Description
In the Linux kernel, the following vulnerability has been resolved:

mptcp: pm: ADD_ADDR rtx: always decrease sk refcount

When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer().
It should then be released in all cases at the end.

Some (unlikely) checks were returning directly instead of calling
sock_put() to decrease the refcount. Jump to a new 'exit' label to call
__sock_put() (which will become sock_put() in the next commit) to fix
this potential leak.

While at it, drop the '!msk' check which cannot happen because it is
never reset, and explicitly mark the remaining one as "unlikely".
Published: 2026-05-28
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An issue in the Linux kernel's Multipath TCP implementation caused the reference count for sockets used in ADD_ADDR retransmissions to be decreased incorrectly, which can allow sockets to remain allocated indefinitely. The resulting memory leak can grow kernel memory consumption until the system exhausts available resources, potentially leading to a denial‑of‑service condition if the leak is pronounced. The vulnerability is a flaw in resource management, directly impacting kernel stability and availability.

Affected Systems

The flaw exists in the Linux kernel's MPTCP subsystem and affects any kernel version prior to the commit that corrected the reference count handling. No specific kernel release is listed, so all affected kernels before the patch are at risk. The vulnerability is present on all Linux systems that have MPTCP enabled and have not been updated to the fixed version.

Risk and Exploitability

The EPSS score is < 1%, indicating a very low exploitation probability. The vulnerability is not listed in the CISA KEV catalog. The CVSS score of 5.5 indicates a medium severity, but the kernel-level nature of the flaw and its ability to leak memory still pose a serious threat. Based on the description, the likely attack vector is an attacker capable of sending crafted or retransmitted MPTCP ADD_ADDR packets to the target, which would require either local or remote network access to the kernel. Because the exploit requires repeated retransmissions, it is considered unlikely to be widely abused, yet the impact if successful would be significant.

Generated by OpenCVE AI on June 9, 2026 at 23:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that contains the patch for the ADD_ADDR refcount issue
  • If an immediate kernel upgrade is not viable, consider disabling or limiting MPTCP to prevent the vulnerable code path from being exercised
  • Monitor kernel memory usage for abnormal growth that may indicate the leak is occurring

Generated by OpenCVE AI on June 9, 2026 at 23:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Mon, 01 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
References

Fri, 29 May 2026 04:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401

Fri, 29 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-911
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Thu, 28 May 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: ADD_ADDR rtx: always decrease sk refcount When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(). It should then be released in all cases at the end. Some (unlikely) checks were returning directly instead of calling sock_put() to decrease the refcount. Jump to a new 'exit' label to call __sock_put() (which will become sock_put() in the next commit) to fix this potential leak. While at it, drop the '!msk' check which cannot happen because it is never reset, and explicitly mark the remaining one as "unlikely".
Title mptcp: pm: ADD_ADDR rtx: always decrease sk refcount
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:58:53.619Z

Reserved: 2026-05-13T15:03:33.102Z

Link: CVE-2026-46158

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-28T10:16:31.460

Modified: 2026-06-09T21:02:30.857

Link: CVE-2026-46158

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46158 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T23:30:05Z

Weaknesses