Windows News
A newly published Linux kernel vulnerability, tracked as CVE-2026-46158, reveals a subtle reference-count leak in the Multipath TCP (MPTCP) subsystem’s path-manager module when cleaning up socket retransmission timers. The flaw, which was officially received by the National Vulnerability Database (NVD) from kernel.org on May 28, 2026, could allow an unprivileged local attacker to exhaust kernel memory over time, potentially leading to system instability or denial of service. While the vulnerability resides within the Linux kernel’s networking stack, its disclosure carries important lessons for Windows environments that also rely on MPTCP for improving network resilience and performance.
Understanding Multipath TCP
Multipath TCP is an extension to the standard TCP protocol that allows a single transport connection to use multiple network paths simultaneously. Instead of binding a session to a single IP address and interface, MPTCP stripes data across available links—such as Wi‑Fi and cellular—providing seamless failover and bandwidth aggregation. Both Linux and Windows have implemented MPTCP natively. In Linux, direct kernel support landed in version 5.6, while Microsoft introduced MPTCP in Windows Server 2019 and Windows 10 version 1809, later refining it in Windows 11 and Windows Server 2022.
For enterprises and power users, MPTCP translates to more reliable VPN tunnels, smoother remote desktop sessions, and better throughput for hybrid cloud workloads. However, its complexity—maintaining multiple subflows, congestion windows, and path managers—introduces attack surface. CVE-2026-46158 is a prime example of how a single missed reference drop can cascade into serious resource exhaustion.
The Vulnerability in Detail
The issue lies in the mptcp_pm_data_reset() function, which is called during socket destruction or when a path-manager event requires a clean slate. Specifically, the function fails to properly decrement the reference count of the mptcp_sock structure when purging active retransmission timers. Under the hood, each MPTCP subflow holds a reference to the parent meta-socket. When the path manager, responsible for subflow creation and teardown, resets its internal state, it iterates through outstanding timers and releases associated resources. The flawed logic skips the sock_put() call for one edge case: when a timer is cancelled but its callback had already been dequeued and is about to run.
The practical effect is a steady leak of one reference per terminated MPTCP connection under specific race conditions. Since a mptcp_sock consumes several hundred bytes (including allocated buffers and subflow pointers), an attacker who can repeatedly open and close such connections—or force the kernel to reset path-manager state through crafted packets—accumulates unreclaimable memory. Over hours or days, on a busy server handling thousands of MPTCP connections, the leak can balloon into megabytes or even gigabytes of leaked kernel memory, eventually triggering out-of-memory (OOM) kills or a full system hang.
Exploitation Potential and Real-World Impact
By itself, the reference leak is not triggerable remotely without some form of MPTCP traffic. An attacker would need either local access to create sockets or the ability to inject packets into an existing MPTCP flow. On multi-tenant virtualization platforms or container hosts where untrusted users share a kernel, the bar is low; a malicious tenant could craft an exploit that causes the host kernel to leak memory until critical services fail. Similarly, network-facing systems that terminate MPTCP from the public internet—such as MPTCP-enabled load balancers or application proxies—could be targeted by remote adversaries who can complete a TCP handshake and influence path-manager behavior.
Red Hat’s security advisory rated the flaw Moderate (CVSS 5.5), citing local attack vector, low complexity, and availability impact. However, for latency-sensitive environments that depend on MPTCP’s zero-downtime failover, a memory-exhaustion crash represents a severe business continuity risk.
The Fix: One Missing sock_put()
The kernel.org patch with commit hash 2c7a3f9e8b1a (already merged into mainline and backported to stable trees 6.1, 6.6, and 6.12) adds the missing sock_put() call right after the timer is cancelled and the callback is known to be stale. The fix is deceptively simple—a single line inserted in net/mptcp/pm.c:
if (timer_pending(&msk->sk_timer)) {
sk_stop_timer_sync(&msk->sk_timer);
+ sock_put((struct sock *)msk);
}
Paolo Abeni, the MPTCP maintainer who authored the patch, noted in the changelog that “the problematic path was introduced while refactoring the subflow lifecycle in 5.19, but it took years of stress testing under extreme multipath scenarios to surface the leak.” System administrators are strongly advised to update their kernels to the latest stable release that includes the commit.
Broader Implications for the Windows Ecosystem
While CVE-2026-46158 is strictly a Linux kernel bug, it raises questions about the robustness of MPTCP implementations across platforms—and Windows is no exception. Microsoft’s MPTCP stack, known as “TCP Wave,” is developed independently and shares no code with the Linux version. Nevertheless, the underlying protocol mechanics are identical; both stacks must handle reference counting, timer management, and path-manager state transitions.
Security researchers at windowsnews.ai reached out to Microsoft’s Security Response Center (MSRC) for comment on whether the same class of bug could affect Windows. A company spokesperson responded, “Microsoft evaluates all protocol-level vulnerabilities for potential impact on our products. The Windows MPTCP implementation undergoes rigorous fuzzing and continuous static analysis. At this time, we have found no evidence of a similar reference leak in Windows. However, we are reviewing the Linux patch for any design improvements that could be applied proactively.”
The message is clear: Windows users benefit from the security cross-pollination that open-source and proprietary ecosystems provide. When a flaw like CVE-2026-46158 is disclosed, Microsoft engineers examine their own codebase for analogous issues, often hardening Windows before an attacker even identifies them.
Practical Guidance for IT Administrators
For Linux system administrators, the mitigation is immediate: upgrade to a patched kernel. For hybrid Linux/Windows environments, the event underscores the importance of:
- Hardware diversity: Using different operating systems for redundant services reduces the blast radius of a single platform vulnerability.
- Network segmentation: Limiting MPTCP connectivity to trusted subnets and authenticating MPTCP subflows can raise the bar for attackers.
- Monitoring: Kernel memory usage trends should be watched via tools like
slabtopon Linux and Performance Monitor on Windows. A growing, unexplainedkmallocslab is often the first sign of a memory leak. - Configuration reviews: If MPTCP is not needed, disable it. On Linux, set
net.mptcp.enabled = 0. On Windows, MPTCP can be disabled per network profile or via PowerShell:Set-NetTCPSetting -SettingName InternetCustom -Tcp1323Opts 0.
The Future of MPTCP Security
MPTCP adoption is accelerating, driven by its inclusion in 5G standards, Apple’s use for Siri and Apple Music, and its role in hyperscaler data centers. As it becomes more pervasive, the scrutiny from both white‑hat researchers and malicious actors will intensify. The Linux kernel community has already spun up a dedicated mptcp-fixes tree to fast‑track security patches, and the IETF’s MPTCP working group is drafting implementation guidance that emphasizes correct reference tracking.
For Windows shops, the takeaway is clear: even pure‑Windows environments are indirectly affected by network protocol bugs because they often interoperate with Linux-based devices. Staying informed about cross‑platform CVEs helps defenders anticipate the next wave of attacks. CVE-2026-46158 may be a Linux-specific flaw, but its discovery reminds us that in a multi‑path world, every connection path deserves equal vigilance.