Description
In the Linux kernel, the following vulnerability has been resolved:

mptcp: pm: ADD_ADDR rtx: free sk if last

When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(),
and released at the end.

If at that moment, it was the last reference being held, the sk would
not be freed. sock_put() should then be called instead of __sock_put().

But that's not enough: if it is the last reference, sock_put() will call
sk_free(), which will end up calling sk_stop_timer_sync() on the same
timer, and waiting indefinitely to finish. So it is needed to mark that
the timer is done at the end of the timer handler when it has not been
rescheduled, not to call sk_stop_timer_sync() on "itself".
Published: 2026-05-28
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Linux kernel’s Multipath TCP handling of retransmitted ADD_ADDR messages. When a retransmission occurs, the socket structure is placed on a retry timer and released only at the timer’s completion. If this socket is the last reference, the code incorrectly releases it, leading the kernel to wait indefinitely for a timer that has already finished. This deadlock can cause the system or affected process to hang, preventing further network communication and potentially exhausting resources. The primary consequence is a denial of service that could be triggered during normal MPTCP operation.

Affected Systems

All Linux kernel implementations (Linux:Linux) are affected, as the issue is observed in the core kernel code. No specific version ranges are listed; any kernel build containing the buggy code path is susceptible.

Risk and Exploitability

The bug has an EPSS score of less than 1%, and it is not listed in the CISA KEV catalog. The CVSS score of 5.5 indicates a moderate level of severity. Because the flaw involves kernel memory management and timer handling, exploitation requires the ability to trigger a retransmission of an ADD_ADDR packet and to hold the last reference to the socket. This likely demands local privilege escalation or the execution of privileged code on the host. The attack vector is inferred to be a local kernel exploit rather than an externally reachable network service, given the internal nature of the fault.

Generated by OpenCVE AI on June 11, 2026 at 19:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Linux kernel release that contains the fix for the ADD_ADDR retry handling
  • If an immediate kernel upgrade is not possible, restrict or audit processes that trigger MPTCP ADD_ADDR retransmissions to mitigate potential hangs
  • Consult the kernel commit history or vendor advisories for the exact patch reference and apply it accordingly

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Mon, 01 Jun 2026 17:00:00 +0000


Fri, 29 May 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-540
CWE-589

Fri, 29 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-911
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Thu, 28 May 2026 13:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-540
CWE-589

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: ADD_ADDR rtx: free sk if last When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(), and released at the end. If at that moment, it was the last reference being held, the sk would not be freed. sock_put() should then be called instead of __sock_put(). But that's not enough: if it is the last reference, sock_put() will call sk_free(), which will end up calling sk_stop_timer_sync() on the same timer, and waiting indefinitely to finish. So it is needed to mark that the timer is done at the end of the timer handler when it has not been rescheduled, not to call sk_stop_timer_sync() on "itself".
Title mptcp: pm: ADD_ADDR rtx: free sk if last
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:59:51.915Z

Reserved: 2026-05-13T15:03:33.103Z

Link: CVE-2026-46170

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-28T10:16:32.650

Modified: 2026-06-11T12:19:56.883

Link: CVE-2026-46170

Redhat

Severity : Moderate

Public Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46170 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-11T19:45:37Z

Weaknesses