Linux Kernel, MPTCP ADD_ADDR Refcount Leak, CVE-2026-46158 (Medium) -DC-Jun2026-309


CVE-2026-46158 is a subtle reference‑counting vulnerability in the Linux kernel’s Multipath TCP (MPTCP) implementation. The flaw resides in the path‑manager’s ADD_ADDR retransmission logic, specifically within the timer callback that handles retransmission of address advertisements.
When an ADD_ADDR message needs to be retransmitted, the kernel arms a timer with sk_reset_timer(), which takes a reference on the associated socket (struct sock). That extra reference keeps the socket allocated while the timer is pending, preventing premature freeing and the use‑after‑free that would follow. The problem is that the code path meant to release this reference does not always execute.
Under normal circumstances the callback ends by calling `sock_put()` to drop the reference, allowing the socket to be freed once the count reaches zero. However, two early‑return checks, both unlikely to fire, sat before this release logic. When either condition was met the function returned directly, skipping `sock_put()` and leaving the reference count permanently elevated. The result is a resource leak: each occurrence pins a socket object in memory and prevents its destruction.
The vulnerable code also contained a check for a NULL `msk` pointer that could never be true under any valid kernel state, as confirmed by the maintainers. This check was therefore removed as part of the patch to simplify the logic. The remaining legitimate condition, which verifies that the socket is not in the TCP_CLOSE state, was explicitly annotated with the `unlikely()` macro to indicate its rare nature.
In practice, an attacker capable of triggering ADD_ADDR retransmissions on an MPTCP‑enabled system can force the kernel to repeatedly hit these early‑return paths. Over time, the accumulation of leaked socket references consumes kernel memory. Since sockets are long‑lived objects with associated metadata, the leak can grow without bound, potentially exhausting system memory and causing a denial‑of‑service (DoS) condition. The vulnerability is not directly exploitable for privilege escalation or arbitrary code execution on its own, but its memory exhaustion effect can destabilize the system.
The issue was introduced in kernel version 5.10 with commit `00cfd77b9063dcdf3628a7087faba60de85a9cc8` and fixed in versions 6.18.30, 7.0.7, and 7.1‑rc3 via commits `acd3d3562315`, `25e37407442b`, and `9634cb35af17` respectively. The patch replaces the direct returns with jumps to a new `exit` label that unconditionally calls `__sock_put()`, so the reference is released whichever branch is taken.
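The following userspace model, added here as an illustration and not taken from the kernel or the patch, reproduces the refcount contract described above: arming the timer takes a reference, the callback must drop it, and the early returns in the vulnerable variant leak it while the `exit` label in the fixed variant does not. Struct and function names mimic the kernel's but are simplified stand-ins.

```c
/* Userspace model of the contract described above: sk_reset_timer() takes a
 * reference when it arms the timer and the callback must drop it. Constructed
 * example with kernel-like names; not kernel code. */
#include <stdbool.h>

enum { TCP_ESTABLISHED = 1, TCP_CLOSE = 7 };   /* same values as the kernel */

struct sock { int refcnt; int state; bool timer_armed; };
struct add_entry { struct sock *sk; int retrans_times; };

/* Arming a timer that is not already pending pins the socket with one reference. */
static void sk_reset_timer(struct sock *sk)
{
    if (!sk->timer_armed) { sk->timer_armed = true; sk->refcnt++; }
}
static void __sock_put(struct sock *sk) { sk->refcnt--; }

/* Vulnerable callback: both early returns skip the release at the bottom. */
static void add_timer_vulnerable(struct add_entry *e)
{
    struct sock *sk = e->sk;
    if (!sk) return;                                 /* never true in practice */
    if (sk->state == TCP_CLOSE) return;              /* rare but reachable: leaks */
    if (++e->retrans_times < 3) sk_reset_timer(sk);  /* re-arm takes its own ref */
    __sock_put(sk);                                  /* drop the expired timer's ref */
}

/* Fixed callback: NULL check dropped, every path reaches exit: and releases. */
static void add_timer_fixed(struct add_entry *e)
{
    struct sock *sk = e->sk;
    if (sk->state == TCP_CLOSE) goto exit;           /* unlikely() in the kernel */
    if (++e->retrans_times < 3) sk_reset_timer(sk);
exit:
    __sock_put(sk);
}

/* Arm and expire the timer once on a socket in `state`;
 * return the number of leaked references (0 means balanced). */
int leaked_refs_after_expiry(bool fixed, int state)
{
    struct sock sk = { .refcnt = 1, .state = state, .timer_armed = false };
    struct add_entry e = { .sk = &sk, .retrans_times = 0 };
    sk_reset_timer(&sk);          /* arm: refcnt becomes 2 */
    sk.timer_armed = false;       /* the timer expires and runs the callback */
    if (fixed) add_timer_fixed(&e); else add_timer_vulnerable(&e);
    /* cancel a re-armed timer and drop its reference, as sk_stop_timer() would */
    if (sk.timer_armed) { sk.timer_armed = false; __sock_put(&sk); }
    return sk.refcnt - 1;
}
```

Every expiry on a closing socket leaves one extra reference behind in the vulnerable variant, which is exactly the unbounded growth the monitoring section below looks for in the slab caches.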

DailyCVE Form:

Platform: Linux Kernel
Version: 5.10 to 6.18.29/7.0.6/7.1-rc2
Vulnerability: Refcount leak in sk_reset_timer()
Severity: Medium (CVSS 7.0)
Date: 2026-05-28

Prediction: 2026-06-15

What Undercode Say:

The vulnerability manifests as a slow, indefinite memory leak that can be detected by monitoring kernel slab memory usage, specifically the socket and MPTCP‑related caches. System administrators can use the following commands to observe the leak in real time:

```bash
# Monitor live kernel memory usage for socket caches
watch -n 2 'grep -e "sock" -e "mptcp" /proc/slabinfo'

# Sample MPTCP-related slab caches every 10 seconds
while true; do
    date >> mptcp_leak.log
    grep -E "sock|mptcp" /proc/slabinfo >> mptcp_leak.log
    sleep 10
done

# Track total kernel memory consumption over time
while true; do
    echo -n "$(date +%s) " >> kernel_mem.log
    grep -E "^Slab|^SUnreclaim|^KernelStack" /proc/meminfo | tr '\n' ' ' >> kernel_mem.log
    echo "" >> kernel_mem.log
    sleep 60
done

# Count active MPTCP sockets (ss -M lists MPTCP sockets; -H drops the header line)
ss -M -a -H | wc -l

# Look for mptcp_pm_add_timer activity in the ftrace buffer
# (requires tracefs and a tracer or probe enabled for that function)
grep mptcp_pm_add_timer /sys/kernel/debug/tracing/trace
```

Exploit:

Triggering the vulnerability requires the ability to force MPTCP ADD_ADDR retransmissions. This can be achieved by a local low‑privileged user or by a remote attacker capable of sending crafted MPTCP packets. The exploit relies on repeatedly causing the `mptcp_pm_add_timer()` callback to hit the early‑return condition where the socket is in the TCP_CLOSE state. Each such occurrence leaks one socket reference; over thousands of iterations the leak accumulates and exhausts kernel memory. Proof‑of‑concept code can be built using tools like `scapy` with MPTCP extensions or by abusing legitimate MPTCP connections with forced peer address withdrawals. However, as of the publication date, no public exploit has been released for this CVE.

Protection:

The primary protection is to update the Linux kernel to a fixed version: 6.18.30, 7.0.7, 7.1‑rc3, or any later release that includes the backported fix. If updating is not immediately possible, system administrators can mitigate the risk by disabling MPTCP entirely using the following sysctl command:

sysctl -w net.mptcp.enabled=0

To make this persistent across reboots, add the line `net.mptcp.enabled=0` to /etc/sysctl.conf. Additionally, monitoring kernel memory usage and restarting the system when consumption becomes abnormal can reduce the impact of the leak in production environments.

Impact:

The vulnerability leads to a kernel memory leak that can, over time, cause system instability, application crashes, and ultimately a denial‑of‑service condition. If repeatedly exploited, the system may hang or become unresponsive due to memory exhaustion. The CVSS base score is 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating a moderate‑to‑high risk with a requirement for local access and high attack complexity. Red Hat rates this issue as “moderate severity”. No known privilege escalation or remote code execution vectors are associated with this leak.


Sources:

Reported By: nvd.nist.gov