Description
In the Linux kernel, the following vulnerability has been resolved:

mptcp: pm: ADD_ADDR rtx: fix potential data-race

This mptcp_pm_add_timer() helper is executed as a timer callback in
softirq context. To avoid any data races, the socket lock needs to be
held with bh_lock_sock().

If the socket is in use, retry again soon after, similar to what is done
with the keepalive timer.
Published: 2026-05-28
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from a race condition in the Linux kernel’s mptcp_pm_add_timer helper, which is executed as a timer callback in softirq context without acquiring the socket lock via bh_lock_sock(). The resulting concurrent modification of socket data structures can lead to data corruption, instability, or denial of service. This flaw is a data‑race weakness, classified as CWE‑821. Based on the documentation, it is inferred that an attacker could trigger the race by generating rapid socket activity, though no confirmed exploitation is reported.

Affected Systems

The affected systems are Linux kernel deployments that do not include the patch adding the bh_lock_sock() guard to the MPTCP logic. All kernel versions prior to the commit that introduced this protection, regardless of vendor specialization, are potentially vulnerable.

Risk and Exploitability

The CVSS score of 9.8 and the EPSS score of < 1% indicate high severity with low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the likely attack vector is local or remote with sufficient network activity to trigger the race in the timer callback. Attackers could attempt to cause rapid MPTCP socket operations to induce the race, potentially leading to system instability or denial of service. No successful exploitation has been documented, but the high severity means the flaw should be addressed promptly.

Generated by OpenCVE AI on May 30, 2026 at 14:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that includes the bh_lock_sock() protection for mptcp_pm_add_timer (for example, use the latest stable release or apply the commit referenced at https://git.kernel.org/stable/c/013dcdc1961543b9a3433466bc8c79a2f4ca75b5).
  • If an immediate kernel upgrade is not possible, apply the commit that adds the bh_lock_sock() guard directly to the kernel source, rebuild the kernel, and install the patched build.
  • Disable MPTCP support by setting CONFIG_MPTCP=n in the kernel configuration or by disabling it at runtime with /proc/sys/net/mptcp/mptcp_enabled set to 0 to reduce exposure.

Generated by OpenCVE AI on May 30, 2026 at 14:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 30 May 2026 11:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Fri, 29 May 2026 02:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Fri, 29 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-821
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Thu, 28 May 2026 12:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: ADD_ADDR rtx: fix potential data-race This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock(). If the socket is in use, retry again soon after, similar to what is done with the keepalive timer.
Title mptcp: pm: ADD_ADDR rtx: fix potential data-race
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:57:13.527Z

Reserved: 2026-05-13T15:03:33.100Z

Link: CVE-2026-46137

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-28T10:16:29.263

Modified: 2026-05-30T11:17:23.407

Link: CVE-2026-46137

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46137 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-30T15:00:07Z

Weaknesses
  • CWE-821

    Incorrect Synchronization