Bug 2482639 (CVE-2026-46158)

Summary: CVE-2026-46158 kernel: mptcp: pm: ADD_ADDR rtx: always decrease sk refcount
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: rhel-process-autobot, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the Linux kernel's Multipath TCP (MPTCP) implementation. When an ADD_ADDR message is retransmitted, a socket reference count may not be properly decreased, leading to a potential resource leak. Over time, this resource exhaustion could allow a remote attacker to cause a Denial of Service (DoS) by consuming system resources.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-05-28 11:07:08 UTC 
In the Linux kernel, the following vulnerability has been resolved:

mptcp: pm: ADD_ADDR rtx: always decrease sk refcount

When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer().
It should then be released in all cases at the end.

Some (unlikely) checks were returning directly instead of calling
sock_put() to decrease the refcount. Jump to a new 'exit' label to call
__sock_put() (which will become sock_put() in the next commit) to fix
this potential leak.

While at it, drop the '!msk' check which cannot happen because it is
never reset, and explicitly mark the remaining one as "unlikely".
Comment 1 Keith Grant 2026-05-28 15:50:26 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026052824-CVE-2026-46158-af10@gregkh/T