CVE Catalog

CVE-2026-45889

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.15%

5th percentile - higher than 5% of all known CVEs

Summary

In the Linux kernel, accounting for out-of-order (OoO) packets at the MPTCP level in mptcp_rcvbuf_grow() has been removed. MPTCP-level OoO is physiological when multiple subflows are active and does not cause retransmissions or drops. This accounting caused the receive buffer to drift towards tcp_rmem[2]. The fix also closes a subtle race condition with rcvspace init that could lead to a divide-by-zero Oops.

Risk Assessment

The risk for organizations is potential receive buffer inflation in MPTCP, leading to performance degradation of multipath connections. In extreme cases, before the patch, a divide-by-zero kernel Oops could occur, potentially causing system crashes.

Recommendation

Immediately update the Linux kernel to a version containing this fix. Monitor distributions for the CVE-2026-45889 patch and apply it to production systems using MPTCP.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: mptcp: do not account for OoO in mptcp_rcvbuf_grow() MPTCP-level OoOs are physiological when multiple subflows are active concurrently and will not cause retransmissions nor are caused by drops. Accounting for them in mptcp_rcvbuf_grow() causes the rcvbuf slowly drifting towards tcp_rmem[2]. Remove such accounting. Note that subflows will still account for TCP-level OoO when the MPTCP-level rcvbuf is propagated. This also closes a subtle and very unlikely race condition with rcvspace init; active sockets with user-space holding the msk-level socket lock, could complete such initialization in the receive callback, after that the first OoO data reaches the rcvbuf and potentially triggering a divide by zero Oops.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS