CVE-2026-45889 - Vulnerability Details

- mptcp: do not account for OoO in mptcp_rcvbuf_grow()

Description

In the Linux kernel, the following vulnerability has been resolved:

mptcp: do not account for OoO in mptcp_rcvbuf_grow()

MPTCP-level OoOs are physiological when multiple subflows are active
concurrently and will not cause retransmissions nor are caused by
drops.

Accounting for them in mptcp_rcvbuf_grow() causes the rcvbuf slowly
drifting towards tcp_rmem[2].

Remove such accounting. Note that subflows will still account for TCP-level
OoO when the MPTCP-level rcvbuf is propagated.

This also closes a subtle and very unlikely race condition with rcvspace
init; active sockets with user-space holding the msk-level socket lock,
could complete such initialization in the receive callback, after that the
first OoO data reaches the rcvbuf and potentially triggering a divide by
zero Oops.

Published: 2026-05-27

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a race condition in the Multi‑Path TCP (MPTCP) implementation of the Linux kernel. Out‑of‑order data is incorrectly counted in mptcp_rcvbuf_grow(), leading to a divide‑by‑zero error that triggers a kernel Oops and results in a system crash. This flaw does not give an attacker arbitrary code execution, but it can cause a denial‑of‑service if an attacker can force obsolete accounting by sending crafted MPTCP packets. The weakness is an arithmetic error and a race condition (CWE‑369, CWE‑362).

Affected Systems

The defect exists in the Linux kernel on all vendors that ship the upstream code with MPTCP support. Any system running the kernel before the fix and with MPTCP enabled is vulnerable. No specific version range is provided, so all such kernels are assumed affected until a kernel containing the patch is deployed.

Risk and Exploitability

The CVSS score is not available, and the EPSS score is not provided, so the precise likelihood of exploitation remains unknown. The issue is not listed in the CISA KEV catalog, indicating no confirmed exploitation in the wild. Although an attacker would need to orchestrate multiple MPTCP subflows and send out‑of‑order packets in a precise timing window to hit the race, the scenario is theoretically possible but unlikely to be actively abused.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`e118cdc34dd109562b64f6a397f68cd33b041d5b`	affected	< fb7bf00b04a6b48859f52035d4e745848c2b4c79
`e118cdc34dd109562b64f6a397f68cd33b041d5b`	affected	< 400ee4854adef1e4983812a3decf6717ea020136
`e118cdc34dd109562b64f6a397f68cd33b041d5b`	affected	< 6b329393502e5857662b851a13f947209c588587

Linux

affected

Version	Status	Constraints
`6.18`	affected	—
`0`	unaffected	< 6.18
`6.18.14`	unaffected	≤ 6.18.*
`6.19.4`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[e118cdc34dd109562b64f6a397f68cd33b041d5b,fb7bf00b04a6b48859f52035d4e745848c2b4c79)`	affected	code_commit	—
`[e118cdc34dd109562b64f6a397f68cd33b041d5b,400ee4854adef1e4983812a3decf6717ea020136)`	affected	code_commit	—
`[e118cdc34dd109562b64f6a397f68cd33b041d5b,6b329393502e5857662b851a13f947209c588587)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.18`	affected	generic	—
`[0,6.18)`	unaffected	generic	—
`[6.18.14,6.18.*]`	unaffected	generic	—
`[6.19.4,6.19.*]`	unaffected	generic	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that includes the MPTCP rcvbuf OoO accounting fix, as referenced in the kernel patch commits available at the provided URLs.
If an upgrade is not immediately possible, disable MPTCP by setting net.mptcp.mptcp_enabled=0 via sysctl or by using the appropriate kernel boot parameter, removing the vulnerable code path.
Apply network‑level mitigation by restricting or throttling MPTCP traffic to reduce the likelihood of a race condition being triggered, such as using firewall rules or rate limiting for TCP port 80/443 that use MPTCP.

Generated by OpenCVE AI on May 27, 2026 at 16:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/400ee4854adef1e4983812a3decf6717ea020136
https://git.kernel.org/stable/c/6b329393502e5857662b851a13f947209c588587
https://git.kernel.org/stable/c/fb7bf00b04a6b48859f52035d4e745848c2b4c79

History

Wed, 27 May 2026 16:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-362 CWE-369

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: mptcp: do not account for OoO in mptcp_rcvbuf_grow() MPTCP-level OoOs are physiological when multiple subflows are active concurrently and will not cause retransmissions nor are caused by drops. Accounting for them in mptcp_rcvbuf_grow() causes the rcvbuf slowly drifting towards tcp_rmem[2]. Remove such accounting. Note that subflows will still account for TCP-level OoO when the MPTCP-level rcvbuf is propagated. This also closes a subtle and very unlikely race condition with rcvspace init; active sockets with user-space holding the msk-level socket lock, could complete such initialization in the receive callback, after that the first OoO data reaches the rcvbuf and potentially triggering a divide by zero Oops.
Title		mptcp: do not account for OoO in mptcp_rcvbuf_grow()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/400ee4854adef1e4983812a3decf6717ea020136 https://git.kernel.org/stable/c/6b329393502e5857662b851a13f947209c588587 https://git.kernel.org/stable/c/fb7bf00b04a6b48859f52035d4e745848c2b4c79

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:17:00.509Z

Updated: 2026-05-27T12:17:00.509Z

Reserved: 2026-05-13T15:03:33.082Z

Link: CVE-2026-45889

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:02.927

Modified: 2026-05-27T14:48:31.480

Link: CVE-2026-45889

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T17:45:32Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object