PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46137 Linux CVE debrief

A race condition vulnerability in the Linux kernel's Multipath TCP (MPTCP) path manager could allow data corruption or undefined behavior. The mptcp_pm_add_timer() helper function, executed as a timer callback in softirq context, lacked proper socket locking with bh_lock_sock(), creating a potential data race when the socket is concurrently in use. The fix implements retry logic similar to the keepalive timer when the socket is busy, ensuring proper synchronization. This affects MPTCP's ADD_ADDR retransmission functionality.

Vendor: Linux
Product: Unknown
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-30
Advisory published: 2026-05-28
Advisory updated: 2026-05-30

Who should care

Linux kernel maintainers, network infrastructure operators using MPTCP, cloud providers offering multipath TCP services, and organizations with custom kernel builds utilizing MPTCP path management features.

Technical summary

The vulnerability exists in mptcp_pm_add_timer(), a timer callback running in softirq context within the MPTCP (Multipath TCP) path manager. The function handles ADD_ADDR (add address) retransmissions but failed to acquire the socket lock using bh_lock_sock(), leading to potential data races when the socket is simultaneously in use by other kernel paths. The resolution adds proper bottom-half socket locking and implements retry logic—mirroring the keepalive timer behavior—when the socket cannot be immediately locked. Five stable kernel commits address this across affected versions.
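The following is an added user-space model of the locking pattern described above (the same pattern the opening summary refers to); it is not the kernel's code and not taken from the fixing commits. The struct and function names are stand-ins chosen for this example: the atomic flag models bh_lock_sock()/bh_unlock_sock(), the owned_by_user field models sock_owned_by_user(), and setting timer_rearm_ticks models rearming the timer the way the TCP keepalive timer does when it finds the socket busy. It contrasts the shape of the unguarded callback with the guarded one, so a reviewer can see what "retry when the socket is busy" means in control flow.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for the kernel's struct sock (assumption: field names are invented
 * for this model). bh_lock models bh_lock_sock()/bh_unlock_sock();
 * owned_by_user models sock_owned_by_user(), i.e. process context currently
 * holds the socket and may be modifying path-manager state. */
struct model_sock {
    atomic_flag bh_lock;
    bool owned_by_user;
    unsigned int add_addr_retrans;    /* ADD_ADDR retransmissions sent */
    unsigned int timer_rearm_ticks;   /* non-zero: timer was rearmed for later */
};

enum timer_result { TIMER_DID_WORK = 0, TIMER_RETRY_LATER = 1 };

/* Constructed retry delay for the model; the real keepalive timer also
 * uses a short fixed delay before trying again. */
#define RETRY_TICKS 5

void model_sock_init(struct model_sock *sk)
{
    atomic_flag_clear(&sk->bh_lock);
    sk->owned_by_user = false;
    sk->add_addr_retrans = 0;
    sk->timer_rearm_ticks = 0;
}

static void bh_lock(struct model_sock *sk)
{
    while (atomic_flag_test_and_set(&sk->bh_lock))
        ;   /* spin, as a kernel spinlock would */
}

static void bh_unlock(struct model_sock *sk)
{
    atomic_flag_clear(&sk->bh_lock);
}

/* Shape of the vulnerable callback: no bottom-half lock and no ownership
 * check, so it mutates path-manager state even while process context is in
 * the middle of using the same socket. */
enum timer_result add_timer_unlocked(struct model_sock *sk)
{
    sk->add_addr_retrans++;
    return TIMER_DID_WORK;
}

/* Shape of the fixed callback: take the bottom-half lock; if the socket is
 * owned by user context, rearm the timer and leave shared state untouched. */
enum timer_result add_timer_locked(struct model_sock *sk)
{
    enum timer_result r;

    bh_lock(sk);
    if (sk->owned_by_user) {
        sk->timer_rearm_ticks = RETRY_TICKS;   /* models rearming the timer */
        r = TIMER_RETRY_LATER;
    } else {
        sk->timer_rearm_ticks = 0;
        sk->add_addr_retrans++;
        r = TIMER_DID_WORK;
    }
    bh_unlock(sk);
    return r;
}

/* Run one callback while process context "owns" the socket and report
 * whether it touched shared state anyway (1 = unsafe, 0 = safe). */
int touched_while_owned(enum timer_result (*cb)(struct model_sock *))
{
    struct model_sock sk;

    model_sock_init(&sk);
    sk.owned_by_user = true;
    cb(&sk);
    return sk.add_addr_retrans != 0;
}

int main(void)
{
    printf("unlocked callback touches owned socket: %d\n",
           touched_while_owned(add_timer_unlocked));
    printf("locked callback touches owned socket:   %d\n",
           touched_while_owned(add_timer_locked));
    return 0;
}
```

The guarded version is the one to look for when reviewing a backport: the timer callback must take the bottom-half lock, test ownership, and defer rather than proceed, and the deferred path must actually rearm the timer so the ADD_ADDR retransmission is not silently dropped.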

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates from official Linux stable branches when available
  • Monitor distribution security advisories for backported fixes
  • Review MPTCP configurations for critical path manager deployments
  • Validate kernel lockdep testing in staging environments
  • Consider disabling MPTCP if not required until patches are applied

Evidence notes

Official CVE record published 2026-05-28. Kernel.org git commits confirm the fix was applied to stable kernel branches. No CVSS score or severity assigned by NVD at time of disclosure (status: Awaiting Analysis).

Official resources

2026-05-28