CVE-2026-53183 - Vulnerability Details

- mptcp: allow subflow rcv wnd to shrink

Description

In the Linux kernel, the following vulnerability has been resolved:

mptcp: allow subflow rcv wnd to shrink

In MPTCP connection, the `window` field in the TCP header refers to the
MPTCP-level rcv_nxt and it's right edge should not move backward. Such
constraint is enforced at DSS option generation time.

At the same time, the TCP stack ensures independently that the TCP-level
rcv wnd right's edge does not move backward. That in turn causes artificial
inflating of the MPTCP rcv window when the incoming data is acked at the
TCP level and is OoO in the MPTCP sequence space (or lands in the backlog).

As a consequence, the incoming traffic can exceed the receiver rcvbuf size
even when the sender is not misbehaving.

Prevent such scenario forcibly allowing the TCP subflow to shrink the
TCP-level rcv wnd regardless of the current netns setting.

Published: 2026-06-25

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw resides in the Linux kernel’s MPTCP implementation, where a TCP subflow’s receive window can shrink even when the network namespace setting forbids it. This causes the MPTCP receive window to become artificially inflated, permitting incoming traffic to exceed the receiver buffer size even when the sender is not misbehaving, potentially leading to service disruption.

Affected Systems

Linux kernel versions before the fix; the CVE does not list specific affected releases, but the issue was resolved in later kernel versions.

Risk and Exploitability

The CVSS score is 5.5 and the EPSS score is < 1%, indicating a low exploitation probability. The vulnerability is not catalogued in CISA KEV. An attacker with the ability to initiate or influence an MPTCP connection from an external source could craft traffic that triggers the over‑inflated receive window, potentially leading to service disruption or resource exhaustion.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`f3589be0c420a3137e5902d15705ced6a36f3f43`	affected	< bf364b0f10b27679140699821f88af7f01e2a6e3
`f3589be0c420a3137e5902d15705ced6a36f3f43`	affected	< b1fd13074f22105deec45aa02283e322733e0c2d
`f3589be0c420a3137e5902d15705ced6a36f3f43`	affected	< aa3861f40ac32706d9e97bfac76984613e278788
`f3589be0c420a3137e5902d15705ced6a36f3f43`	affected	< 653245266913f03fcf21cbca68eed5c197a33e52
`f3589be0c420a3137e5902d15705ced6a36f3f43`	affected	< c297a4e65c50a2b807d9309b22615080faffa8f3
`f3589be0c420a3137e5902d15705ced6a36f3f43`	affected	< da23be77e1292cd611e736c3aa17da633d7ddce7

Linux

affected

Version	Status	Constraints
`5.19`	affected	—
`0`	unaffected	< 5.19
`6.1.176`	unaffected	≤ 6.1.*
`6.6.143`	unaffected	≤ 6.6.*
`6.12.94`	unaffected	≤ 6.12.*
`6.18.36`	unaffected	≤ 6.18.*
`7.0.13`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[f3589be0c420a3137e5902d15705ced6a36f3f43,bf364b0f10b27679140699821f88af7f01e2a6e3)`	affected	code_commit	—
`[f3589be0c420a3137e5902d15705ced6a36f3f43,b1fd13074f22105deec45aa02283e322733e0c2d)`	affected	code_commit	—
`[f3589be0c420a3137e5902d15705ced6a36f3f43,aa3861f40ac32706d9e97bfac76984613e278788)`	affected	code_commit	—
`[f3589be0c420a3137e5902d15705ced6a36f3f43,653245266913f03fcf21cbca68eed5c197a33e52)`	affected	code_commit	—
`[f3589be0c420a3137e5902d15705ced6a36f3f43,c297a4e65c50a2b807d9309b22615080faffa8f3)`	affected	code_commit	—
`[f3589be0c420a3137e5902d15705ced6a36f3f43,da23be77e1292cd611e736c3aa17da633d7ddce7)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.19`	affected	generic	—
`[0,5.19)`	unaffected	generic	—
`[6.1.176,6.2.0)`	unaffected	semver	—
`[6.6.143,6.7.0)`	unaffected	semver	—
`[6.12.94,6.13.0)`	unaffected	semver	—
`[6.18.36,6.19.0)`	unaffected	semver	—
`[7.0.13,7.1.0)`	unaffected	semver	—
`[7.1,*)`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a release that includes the MPTCP receive‑window shrink fix.
If a kernel upgrade cannot be performed immediately, disable MPTCP by setting the sysctl parameter net.mptcp.enable=0 or by removing the MPTCP kernel module.
Apply firewall rules to block MPTCP traffic from untrusted networks until the patched kernel is deployed.

Generated by OpenCVE AI on June 26, 2026 at 13:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0018.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/653245266913f03fcf21cbca68eed5c197a33e52
https://git.kernel.org/stable/c/aa3861f40ac32706d9e97bfac76984613e278788
https://git.kernel.org/stable/c/b1fd13074f22105deec45aa02283e322733e0c2d
https://git.kernel.org/stable/c/bf364b0f10b27679140699821f88af7f01e2a6e3
https://git.kernel.org/stable/c/c297a4e65c50a2b807d9309b22615080faffa8f3
https://git.kernel.org/stable/c/da23be77e1292cd611e736c3aa17da633d7ddce7
https://lore.kernel.org/linux-cve-announce/2026062555-CVE-2026-53183-a7a3@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-53183
https://www.cve.org/CVERecord?id=CVE-2026-53183

History

Fri, 26 Jun 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-131
References		https://lore.kernel.org/linux-cve-announce/2026062555-CVE-2026-53183-a7a3@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-53183 https://www.cve.org/CVERecord?id=CVE-2026-53183
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Thu, 25 Jun 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: mptcp: allow subflow rcv wnd to shrink In MPTCP connection, the `window` field in the TCP header refers to the MPTCP-level rcv_nxt and it's right edge should not move backward. Such constraint is enforced at DSS option generation time. At the same time, the TCP stack ensures independently that the TCP-level rcv wnd right's edge does not move backward. That in turn causes artificial inflating of the MPTCP rcv window when the incoming data is acked at the TCP level and is OoO in the MPTCP sequence space (or lands in the backlog). As a consequence, the incoming traffic can exceed the receiver rcvbuf size even when the sender is not misbehaving. Prevent such scenario forcibly allowing the TCP subflow to shrink the TCP-level rcv wnd regardless of the current netns setting.
Title		mptcp: allow subflow rcv wnd to shrink
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/653245266913f03fcf21cbca68eed5c197a33e52 https://git.kernel.org/stable/c/aa3861f40ac32706d9e97bfac76984613e278788 https://git.kernel.org/stable/c/b1fd13074f22105deec45aa02283e322733e0c2d https://git.kernel.org/stable/c/bf364b0f10b27679140699821f88af7f01e2a6e3 https://git.kernel.org/stable/c/c297a4e65c50a2b807d9309b22615080faffa8f3 https://git.kernel.org/stable/c/da23be77e1292cd611e736c3aa17da633d7ddce7

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-25T08:38:57.443Z

Updated: 2026-06-25T08:38:57.443Z

Reserved: 2026-06-09T07:44:35.390Z

Link: CVE-2026-53183

Vulnrichment

No data.

NVD

No data.

Redhat

Severity : Moderate

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53183 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-26T14:00:22Z

Weaknesses

CWE-131
Incorrect Calculation of Buffer Size

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object