CVE-2026-46158 Overview
CVE-2026-46158 is a socket reference count leak in the Linux kernel's Multipath TCP (MPTCP) path manager. The flaw resides in the ADD_ADDR retransmission logic, where the socket is held via sk_reset_timer() but not consistently released on all return paths. Specific unlikely condition checks returned early without calling sock_put(), leaving the socket reference count incremented. Over time, repeated triggering of these paths can prevent socket structures from being freed, resulting in resource exhaustion in the kernel networking stack.
Critical Impact
Repeated ADD_ADDR retransmissions on affected systems can leak kernel socket references, leading to memory pressure and potential denial-of-service conditions on hosts using MPTCP.
Affected Products
- Linux kernel versions containing the MPTCP path manager ADD_ADDR retransmission logic prior to the referenced fix commits
- Distributions shipping affected stable kernel branches
- Systems with MPTCP enabled in production networking workloads
Discovery Timeline
- 2026-05-28 - CVE CVE-2026-46158 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-46158
Vulnerability Analysis
Multipath TCP (MPTCP) extends standard TCP to allow simultaneous use of multiple network paths between endpoints. The ADD_ADDR option advertises additional addresses to the peer. When the kernel does not receive an acknowledgment, it retransmits the option using a timer.
The kernel calls sk_reset_timer() to schedule the retransmission, which increases the socket reference count to keep the sock structure alive until the timer fires. The timer callback is then expected to release the reference via sock_put() once handling completes.
In the affected code, certain unlikely sanity checks inside the callback returned directly without calling sock_put(). Each occurrence of these paths leaked one reference on the parent socket. The patch introduces a single exit label so all return paths invoke __sock_put(), ensuring the reference is released regardless of which check fails.
Root Cause
The root cause is an inconsistent cleanup pattern in the MPTCP path manager's ADD_ADDR retransmission handler. The handler acquired a socket reference through sk_reset_timer() but contained early-return branches that bypassed the corresponding sock_put(). This is a classic missing-release bug categorized as a memory or reference leak. The patch also removes a redundant !msk check that cannot occur because msk is never reset, and marks the remaining condition as unlikely.
Attack Vector
The leak triggers only when the unlikely conditions in the retransmission callback are reached. A local or remote peer that causes repeated MPTCP ADD_ADDR retransmissions against a vulnerable host can gradually accumulate leaked socket references. Sustained triggering may exhaust kernel memory tied to socket structures and degrade networking subsystem stability. Exploitability depends on whether the unlikely conditions can be induced reliably by an attacker-controlled peer.
No verified proof-of-concept code is available. Refer to the upstream commits for technical details on the corrected control flow:
Detection Methods for CVE-2026-46158
Indicators of Compromise
- Growing kernel SOCK slab allocations in /proc/slabinfo on hosts with MPTCP enabled and no corresponding increase in active sockets.
- Sustained increases in MPTcpExtAddAddrTx and MPTcpExtAddAddrTxDrop counters in /proc/net/netstat indicating heavy ADD_ADDR retransmission activity.
- Kernel memory pressure events or OOM kills on long-running systems that handle MPTCP connections.
Detection Strategies
- Compare kernel package versions against vendor advisories for the stable branches that received the three referenced commits.
- Audit running kernels with uname -r and correlate against your distribution's CVE tracker entry for CVE-2026-46158.
- Instrument the MPTCP subsystem with bpftrace or perf probes on mptcp_pm_add_addr_send_ack and timer callbacks to detect refcount imbalance.
Monitoring Recommendations
- Track slabtop output for TCPv6, TCP, and MPTCP-related slabs on hosts that terminate MPTCP traffic.
- Alert on anomalous growth of MPTCP nstat counters tied to ADD_ADDR retransmissions over short intervals.
- Forward kernel logs and host telemetry to a centralized analytics platform to correlate networking subsystem anomalies across the fleet.
How to Mitigate CVE-2026-46158
Immediate Actions Required
- Inventory all Linux hosts with MPTCP enabled by checking net.mptcp.enabled via sysctl.
- Apply the latest stable kernel update from your distribution that includes the three upstream commits referenced in the advisory.
- Reboot patched systems and validate kernel version with uname -r after deployment.
Patch Information
The fix is upstreamed across three commits that consolidate cleanup into a single exit path invoking __sock_put() and prune the unreachable !msk check. Distribution kernels should pull the fix into the corresponding stable branches. Reference commits: 25e37407442b, 9634cb35af17, and acd3d3562315 on git.kernel.org.
Workarounds
- Disable MPTCP on hosts that do not require it by setting net.mptcp.enabled=0 via sysctl until kernels can be patched.
- Restrict MPTCP peers to trusted networks using firewall rules to reduce the chance of induced ADD_ADDR retransmission storms.
- Schedule periodic restarts of MPTCP-heavy services on unpatched hosts to reclaim leaked socket references.
# Configuration example
# Disable MPTCP system-wide until the kernel patch is applied
sudo sysctl -w net.mptcp.enabled=0
echo 'net.mptcp.enabled=0' | sudo tee /etc/sysctl.d/99-disable-mptcp.conf
# Verify kernel build includes the fix commits
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
