 01 48 89 44 24 28 31 c0 65 48 8b
RSP: 0018:ffffc90000603ca0 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ffff888102bf0800 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffffc90000603d18 RDI: ffff888102bf0800
RBP: 0000000000000000 R08: 0000000000000002 R09: 0000000000000101
R10: 0000000000000000 R11: 0000000000000075 R12: ffffc90000603d18
R13: ffff888102bf0800 R14: ffff888102bf0800 R15: 0000000000000000
FS: 00007f6e38b8c4c0(0000) GS:ffff8881b877e000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055aa7bff1680 CR3: 0000000105cbe000 CR4: 00000000000006f0
Call Trace:
<TASK>
mptcp_recvmsg+0x547/0x8c0 net/mptcp/protocol.c:2329
inet_recvmsg+0x11f/0x130 net/ipv4/af_inet.c:891
sock_recvmsg+0x94/0xc0 net/socket.c:1100
__sys_recvfrom+0xb2/0x130 net/socket.c:2256
__x64_sys_recvfrom+0x1f/0x30 net/socket.c:2267
do_syscall_64+0x59/0x2d0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x76/0x7e arch/x86/entry/entry_64.S:131
RIP: 0033:0x7f6e386a4a1d
Code: 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 8d 05 f1 de 2c 00 41 89 ca 8b 00 85 c0 75 20 45 31 c9 45 31 c0 b8 2d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 6b f3 c3 66 0f 1f 84 00 00 00 00 00 41 56 41
RSP: 002b:00007ffc3c4bb078 EFLAGS: 00000246 ORIG_RAX: 000000000000002d
RAX: ffffffffffffffda RBX: 000000000000861e RCX: 00007f6e386a4a1d
RDX: 00000000000003ff RSI: 00007ffc3c4bb150 RDI: 0000000000000004
RBP: 00007ffc3c4bb570 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000103 R11: 0000000000000246 R12: 00005605dbc00be0
R13: 00007ffc3c4bb650 R14: 0000000000000000 R15: 0000000000000000
</TASK>

Published: 2026-05-01

Score: 7.0 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The bug occurs when an MPTCP socket receives data with both MSG_PEEK and MSG_WAITALL flags enabled. The code path leaves the socket buffer (skb) in the receive queue, causing the kernel’s waiting routine sk_wait_data() to repeatedly find data and never yield to the scheduler. This leads to an infinite busy‑loop that manifests as a soft CPU lockup lasting minutes, consuming the core and degrading system responsiveness or triggering a watchdog reboot.

Affected Systems

Any Linux kernel build that contains the original mptcp_recvmsg() implementation is vulnerable until the patch that tracks the last peeked skb is applied. The vulnerability is present in all mainstream releases before the commit 58b58b9, regardless of distribution, because the CNA lists only "Linux:Linux" and the affected‑version information is not specified. Administrators should verify if their kernel version precedes the patch and plan an upgrade accordingly.

Risk and Exploitability

The CVSS score of 7.0 indicates moderate–high severity, while the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, so no public exploitation has been reported. Based on the description, the likely attack vector is a local or remote user‑space program that invokes recv() with MSG_PEEK | MSG_WAITALL on an MPTCP socket; no kernel privilege is required. An attacker can trigger a soft lockup that stalls the affected core, leading to service disruption or a forced reboot if a watchdog monitors the core.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`8e04ce45a8db7a080220e86e249198fa676b83dc`	affected	< 58b58b9ba89c43914eea90c18928e51852d10c24
`8e04ce45a8db7a080220e86e249198fa676b83dc`	affected	< de3c248d1b69eaefa2d5b3da4005936dcf590f1b
`8e04ce45a8db7a080220e86e249198fa676b83dc`	affected	< 5dd8025a49c268ab6b94d978532af3ad341132a7
`49888b3b457b801282b44c246d289c56e2f2a55b`	affected	—
`0206a9341e652167c610dcd79f3d4e9e8153984c`	affected	—
`7d6d10eee01edc9c20850ea75cf8273dc1170921`	affected	—

Linux

affected

Version	Status	Constraints
`6.18`	affected	—
`0`	unaffected	< 6.18
`6.18.22`	unaffected	≤ 6.18.*
`6.19.12`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[8e04ce45a8db7a080220e86e249198fa676b83dc,58b58b9ba89c43914eea90c18928e51852d10c24)`	affected	code_commit	—
`[8e04ce45a8db7a080220e86e249198fa676b83dc,de3c248d1b69eaefa2d5b3da4005936dcf590f1b)`	affected	code_commit	—
`[8e04ce45a8db7a080220e86e249198fa676b83dc,5dd8025a49c268ab6b94d978532af3ad341132a7)`	affected	code_commit	—
`49888b3b457b801282b44c246d289c56e2f2a55b`	affected	code_commit	—
`0206a9341e652167c610dcd79f3d4e9e8153984c`	affected	code_commit	—
`7d6d10eee01edc9c20850ea75cf8273dc1170921`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.18`	affected	generic	—
`[0,6.18)`	unaffected	generic	—
`[6.18.22,6.18.*]`	unaffected	generic	—
`[6.19.12,6.19.*]`	unaffected	generic	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to a kernel version that includes the mptcp_recvmsg() patch (commit 58b58b9 or later).
Reconfigure applications to avoid using MSG_PEEK with MSG_WAITALL on MPTCP sockets, or modify the code to remove those flags.
Enable a system watchdog or automatic reboot policy to recover from potential soft lockups, and monitor system logs for "soft lockup" or "watchdog" messages.

Generated by OpenCVE AI on May 2, 2026 at 11:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00017.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/58b58b9ba89c43914eea90c18928e51852d10c24
https://git.kernel.org/stable/c/5dd8025a49c268ab6b94d978532af3ad341132a7
https://git.kernel.org/stable/c/de3c248d1b69eaefa2d5b3da4005936dcf590f1b
https://lore.kernel.org/linux-cve-announce/2026050100-CVE-2026-43029-5cdf@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43029
https://www.cve.org/CVERecord?id=CVE-2026-43029

History

Sat, 02 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-606
References		https://lore.kernel.org/linux-cve-announce/2026050100-CVE-2026-43029-5cdf@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43029 https://www.cve.org/CVERecord?id=CVE-2026-43029
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Fri, 01 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: mptcp: fix soft lockup in mptcp_recvmsg() syzbot reported a soft lockup in mptcp_recvmsg() [0]. When receiving data with MSG_PEEK \| MSG_WAITALL flags, the skb is not removed from the sk_receive_queue. This causes sk_wait_data() to always find available data and never perform actual waiting, leading to a soft lockup. Fix this by adding a 'last' parameter to track the last peeked skb. This allows sk_wait_data() to make informed waiting decisions and prevent infinite loops when MSG_PEEK is used. [0]: watchdog: BUG: soft lockup - CPU#2 stuck for 156s! [server:1963] Modules linked in: CPU: 2 UID: 0 PID: 1963 Comm: server Not tainted 6.19.0-rc8 #61 PREEMPT(none) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:sk_wait_data+0x15/0x190 Code: 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 41 56 41 55 41 54 49 89 f4 55 48 89 d5 53 48 89 fb <48> 83 ec 30 65 48 8b 05 17 a4 6b 01 48 89 44 24 28 31 c0 65 48 8b RSP: 0018:ffffc90000603ca0 EFLAGS: 00000246 RAX: 0000000000000000 RBX: ffff888102bf0800 RCX: 0000000000000001 RDX: 0000000000000000 RSI: ffffc90000603d18 RDI: ffff888102bf0800 RBP: 0000000000000000 R08: 0000000000000002 R09: 0000000000000101 R10: 0000000000000000 R11: 0000000000000075 R12: ffffc90000603d18 R13: ffff888102bf0800 R14: ffff888102bf0800 R15: 0000000000000000 FS: 00007f6e38b8c4c0(0000) GS:ffff8881b877e000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055aa7bff1680 CR3: 0000000105cbe000 CR4: 00000000000006f0 Call Trace: <TASK> mptcp_recvmsg+0x547/0x8c0 net/mptcp/protocol.c:2329 inet_recvmsg+0x11f/0x130 net/ipv4/af_inet.c:891 sock_recvmsg+0x94/0xc0 net/socket.c:1100 __sys_recvfrom+0xb2/0x130 net/socket.c:2256 __x64_sys_recvfrom+0x1f/0x30 net/socket.c:2267 do_syscall_64+0x59/0x2d0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x76/0x7e arch/x86/entry/entry_64.S:131 RIP: 0033:0x7f6e386a4a1d Code: 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 8d 05 f1 de 2c 00 41 89 ca 8b 00 85 c0 75 20 45 31 c9 45 31 c0 b8 2d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 6b f3 c3 66 0f 1f 84 00 00 00 00 00 41 56 41 RSP: 002b:00007ffc3c4bb078 EFLAGS: 00000246 ORIG_RAX: 000000000000002d RAX: ffffffffffffffda RBX: 000000000000861e RCX: 00007f6e386a4a1d RDX: 00000000000003ff RSI: 00007ffc3c4bb150 RDI: 0000000000000004 RBP: 00007ffc3c4bb570 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000103 R11: 0000000000000246 R12: 00005605dbc00be0 R13: 00007ffc3c4bb650 R14: 0000000000000000 R15: 0000000000000000 </TASK>
Title		mptcp: fix soft lockup in mptcp_recvmsg()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/58b58b9ba89c43914eea90c18928e51852d10c24 https://git.kernel.org/stable/c/5dd8025a49c268ab6b94d978532af3ad341132a7 https://git.kernel.org/stable/c/de3c248d1b69eaefa2d5b3da4005936dcf590f1b

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-01T14:15:29.885Z

Updated: 2026-05-01T14:15:29.885Z

Reserved: 2026-05-01T14:12:55.976Z

Link: CVE-2026-43029

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-01T15:16:47.427

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-43029

Redhat

Severity : Moderate

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-43029 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-02T11:45:41Z

Weaknesses

CWE-606

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object