PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45889 Linux CVE debrief

A vulnerability in the Linux kernel's Multipath TCP (MPTCP) implementation could lead to a divide-by-zero kernel oops under specific race conditions. The issue stems from improper accounting of out-of-order (OoO) packets in the `mptcp_rcvbuf_grow()` function. MPTCP-level OoO packets are normal when multiple subflows are active and do not indicate packet loss or require retransmissions. However, accounting for them caused the receive buffer to gradually increase toward the maximum TCP receive memory limit (`tcp_rmem[2]`). More critically, this created a race condition where active sockets with userspace holding the MPTCP socket lock could complete receive space initialization in the receive callback after the first OoO data arrived, potentially triggering a divide-by-zero oops. The fix removes OoO accounting from `mptcp_rcvbuf_grow()` while preserving TCP-level OoO accounting on individual subflows when the MPTCP-level receive buffer is propagated.

Vendor
Linux
Product
Unknown
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

Linux system administrators running kernels with MPTCP enabled, particularly those using multipath TCP for redundancy or bandwidth aggregation across multiple network interfaces. Cloud providers and hosting environments offering MPTCP-enabled services should prioritize patching.

Technical summary

The vulnerability exists in the Linux kernel's MPTCP (Multipath TCP) subsystem, specifically in the `mptcp_rcvbuf_grow()` function. MPTCP allows a single TCP connection to use multiple network paths simultaneously, which naturally produces out-of-order packets at the MPTCP level as data arrives from different subflows at different times. Unlike TCP-level OoO packets, these MPTCP-level OoO packets are expected behavior and do not indicate congestion or packet loss. The flawed accounting treated these normal MPTCP OoO packets as indicators of network problems, causing the receive buffer to grow unnecessarily toward `tcp_rmem[2]`. Additionally, a race condition existed where the receive space initialization could complete after OoO data arrived, leading to a potential divide-by-zero kernel oops. The fix removes MPTCP-level OoO accounting from `mptcp_rcvbuf_grow()` while maintaining proper TCP-level OoO accounting on subflows.

Defensive priority

medium

Recommended defensive actions

  • Apply the relevant kernel patch from the stable kernel tree to affected systems running MPTCP
  • Monitor kernel logs for any MPTCP-related oops or divide-by-zero errors on systems prior to patching
  • Review MPTCP receive buffer configurations if experiencing unexpected memory growth on multi-subflow connections
  • Consider disabling MPTCP if not required and patching is not immediately feasible, though this may impact connectivity features that depend on multipath TCP

Evidence notes

The CVE description and kernel commit references confirm this is a resolved Linux kernel vulnerability affecting MPTCP. The fix removes problematic OoO accounting that caused both memory drift and a potential divide-by-zero race condition. Three stable kernel commits are referenced, indicating backports to multiple kernel versions.

Official resources

2026-05-27