CVE-2026-46137: mptcp: pm: ADD_ADDR rtx: fix potential data-race
In the Linux kernel, the following vulnerability has been resolved:

mptcp: pm: ADD_ADDR rtx: fix potential data-race

This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock(). If the socket is in use, retry again soon after, similar to what is done with the keepalive timer.
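The locking pattern the description above refers to, as an added user-space model; it is not the kernel patch and not code from this page. All names (`sock_model`, `model_add_timer`, `model_set_owner`) and the timing constants are hypothetical, and a C11 `atomic_flag` spinlock stands in for the lock taken by bh_lock_sock().

```c
#include <stdatomic.h>
#include <stdbool.h>

/* User-space model constructed for illustration; names are hypothetical, not kernel code. */
struct sock_model {
    atomic_flag slock;    /* stands in for the spinlock taken by bh_lock_sock() */
    bool owned_by_user;   /* stands in for "socket is in use" by process context */
    int retrans;          /* ADD_ADDR retransmissions sent so far */
    int next_expiry_ms;   /* delay the timer was re-armed with, 0 = not re-armed */
};
#define SOCK_MODEL_INIT { .slock = ATOMIC_FLAG_INIT }
enum { RETRY_SOON_MS = 50, RTX_TIMEOUT_MS = 1000, MAX_RETRANS = 3 }; /* assumed values */
enum timer_result { TIMER_DEFERRED, TIMER_RETRANSMITTED };

static void slock_acquire(struct sock_model *sk) { while (atomic_flag_test_and_set(&sk->slock)) { } }
static void slock_release(struct sock_model *sk) { atomic_flag_clear(&sk->slock); }

/* Process context taking or dropping ownership of the socket. */
void model_set_owner(struct sock_model *sk, bool owned)
{
    slock_acquire(sk);
    sk->owned_by_user = owned;
    slock_release(sk);
}

/* Timer callback: all socket state is read and written under the lock. */
enum timer_result model_add_timer(struct sock_model *sk)
{
    enum timer_result res;
    slock_acquire(sk);
    if (sk->owned_by_user) {            /* in use: touch nothing, retry soon */
        sk->next_expiry_ms = RETRY_SOON_MS;
        res = TIMER_DEFERRED;
    } else {                            /* exclusive access: safe to update */
        sk->retrans++;
        sk->next_expiry_ms = sk->retrans < MAX_RETRANS ? RTX_TIMEOUT_MS : 0;
        res = TIMER_RETRANSMITTED;
    }
    slock_release(sk);
    return res;
}

int main(void)
{
    struct sock_model sk = SOCK_MODEL_INIT;
    model_set_owner(&sk, true);
    enum timer_result busy = model_add_timer(&sk);   /* deferred, nothing touched */
    model_set_owner(&sk, false);
    return !(busy == TIMER_DEFERRED && model_add_timer(&sk) == TIMER_RETRANSMITTED);
}
```

The deferred branch is the part that mirrors "retry again soon after": the callback leaves the retransmission state alone and only re-arms itself with a short delay.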
HarborGuard Analysis
Synopsis
A data race vulnerability exists in the Linux kernel's Multipath TCP (MPTCP) path manager, specifically in the ADD_ADDR retransmission timer handler. The flaw is reachable over the network without any authentication or user interaction, as derived from the CVSS vector (AV:N/AC:L/PR:N/UI:N). Successful exploitation gives an attacker full read, write, and availability impact on the affected system, including the ability to disclose sensitive data, tamper with memory, or crash the kernel. Patched-image rebuilds at the fix versions are available on HarborGuard for environments running an affected kernel version.
HarborGuard Coverage
Detection of CVE-2026-46137 is available across every HarborGuard environment; the CVE is ingested from upstream Linux kernel feeds and matched against customer images within minutes of publication, covering both base OS images and custom-built images that include an affected kernel version. Any image in a customer registry or CI/CD pipeline that carries a vulnerable Linux kernel build is flagged automatically.
HarborGuard scores this CVE at 9.8 CRITICAL (CVSS v3.1) and surfaces it with that severity weighting inside each customer environment's compliance policy engine. Triage findings are routed to the appropriate team inbox based on per-organization policy configuration, ensuring the right owners are notified without manual filtering.
A patched-image rebuild at the confirmed fix versions (including kernel 6.6.141 and the identified upstream commits) is available on HarborGuard for any environment running an affected kernel. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in those environments.
Exploit Conditions
- Network reachability: Required
  The vulnerable code path is reachable over the network, meaning an attacker must be able to send traffic to the affected host to trigger the race condition in the MPTCP timer handler.
- Authentication: Not required
  No authentication is needed; the attack can be initiated by any unauthenticated network peer.
- Victim interaction: Not required
  No user or administrator action is required to trigger exploitation; the vulnerability fires through the kernel's own timer subsystem.
- Attack complexity: Detail
  Attack complexity is low, meaning the exploit does not depend on race windows, special memory layouts, or environmental preconditions beyond network access.
Blast Radius
- An attacker can read kernel memory contents, exposing in-flight network data, session tokens, or other sensitive process information held in kernel buffers.
- An attacker can corrupt kernel memory structures via the unsynchronized timer callback, enabling arbitrary write primitives within the affected kernel context.
- The race condition can be used to crash the kernel entirely, taking down all workloads on the host and causing a full service outage.
- Container workloads sharing the host kernel are all affected; a successful exploit against the kernel is not bounded by container isolation boundaries.
How HarborGuard Handles This
Available on HarborGuard: detection, triage, and patched-image rebuilds for CVE-2026-46137 are all available as platform capabilities. For environments running an affected Linux kernel version, a rebuilt image pinned to kernel 6.6.141 or the upstream-patched commits is available. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image, executes a regression test run, and opens a PR against affected workloads; for critical-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in those environments. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding in the triage queue with full CVSS context so teams can act manually. Until a patched image is deployed, network policy controls that restrict unexpected inbound MPTCP traffic to exposed hosts can reduce the reachable attack surface as a compensating measure.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: 0
- Affected Products: 2
Fix available
- Linux / Linux: < 013dcdc1961543b9a3433466bc8c79a2f4ca75b5 (from 00cfd77b9063dcdf3628a7087faba60de85a9cc8) · < 6e4710d7d8782cb61af29a7e7111ddfc38b9e1a3 (from 00cfd77b9063dcdf3628a7087faba60de85a9cc8) · < 2ad56e434199ca24a812bb353667aa1c3860f513 (from 00cfd77b9063dcdf3628a7087faba60de85a9cc8) · < cc3c0399361efaaf7ae64262eb3f70829b1189c6 (from 00cfd77b9063dcdf3628a7087faba60de85a9cc8) · < 5cd6e0ad79d2615264f63929f8b457ad97ae550d (from 00cfd77b9063dcdf3628a7087faba60de85a9cc8)
- Linux / Linux: 5.10 · Fixed in 0, 6.6.141, 6.12.91, 6.18.30, 7.0.7, 7.1-rc3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H