CVE-2026-53183 Overview
CVE-2026-53183 is a Linux kernel vulnerability in the Multipath TCP (MPTCP) implementation. The flaw stems from inconsistent receive window handling between the MPTCP layer and the underlying TCP subflows. Incoming data acknowledged at the TCP level but queued out-of-order in the MPTCP sequence space can artificially inflate the MPTCP receive window. As a result, incoming traffic can exceed the receiver's rcvbuf size even when the sender behaves correctly. The Linux kernel maintainers resolved the issue by allowing the TCP subflow to shrink the TCP-level receive window regardless of the current network namespace setting.
Critical Impact
A remote peer can cause the kernel receive buffer to be exceeded on MPTCP connections, leading to resource exhaustion conditions on affected Linux systems.
Affected Products
- Linux kernel versions implementing MPTCP subflow receive window handling
- Distributions shipping kernels prior to the referenced stable fixes
- Systems with MPTCP enabled at runtime
Discovery Timeline
- 2026-06-25 - CVE-2026-53183 published to NVD
- 2026-06-25 - Last updated in NVD database
Technical Details for CVE-2026-53183
Vulnerability Analysis
The vulnerability resides in the MPTCP subsystem of the Linux kernel, specifically in receive window accounting across the MPTCP and TCP layers. In an MPTCP connection, the window field in the TCP header represents the MPTCP-level rcv_nxt, and its right edge must not move backward. This constraint is enforced at Data Sequence Signal (DSS) option generation time.
The TCP stack independently enforces a separate constraint: the TCP-level receive window right edge also cannot retreat. When data arrives that is acknowledged at the TCP level but is out-of-order in the MPTCP sequence space, or lands in the MPTCP backlog, the two independent constraints conflict. The MPTCP receive window becomes artificially inflated relative to the actual available buffer space.
Root Cause
The root cause is a layering mismatch between TCP subflow window management and MPTCP-level sequence accounting. Because the TCP subflow refuses to shrink its advertised window, the announced MPTCP receive window can grow beyond the bytes the receiver can actually accommodate in rcvbuf. Out-of-order MPTCP data and backlog-queued segments are counted as acknowledged at the TCP layer but not yet delivered at the MPTCP layer.
Attack Vector
A remote peer communicating over an MPTCP connection can drive the receiver into a state where buffered data exceeds rcvbuf limits. The condition does not require a misbehaving sender. Normal MPTCP traffic patterns that introduce out-of-order delivery across subflows are sufficient to trigger the imbalance. The exploitation surface is limited to systems with MPTCP active. Refer to the linked kernel commits for the precise code paths corrected by the fix.
No public proof-of-concept exploitation code is available. The vulnerability is described in prose because no verified exploit code has been published.
Detection Methods for CVE-2026-53183
Indicators of Compromise
- Unexpected growth of socket receive memory accounting beyond configured rcvbuf on MPTCP sockets
- Kernel warnings or SNMP counter anomalies related to MPTCP receive queue behavior
- Elevated memory pressure on hosts terminating many MPTCP connections from untrusted networks
Detection Strategies
- Inventory kernel versions across Linux fleets and flag hosts running kernels predating the fixes referenced in the Linux Kernel Commit c297a4e6 and related stable backports
- Audit whether MPTCP is enabled by checking net.mptcp.enabled sysctl and identifying listening services that negotiate MPTCP
- Correlate kernel dmesg output with socket buffer accounting metrics exported via ss -m or /proc/net/sockstat
Monitoring Recommendations
- Track per-socket rmem_alloc versus rcvbuf ratios for MPTCP endpoints
- Alert on sustained memory pressure on network-facing hosts that terminate MPTCP traffic
- Centralize kernel logs and MPTCP MIB counters into a SIEM or data lake for longitudinal analysis
How to Mitigate CVE-2026-53183
Immediate Actions Required
- Apply the upstream stable kernel updates that incorporate the MPTCP subflow receive window fix
- If patching is not immediately feasible, evaluate disabling MPTCP on hosts that do not require it by setting net.mptcp.enabled=0
- Restrict exposure of MPTCP-capable services to untrusted networks until the patch is deployed
Patch Information
The fix is committed to the Linux stable tree across multiple branches. Relevant commits include Linux Kernel Commit 6532452, Linux Kernel Commit aa3861f4, Linux Kernel Commit b1fd1307, Linux Kernel Commit bf364b0f, Linux Kernel Commit c297a4e6, and Linux Kernel Commit da23be77. The patch allows the TCP subflow to shrink the TCP-level receive window regardless of the current netns setting.
Workarounds
- Disable MPTCP system-wide via sysctl -w net.mptcp.enabled=0 where the feature is not required
- Limit MPTCP usage to trusted internal networks through firewall policy
- Constrain socket buffer sizes for services that must accept MPTCP from untrusted peers to reduce blast radius
# Configuration example
# Disable MPTCP at runtime
sysctl -w net.mptcp.enabled=0
# Persist across reboots
echo 'net.mptcp.enabled = 0' > /etc/sysctl.d/99-disable-mptcp.conf
# Verify current kernel version against patched stable releases
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

