CVE-2026-46137 Overview
CVE-2026-46137 is a data race vulnerability in the Linux kernel's Multipath TCP (MPTCP) path manager. The flaw resides in the mptcp_pm_add_timer() helper, which runs as a timer callback in softirq context. Without holding the socket lock via bh_lock_sock(), concurrent access to socket state can produce a race condition between the timer callback and other socket operations.
The upstream fix synchronizes timer execution with socket locking and reschedules the timer when the socket is in use, mirroring the approach used by the keepalive timer. The issue affects kernels that ship the MPTCP ADD_ADDR retransmission path.
Critical Impact
A race between the ADD_ADDR retransmission timer and concurrent socket activity can cause inconsistent MPTCP path manager state on systems using Multipath TCP.
Affected Products
- Linux kernel with MPTCP support enabled
- Stable kernel branches receiving the referenced backport commits
- Distributions shipping kernels prior to the patch commits
Discovery Timeline
- 2026-05-28 - CVE-2026-46137 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-46137
Vulnerability Analysis
The vulnerability is a kernel race condition [CWE-362] in the MPTCP path manager subsystem. MPTCP uses ADD_ADDR options to advertise additional addresses for subflows, and the kernel retransmits these advertisements through a timer. The mptcp_pm_add_timer() callback executes in softirq context and touches socket-associated state without acquiring the bottom-half socket lock.
When the timer fires concurrently with a process-context operation on the same socket, both contexts can read and modify shared path manager fields. The result is an unsynchronized data race that can corrupt timer or path manager state.
Root Cause
The root cause is missing synchronization between a softirq timer callback and process-context socket access. The original implementation did not call bh_lock_sock() before touching the socket inside mptcp_pm_add_timer(). The fix acquires the lock in softirq context and, when the socket is owned by another context, reschedules the timer to run shortly afterward.
Attack Vector
This is a kernel concurrency defect rather than a directly exploitable remote vector. Triggering the race requires an active MPTCP connection with ADD_ADDR retransmissions occurring while the socket is concurrently accessed. The vulnerability impacts integrity of MPTCP state on affected kernels.
No public proof-of-concept code is referenced in the advisory. The vulnerability mechanism is described directly in the upstream commit messages linked under the references. See the kernel commits, including Kernel Git Commit 6e4710d, for the precise locking change.
Detection Methods for CVE-2026-46137
Indicators of Compromise
- No file-based or network-based indicators of compromise apply to this kernel race condition.
- KCSAN (Kernel Concurrency Sanitizer) reports referencing mptcp_pm_add_timer on instrumented kernels indicate the underlying race.
- Unexpected MPTCP path manager state transitions or kernel warnings in dmesg related to MPTCP timers warrant investigation.
Detection Strategies
- Inventory running kernels and compare their version and patch level against the fix commits listed in the references.
- Use distribution package management tooling to confirm whether the relevant stable kernel update is installed.
- For development and test fleets, run KCSAN-enabled kernels under MPTCP workloads to surface residual races.
Monitoring Recommendations
- Monitor kernel logs for MPTCP-related warnings, soft lockups, or unusual subflow behavior on hosts using Multipath TCP.
- Track kernel package versions across the fleet through configuration management to identify unpatched hosts.
- Alert on kernel panics or oops events that include MPTCP path manager symbols in the backtrace.
How to Mitigate CVE-2026-46137
Immediate Actions Required
- Identify hosts running kernels with MPTCP enabled and confirm whether the fix has been backported.
- Apply the latest stable kernel update from your Linux distribution that includes the referenced commits.
- Reboot affected systems after installing the updated kernel package to load the patched code.
Patch Information
The fix is delivered through upstream stable kernel commits. Relevant references include Kernel Git Commit 013dcdc, Kernel Git Commit 2ad56e4, Kernel Git Commit 5cd6e0a, Kernel Git Commit 6e4710d, and Kernel Git Commit cc3c039. The patch acquires bh_lock_sock() in the timer callback and reschedules the timer when the socket is in use.
Workarounds
- Disable MPTCP on hosts that do not require it by setting net.mptcp.enabled=0 via sysctl until the kernel is patched.
- Avoid enabling MPTCP path manager ADD_ADDR advertisements on hosts that cannot be promptly updated.
- Restrict workloads that rely on MPTCP to patched kernels only.
# Configuration example: disable MPTCP as a temporary workaround
sudo sysctl -w net.mptcp.enabled=0
echo 'net.mptcp.enabled=0' | sudo tee /etc/sysctl.d/99-disable-mptcp.conf
# Verify current kernel version against patched releases
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
