A newly published Linux kernel vulnerability, tracked as CVE-2026-43029, exposes a denial-of-service vector that can paralyze systems through an infinite spin in Multipath TCP (MPTCP) receive handling. The flaw, disclosed by the National Vulnerability Database (NVD) on May 1, 2026, arises when an application calls recv() with the MSG_PEEK and MSG_WAITALL flags on an MPTCP socket. Under these conditions, the kernel can enter a tight loop, consuming 100% of a CPU core and triggering a soft lockup. This can render the affected machine unresponsive, affecting any workload relying on MPTCP connectivity.
The bug cuts to the core of MPTCP’s design. MPTCP, standardized in RFC 8684, allows a single TCP connection to multiplex data across multiple subflows (e.g., Wi-Fi and cellular simultaneously). It has gained traction in smartphones, servers, and edge devices seeking resilience and bandwidth aggregation. The vulnerability specifically hinges on how the kernel handles the intersection of two socket API flags that are rarely used together but perfectly valid.
MSG_PEEK instructs the kernel to copy data to the user buffer without removing it from the socket queue. MSG_WAITALL tells the kernel to block until the entire requested amount of data is available. In a standard TCP socket, the combination works: the kernel peeks at enough data to satisfy the request or continues waiting. In MPTCP, however, the receive path must coordinate between the master socket and one or more subflow sockets. The patch introduced to handle this flag combination contained a flawed continuation check that fails to account for the subflow-level window updates, leading to an unbounded loop while waiting for data that may never arrive from the expected subflow.
A soft lockup is the kernel’s way of screaming for help. When a CPU spins for more than 20 seconds (configurable via watchdog_thresh) without scheduling, the kernel’s watchdog fires, logging a warning. While the system may not crash entirely, the spinning CPU becomes unavailable for other tasks. If all CPUs are similarly stuck, the system effectively halts. In multi-core servers, a single spinning core degrades performance, but repeated triggers could cause a cascading failure.
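As an added example (not from the original article or the kernel project), the following Python scans kernel log lines for the watchdog's soft-lockup reports and keeps those whose call trace contains mptcp_ frames. The log lines are constructed, the process name peekd is hypothetical, and the frames in a real report may differ.

```python
import re

# Header the kernel watchdog prints when a CPU has not scheduled for too long.
LOCKUP = re.compile(
    r"BUG: soft lockup - CPU#(?P<cpu>\d+) stuck for (?P<secs>\d+)s! "
    r"\[(?P<comm>.+):(?P<pid>\d+)\]"
)
# A stack frame such as " mptcp_recvmsg+0x1a2/0x9f0" (optionally prefixed "? ").
FRAME = re.compile(r"\s(?:\? )?(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")


def find_mptcp_lockups(lines, window=40):
    """Return soft-lockup reports whose following call trace has mptcp_* frames."""
    hits = []
    for i, line in enumerate(lines):
        m = LOCKUP.search(line)
        if not m:
            continue
        frames = []
        for follow in lines[i + 1 : i + 1 + window]:
            if LOCKUP.search(follow):      # next report starts: stop this trace
                break
            f = FRAME.search(follow)
            if f:
                frames.append(f.group("sym"))
        mptcp = [s for s in frames if s.startswith("mptcp_")]
        if mptcp:
            hits.append({"cpu": int(m["cpu"]), "secs": int(m["secs"]),
                         "comm": m["comm"], "pid": int(m["pid"]),
                         "mptcp_frames": mptcp})
    return hits


# Constructed sample log (not captured from a real system).
SAMPLE = """\
[ 812.104233] watchdog: BUG: soft lockup - CPU#3 stuck for 22s! [peekd:4412]
[ 812.104301] Call Trace:
[ 812.104310]  mptcp_recvmsg+0x1a2/0x9f0
[ 812.104316]  inet_recvmsg+0x52/0x130
[ 812.104321]  __sys_recvfrom+0xd4/0x160
[ 901.550012] watchdog: BUG: soft lockup - CPU#1 stuck for 23s! [kworker/1:2:77]
[ 901.550020]  ext4_writepages+0x3c/0x120
""".splitlines()

if __name__ == "__main__":
    for hit in find_mptcp_lockups(SAMPLE):
        print(hit)
```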
The practical impact depends on the attack surface. To trigger CVE-2026-43029, an attacker needs the ability to open MPTCP connections and call recv() with the offending flags—meaning local code execution is typically required. However, certain networked services using MPTCP could expose the bug if they rely on blocking reads with PEEK. In containerized environments, a malicious workload within a pod could exploit the vulnerability to DoS the node. Linux distributions that enable CONFIG_MPTCP (now on by default in Ubuntu, Fedora, and Android) are vulnerable unless patched.
Fix commits appeared in the Linux kernel mainline shortly before the CVE was published, with backports to stable series 6.1.y and later. The correction adjusts the receive buffer evaluation so that the peek+waitall operation correctly yields when no progress can be made, preventing the spin. System administrators should update their kernels immediately. For those unable to reboot, a temporary workaround is to disable MPTCP by blacklisting the mptcp kernel module (modprobe -r mptcp) or setting the sysctl net.mptcp.enabled=0, though this breaks any MPTCP-dependent services.
For the Windows community, this Linux vulnerability offers a cautionary tale. Microsoft has implemented MPTCP in Windows 10 version 1709 and Windows Server 2019 as an experimental feature, later moving to full support in newer builds. The Windows TCP/IP stack uses a different architecture for MPTCP receive processing, leveraging the Winsock Kernel (WSK) framework. While no equivalent vulnerability has been reported, the lessons—careful handling of flag combinations and rigorous testing of blocking socket calls—apply universally. As MPTCP adoption grows in edge computing and 5G networks, cross-platform security scrutiny becomes essential.
The saga of CVE-2026-43029 underscores the complexity of modern network protocols. Every new feature in the Linux kernel brings not just performance gains but also subtle attack surfaces. The combination of MSG_PEEK and MSG_WAITALL might seem esoteric, yet it’s precisely these edge cases that fuzzing and static analysis tools are designed to catch. The rapid fix and disclosure timeline (the NVD entry followed quickly after the kernel patch) indicate a maturing vulnerability coordination process within the open-source ecosystem.
Looking ahead, organizations relying on MPTCP should audit their application code for similar flag usage and ensure their kernel update cadence is strict. Developers maintaining user-space libraries should add regression tests for non-typical socket operations. For the broader industry, this CVE is a reminder that protocol stacks are never truly “done”; each extension, from TCP Fast Open to QUIC, demands continuous vigilance.
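One way to start the audit described above, as an added example that is not from the original article: a Python scan of C source for statements that combine MSG_PEEK and MSG_WAITALL. The C snippet and its function read_hdr are constructed sample input, and flags that are set in separate statements are not detected.

```python
import re

RECV_CALL = re.compile(r"\b(recv|recvfrom|recvmsg|recvmmsg)\s*\(")
BOTH = (re.compile(r"\bMSG_PEEK\b"), re.compile(r"\bMSG_WAITALL\b"))


def strip_comments(src):
    """Blank out C comments but keep newlines so line numbers stay correct."""
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group().count("\n"), src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)


def find_peek_waitall(src):
    """Return (line, kind, detail) for statements that combine both flags.

    kind is "call" when a recv-family call is in the statement, else "flags"
    (for example a flags variable that is built first and passed later).
    """
    src = strip_comments(src)
    findings, pos = [], 0
    for stmt in src.split(";"):
        if all(p.search(stmt) for p in BOTH):
            first = BOTH[0].search(stmt).start()
            line = src.count("\n", 0, pos + first) + 1   # line of MSG_PEEK
            call = RECV_CALL.search(stmt)
            findings.append((line, "call" if call else "flags",
                             call.group(1) if call else None))
        pos += len(stmt) + 1                             # +1 for the ';'
    return findings


# Constructed C snippet used as sample input (hypothetical application code).
SAMPLE = """\
int read_hdr(int fd, char *buf, size_t n) {
    /* MSG_PEEK | MSG_WAITALL would be wrong here */
    ssize_t a = recv(fd, buf, n, MSG_WAITALL);
    ssize_t b = recv(fd, buf, n,
                     MSG_PEEK | MSG_WAITALL);
    int flags = MSG_WAITALL | MSG_PEEK;
    return recvfrom(fd, buf, n, flags, NULL, NULL);
}
"""

if __name__ == "__main__":
    for finding in find_peek_waitall(SAMPLE):
        print(finding)
```

A "flags" finding needs manual follow-up to see whether the variable reaches a receive call on an MPTCP socket.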