PatchSiren cyber security CVE debrief
CVE-2026-46170 Linux CVE debrief
A reference counting and timer synchronization vulnerability in the Linux kernel's Multipath TCP (MPTCP) path manager could cause socket memory leaks or indefinite hangs during ADD_ADDR retransmission handling. The flaw occurs when an ADD_ADDR retransmission timer holds the last reference to a socket; improper reference release and subsequent timer synchronization attempts lead to resource exhaustion or deadlock conditions.
- Vendor: Linux
- Product: Unknown
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-28
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-28
Who should care
- Linux system administrators running kernels with MPTCP enabled
- Network infrastructure teams utilizing multipath TCP for redundancy or bandwidth aggregation
- Security teams tracking kernel-level networking vulnerabilities
- Organizations with custom kernel builds requiring manual patch application
Technical summary
The vulnerability is in the ADD_ADDR retransmission handling of the MPTCP (Multipath TCP) path manager. When an ADD_ADDR retransmission is scheduled, the socket is held via sk_reset_timer() and that reference is released at the end of the timer handler. If it is the last reference, __sock_put() only decrements the count and never frees the socket, so the socket leaks. Switching to sock_put() would correctly trigger sk_free() on the last reference, but that alone introduces a second problem: sk_free() calls sk_stop_timer_sync() on the same timer, and because the timer handler is still executing, the call waits indefinitely on itself. The fix therefore does two things: it marks the timer as complete when it is not rescheduled, so sk_stop_timer_sync() does not wait on the running handler, and it uses sock_put() instead of __sock_put() so the socket is actually freed when the last reference is released.
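The two failure modes and the two-part fix are easiest to see side by side. The following is a constructed user-space C model added to this debrief; it is not kernel code, and the model_* helpers are simplified stand-ins for the kernel functions named above (sock_put, __sock_put, sk_free, sk_stop_timer_sync), with a flag standing in for "the handler is still running".

```c
#include <stdbool.h>
/* Constructed user-space model of the interaction described above, not kernel
 * code: a socket with a reference count and an ADD_ADDR retransmit timer whose
 * handler holds one reference while it runs. */
struct model_sock {
    int  refcnt;         /* stands in for sk_refcnt */
    bool handler_active; /* handler still executing and not marked complete */
    bool freed;          /* model sk_free() completed */
};
enum outcome { OUT_OK, OUT_LEAKED, OUT_HANG };
/* sk_stop_timer_sync() waits for a running handler; called from that very
 * handler the wait never ends, so the model reports it instead of blocking. */
static bool model_stop_timer_sync(struct model_sock *sk) { return !sk->handler_active; }

/* sk_free() must stop the timer synchronously before freeing. */
static bool model_sk_free(struct model_sock *sk)
{
    if (!model_stop_timer_sync(sk))
        return false;
    sk->freed = true;
    return true;
}

/* sock_put(): drop one reference and free on the last one. */
static bool model_sock_put(struct model_sock *sk)
{
    return (--sk->refcnt == 0) ? model_sk_free(sk) : true;
}

/* __sock_put(): drop one reference only; it never frees. */
static void model___sock_put(struct model_sock *sk) { sk->refcnt--; }

/* End of the ADD_ADDR timer handler when the timer is not rescheduled.
 * use_sock_put and mark_complete select the original or the fixed behaviour;
 * last_ref says whether the timer held the socket's final reference. */
enum outcome add_addr_timer_end(bool use_sock_put, bool mark_complete, bool last_ref)
{
    struct model_sock sk = { last_ref ? 1 : 2, true, false };
    if (mark_complete)       /* fix, part 1: mark the timer complete first */
        sk.handler_active = false;
    if (use_sock_put) {      /* fix, part 2: sock_put() instead of __sock_put() */
        if (!model_sock_put(&sk))
            return OUT_HANG; /* sock_put() alone: sk_free() waits on itself */
    } else {
        model___sock_put(&sk);
    }
    if (sk.refcnt == 0 && !sk.freed)
        return OUT_LEAKED;   /* original code: last reference dropped, never freed */
    return OUT_OK;
}
```

Calling add_addr_timer_end() with the original combination (__sock_put, no completion mark) on a last reference reports the leak, sock_put() alone reports the hang, and only both parts of the fix together give a clean free.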
Defensive priority
medium
Recommended defensive actions
- Apply kernel updates containing the referenced stable commits when available from distribution vendors
- Monitor Linux distribution security advisories for backported fixes to currently deployed kernel versions
- Review systems utilizing MPTCP for path management functionality to assess exposure
- Consider disabling MPTCP if not required until patches can be applied
- Validate kernel patch levels through standard system update mechanisms
Evidence notes
The vulnerability description indicates a fix has been committed to the Linux kernel stable branches. Three kernel.org stable commit references are provided, suggesting backports to multiple kernel versions. The CVE was published and modified on 2026-05-28, with NVD status 'Awaiting Analysis' at time of disclosure.
Official resources
- CVE-2026-46170 CVE record (CVE.org)
- CVE-2026-46170 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
2026-05-28