PatchSiren

CVE-2026-46168 Linux CVE debrief

A vulnerability in the Linux kernel's Multipath TCP (MPTCP) implementation could cause system instability through a scheduling-while-atomic condition. The issue occurs when setting socket timestamp options, where an atomic locking primitive was incorrectly used around functions that may sleep.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

Organizations running Linux systems with MPTCP enabled, particularly those using timestamp socket options for network diagnostics or performance monitoring. Cloud providers and hosting platforms with customer-controlled networking may face elevated risk if unprivileged users can trigger the vulnerable code path.

Technical summary

The MPTCP subsystem in the Linux kernel used lock_sock_fast() to protect timestamp socket option operations. This function provides atomic context locking, but the called helpers sock_set_timestamp() and sock_set_timestamping() can sleep. When a sleepable function is invoked in atomic context, the kernel's scheduler detects the violation and typically triggers a panic. The resolution replaces lock_sock_fast()/unlock_sock_fast() with lock_sock()/release_sock(), which properly allows sleeping. The presence of five stable kernel commits suggests this fix has been backported to multiple maintained kernel release branches.
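
Added example (not from the advisory or the kernel project): a Python triage helper that scans kernel log text for "BUG: scheduling while atomic" splats whose call trace passes through MPTCP, and reports whether the timestamp helpers named above appear in the trace. The log excerpt, process names, PIDs and offsets are constructed; the function name find_mptcp_timestamp_splats is hypothetical, and matching on mptcp_-prefixed frames is an assumption about how the affected path shows up in a trace.

```python
import re

# Constructed kernel log excerpt (not from a real system). Offsets, PIDs and
# the process names are made up; only the first splat passes through MPTCP.
SAMPLE_LOG = """\
[  101.000001] BUG: scheduling while atomic: diagtool/4242/0x00000201
[  101.000002] Call Trace:
[  101.000003]  <TASK>
[  101.000004]  __schedule+0x3a1/0x9c0
[  101.000005]  sock_set_timestamping+0x11c/0x2b0
[  101.000006]  mptcp_setsockopt+0x4d2/0xa10
[  101.000007]  </TASK>
[  230.500001] BUG: scheduling while atomic: kworker/1:2/77/0x00000002
[  230.500002] Call Trace:
[  230.500003]  __schedule+0x3a1/0x9c0
[  230.500004]  some_driver_irq+0x40/0x90
"""

# Header the scheduler prints: "<comm>/<pid>/<preempt_count>"; comm may contain '/'.
SPLAT = re.compile(r"BUG: scheduling while atomic: (.+)/(\d+)/0x[0-9a-fA-F]+\s*$")
# One call-trace frame: optional timestamp, optional "? ", then symbol+0xoff/0xsize.
FRAME = re.compile(r"^\s*(?:\[\s*\d+\.\d+\]\s*)?(?:\?\s*)?([A-Za-z_][\w.]*)\+0x[0-9a-fA-F]+/0x[0-9a-fA-F]+")
# Sleepable helpers named in the advisory text.
TS_HELPERS = ("sock_set_timestamp", "sock_set_timestamping")


def find_mptcp_timestamp_splats(log_text):
    """Return scheduling-while-atomic splats whose trace contains an mptcp_* frame."""
    splats, current = [], None
    for line in log_text.splitlines():
        header = SPLAT.search(line)
        if header:
            current = {"comm": header.group(1), "pid": int(header.group(2)), "frames": []}
            splats.append(current)
            continue
        frame = FRAME.match(line)
        if frame and current is not None:
            current["frames"].append(frame.group(1))
    hits = []
    for s in splats:
        if any(f.startswith("mptcp_") for f in s["frames"]):
            s["helpers"] = [f for f in s["frames"] if f in TS_HELPERS]
            hits.append(s)
    return hits


if __name__ == "__main__":
    for hit in find_mptcp_timestamp_splats(SAMPLE_LOG):
        print(hit["comm"], hit["pid"], hit["helpers"] or "no timestamp helper in trace")
```

Frames are attributed to the most recent splat header, so on a busy log the output is a triage lead to confirm against the full trace, not a verdict.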

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates containing the referenced stable commits when available from your Linux distribution
  • Monitor vendor security advisories for patched kernel versions
  • If running custom MPTCP-enabled kernels, review and apply the upstream fix
  • Consider disabling MPTCP if not required and patches are unavailable, though this may impact network functionality

Evidence notes

The vulnerability description indicates that lock_sock_fast() creates an atomic context, while sock_set_timestamp() and sock_set_timestamping() are sleepable operations. This mismatch can trigger a kernel panic. The fix replaces the atomic fast lock with sleepable lock_sock()/release_sock() primitives. Five stable kernel commits are referenced, suggesting backports to multiple supported kernel versions.

Official resources

2026-05-28