CRITICAL
mptcp AddTimer Race
CVE-2026-46137
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 5.3 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

mptcp: pm: ADD_ADDR rtx: fix potential data-race

This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock(). If the socket is in use, retry again soon after, similar to what is done with the keepalive timer.
02 KernelScan AI Analysis
Risk summary
A race condition in the MPTCP path manager timer callback could lead to memory corruption and system instability. The vulnerability affects systems with MPTCP enabled where unprivileged users can establish MPTCP connections. Exploitation requires precise timing but could result in kernel panic or data corruption.
Vulnerability analysis
The mptcp_pm_add_timer() function executes in softirq context as a timer callback but accesses socket data structures without proper locking. This creates a race condition where concurrent access from process context could corrupt MPTCP path manager state or socket structures. The fix adds bh_lock_sock() protection around the critical section and implements retry logic when the socket is busy, similar to the keepalive timer pattern. The attack surface includes any system where users can create MPTCP sockets, which typically requires no special privileges beyond normal network access.
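A userspace model of the locking discipline described above, added here as an example; it is not the kernel patch or KernelScan's code. The struct, function names and delay values are hypothetical, and a C11 atomic_flag stands in for the socket spinlock taken by bh_lock_sock().

```c
/* Userspace model constructed for illustration; not kernel code. */
#include <stdatomic.h>
#include <stdbool.h>

enum { RETRY_SOON_MS = 50, RTX_MS = 1000 };  /* assumed delays */
enum timer_res { TIMER_DEFERRED, TIMER_RAN };
struct sock_model {
    atomic_flag slock;   /* stands in for the socket spinlock */
    bool owned_by_user;  /* process context currently owns the socket */
    int rtx_count;       /* shared state the timer mutates */
    int rearm_ms;        /* delay the timer was last rearmed with */
};

static void slock_acquire(struct sock_model *sk) {
    while (atomic_flag_test_and_set_explicit(&sk->slock, memory_order_acquire)) { }
}
static void slock_release(struct sock_model *sk) {
    atomic_flag_clear_explicit(&sk->slock, memory_order_release);
}

/* Process context: take or drop ownership under the spinlock. */
static void set_user_owner(struct sock_model *sk, bool owned) {
    slock_acquire(sk);
    sk->owned_by_user = owned;
    slock_release(sk);
}

/* Timer callback: mutate shared state only when no user owns the socket. */
static enum timer_res add_timer_model(struct sock_model *sk) {
    enum timer_res res = TIMER_DEFERRED;
    slock_acquire(sk);                 /* bh_lock_sock() analogue */
    if (sk->owned_by_user) {
        sk->rearm_ms = RETRY_SOON_MS;  /* busy: leave state alone, retry soon */
    } else {
        sk->rtx_count++;               /* no user owner, lock held: safe */
        sk->rearm_ms = RTX_MS;
        res = TIMER_RAN;
    }
    slock_release(sk);
    return res;
}

int main(void) {
    struct sock_model sk = { .slock = ATOMIC_FLAG_INIT };
    set_user_owner(&sk, true);
    int busy = add_timer_model(&sk);   /* deferred, rtx_count untouched */
    set_user_owner(&sk, false);
    return !(busy == TIMER_DEFERRED && add_timer_model(&sk) == TIMER_RAN);
}
```

The point to check in a real callback is the same as in the model: every access to shared socket state sits between the lock and unlock, and the owned-by-user branch rearms the timer without touching that state.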
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.91 | 6e4710d7d878 |
| 6.18 | 6.18.30 | 2ad56e434199 |
| 6.6 | 6.6.141 | 013dcdc19615 |
| 7.0 | 7.0.7 | cc3c0399361e |
| mainline | 7.1-rc3 | 5cd6e0ad79d2 |