External risk intelligence

Linux Kernel MPTCP Data Race Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-46137

This vulnerability is in the Linux kernel's own Multipath TCP (MPTCP) implementation: a low-level issue in how a timer callback interacts with socket locking. It is not an internet-facing service, application or gateway, and the advisory describes no direct remote trigger, so public-internet-facing exposure is highly improbable in standard deployments.

Halo Surface Signal (external exposure likelihood): 1 out of 5, much less likely to be public-facing.

Horizon Alert

Summary of the vulnerability and why it matters

Upstream analysis of the Linux kernel identified a potential data race in its Multipath TCP (MPTCP) code, and a fix has since been merged. A race of this kind can, under the right timing, produce unpredictable kernel behaviour or corrupt data. The main task for defenders is confirming which hosts are relevant and how exposed they are.

  • Fixes an internal Linux kernel data race.
  • The affected code sits in the core network stack, so every Linux host is in scope until MPTCP is ruled out.
  • Confirm whether MPTCP is built in, enabled, and in use on each host.

Attack Path

How an attacker could exploit the issue

The race lives in the Linux kernel's Multipath TCP (MPTCP) timer handling: the address-addition timer callback runs in softirq context, and if it fires while another context is working on the same socket with no lock ordering the two, kernel state is read and written concurrently. An attacker who could steer that timing could cause instability or data corruption. The advisory gives no entry conditions, so whether a local user or a remote peer can force the timing is not stated.

  • No specific entry conditions are provided.
  • Timer callback in softirq context.
  • Potential data race.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability threatens the integrity of kernel state handled by the Multipath TCP (MPTCP) feature when its timer fires under the wrong timing. The issue is a potential data race in the `mptcp_pm_add_timer()` callback, which executes in softirq context: if the shared socket state it touches is not protected by a lock against concurrent process-context access, the outcome can be corrupted data, a crash, or other uncontrolled service behaviour.

  • Kernel data integrity.
  • Data race in timer callback.
  • Uncontrolled service behavior.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability resides in the Linux kernel's Multipath TCP (MPTCP) implementation, specifically within the `mptcp_pm_add_timer()` function. As a low-level kernel component, its ownership typically falls to teams responsible for the operating system kernel or the platform itself. The first practical step is to identify all systems running the affected kernel version, determine if MPTCP is actively used, and assess the business criticality of those systems before planning remediation.

  • Kernel or platform teams own this issue.
  • Verify MPTCP usage and system criticality.
  • Plan remediation based on identified risks.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is MPTCP in the Linux kernel?

MPTCP, or Multipath TCP, is a Linux kernel feature that lets a device carry a single connection over several network paths at once. This improves throughput and resilience by aggregating bandwidth or moving traffic between interfaces, such as from Wi-Fi to cellular, without breaking the connection. It sits in the transport layer of the network stack and splits one connection into several TCP subflows; its path manager decides which local addresses to advertise and when to add subflows, and the address-addition timer in this advisory belongs to that path-manager code.

What does a data race vulnerability mean for CVE-2026-46137?

A data race occurs when two parts of the kernel access the same memory concurrently, at least one of them writing, with no lock or other synchronisation ordering the accesses. In this case, a flaw in how the kernel handles the timer callback for MPTCP address additions allows such concurrent access. Left unmanaged, the race can lead to unpredictable behaviour such as data corruption or crashes, because the kernel cannot guarantee the integrity of the state being processed.

How is this MPTCP data race triggered?

This issue is triggered when the kernel's MPTCP timer callback runs in softirq context, the deferred-interrupt context in which kernel timers execute. Code in that context cannot sleep, so it cannot simply take the ordinary process-context socket lock, and the two contexts must coordinate explicitly. The race arises if the callback executes while another process-context path is accessing the same socket and that coordination is missing. It is not triggered by standard network traffic alone, but by internal timing interactions during address management.

Is my system at risk according to Halo Surface Signal?

Halo Surface Signal notes that this vulnerability affects low-level kernel code rather than an internet-facing application or service. Because it involves complex internal timer and socket locking mechanisms within the kernel, direct remote exploitation from the public internet is considered very unlikely. Most systems are not directly exposed to this risk in standard configurations.

What is the first step to address this Linux kernel issue?

You should start by identifying which systems in your environment are running the affected Linux kernel version. Once identified, verify if the MPTCP feature is actually enabled or in active use on those machines. Since this is a low-level kernel component, coordinate with your platform or operating system administration teams to review the available patches and prioritize updates based on the criticality of the systems using MPTCP.
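The checks that the Operational Fix section and the answer above both ask for first (find affected kernels, then confirm MPTCP is built in, enabled and in use) as a POSIX shell triage script. This is an added example, not code from the advisory, Halo, or the Linux kernel project. It assumes a Linux host with iproute2's `ss` and a readable kernel config, and that you supply the fixed kernel release from your distribution's errata, since the advisory page does not state one; the script name mptcp_triage.sh, the 6.8.0-45 and 6.8.0-46 versions in the walk-through, and the `ss` sample output are constructed for illustration.

```sh
#!/bin/sh
# Added triage helper for the MPTCP timer data race advisory; not code from
# the advisory, Halo, or the Linux kernel project. It answers the two questions
# the Operational Fix section asks first: is this kernel below the fixed
# release, and is MPTCP built in, enabled, and actually carrying sockets?
# The fixed release is NOT given on the advisory page: pass the version from
# your distribution's errata as $1. File paths are parameters so the parsers
# can run against constructed input; live-host defaults are in triage_report.
# The script name mptcp_triage.sh is an assumption.

# Return 0 if kernel release $1 (e.g. "6.8.0-45-generic") is at or above $2
# (e.g. "6.8.0-46"). Numeric fields are split on any non-digit run, so a
# distribution ABI number after the dash counts; missing fields compare as 0.
# Release-candidate suffixes (-rc3) are not handled; distro kernels lack them.
kernel_at_least() {
    awk -v have="$1" -v want="$2" 'BEGIN {
        n = split(have, h, /[^0-9]+/); m = split(want, w, /[^0-9]+/)
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            a = (h[i] == "") ? 0 : h[i] + 0
            b = (w[i] == "") ? 0 : w[i] + 0
            if (a < b) exit 1
            if (a > b) exit 0
        }
        exit 0
    }'
}

# Print yes/no for CONFIG_MPTCP=y in a kernel config file ($1), typically
# /boot/config-$(uname -r) or a decompressed /proc/config.gz. CONFIG_MPTCP
# is a bool, not tristate, so "=y" is the only value to look for.
mptcp_built_in() {
    if grep -q '^CONFIG_MPTCP=y' "$1" 2>/dev/null; then echo yes; else echo no; fi
}

# Print the runtime switch net.mptcp.enabled (1 on, 0 off) from a proc tree
# rooted at $1 (default: the real /), or "absent" if this kernel exposes no
# MPTCP sysctl at all.
mptcp_enabled() {
    f="${1:-}/proc/sys/net/mptcp/enabled"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# Count MPTCP sockets in `ss -M -n` output read from stdin: one socket per
# line after the header. Any live MPTCP socket means the path manager, and
# with it the address-addition timer this advisory concerns, is active.
count_mptcp_sockets() {
    awk 'NR > 1 && NF > 0 { n++ } END { print n + 0 }'
}

# Combine the signals into one verdict:
#   unknown  no fixed release supplied, so patch state cannot be judged
#   patched  kernel at or above the fixed release
#   n/a      MPTCP not compiled into this kernel
#   exposed  vulnerable kernel, MPTCP enabled and carrying sockets
#   latent   vulnerable kernel with MPTCP built in but disabled or unused
# Arguments: $1 running release, $2 fixed release, $3 built-in yes/no,
#            $4 net.mptcp.enabled value, $5 MPTCP socket count.
triage_verdict() {
    [ -n "$2" ] || { echo unknown; return; }
    if kernel_at_least "$1" "$2"; then echo patched; return; fi
    [ "$3" = yes ] || { echo n/a; return; }
    if [ "$4" = 1 ] && [ "${5:-0}" -gt 0 ]; then echo exposed; else echo latent; fi
}

# Constructed sample (not captured from a real host): two established MPTCP
# sockets laid out the way `ss -M -n` prints them.
SAMPLE_SS_OUTPUT='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0      0      10.0.0.2:45678     10.0.0.1:443
ESTAB 0      0      10.0.0.2:45680     10.0.0.1:443'

# Offline walk-through: hypothetical 6.8.0-45 kernel, hypothetical 6.8.0-46
# fix, MPTCP built in and enabled, sockets from the sample above -> exposed.
demo_verdict() {
    socks=$(printf '%s\n' "$SAMPLE_SS_OUTPUT" | count_mptcp_sockets)
    triage_verdict "6.8.0-45-generic" "6.8.0-46" yes 1 "$socks"
}

# Live host: sh mptcp_triage.sh <fixed-release-from-your-errata>
# Falls back to /proc/config.gz when /boot/config-<release> is unreadable;
# if neither exists the config check reports "no" and the verdict is n/a.
triage_report() {
    rel=$(uname -r)
    cfg="/boot/config-$rel"
    if [ ! -r "$cfg" ]; then cfg=$(mktemp); zcat /proc/config.gz > "$cfg" 2>/dev/null; fi
    built=$(mptcp_built_in "$cfg")
    enabled=$(mptcp_enabled)
    socks=$(ss -M -n 2>/dev/null | count_mptcp_sockets)
    printf 'kernel=%s mptcp_built_in=%s net.mptcp.enabled=%s mptcp_sockets=%s verdict=%s\n' \
        "$rel" "$built" "$enabled" "$socks" \
        "$(triage_verdict "$rel" "$1" "$built" "$enabled" "$socks")"
}

# Only run the live report when invoked as the script with a fixed release;
# sourcing the file just defines the functions.
if [ -n "${1:-}" ] && [ "${0##*/}" = "mptcp_triage.sh" ]; then triage_report "$1"; fi
```

Sourced into a shell, `demo_verdict` returns `exposed`; run as `sh mptcp_triage.sh 6.8.0-46` on a host it prints one line that configuration management can collect fleet-wide. The `latent` verdict deserves attention: a host with MPTCP compiled in but `net.mptcp.enabled=0` is not exercising the timer today, yet a single sysctl change puts it in scope, so it still belongs in the patch queue rather than the exception list.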
