KernelScan.io

HIGH

mptcp AddAddr Deadlock

CVE-2026-46170

CVSS 7.5 / 10.0 KernelScan AI

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

01

In the Linux kernel, the following vulnerability has been resolved:

mptcp: pm: ADD_ADDR rtx: free sk if last

When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(), and released at the end. If at that moment, it was the last reference being held, the sk would not be freed. sock_put() should then be called instead of __sock_put().

But that's not enough: if it is the last reference, sock_put() will call sk_free(), which will end up calling sk_stop_timer_sync() on the same timer, and waiting indefinitely to finish. So it is needed to mark that the timer is done at the end of the timer handler when it has not been rescheduled, not to call sk_stop_timer_sync() on "itself".

02

Engine v0.2.0

Risk summary

A remote attacker acting as an MPTCP peer can repeatedly trigger a kernel memory leak in the MPTCP ADD_ADDR retransmission timer by causing ADD_ADDR retransmissions, eventually exhausting kernel memory and causing a system-wide denial of service (OOM/kernel panic).

Affected: net/mptcp/pm.c (MPTCP path manager)

Vulnerability analysis

The vulnerability occurs in MPTCP's ADD_ADDR retransmission timer handling where improper socket reference counting prevents socket structures from being freed. When the timer handler fires and holds the last reference to a socket, the original code uses __sock_put(), which decrements the reference count without invoking sk_free(). This leaks the socket structure. A remote MPTCP peer can trigger repeated ADD_ADDR retransmissions (e.g., by withholding ADD_ADDR echo responses) to exhaust kernel memory and cause a denial of service. The fix replaces __sock_put() with sock_put() to ensure proper deallocation, and adds a timer_done flag to prevent a timer synchronization deadlock that would otherwise occur when sk_free() attempts to stop the running timer from within its own handler.

03

| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.92 | 531c537b8fb6 |
| 6.18 | 6.18.30 | b74ad2019865 |
| 6.6 | 6.6.142 | 6a3af482188f |
| 7.0 | 7.0.7 | 8143a224785c |
| mainline | 7.1-rc3 | b7b9a4615697 |