CVE-2026-45631: Linux Kernel MPTCP Race Condition Use-After-Free
TL;DR - High-severity Linux kernel flaw in MPTCP caused by a race-triggered use-after-free. - Confirmed affected versions are Linux kernel releases before 6.14.8. - Upgrade promptly; no confirmed in-the-wild exploitation or verified public PoC is known from available sources.
| Field | Value |
|---|---|
| CVE ID | CVE-2026-45631 |
| CVSS score | 7.8 (High) |
| Attack vector | Local |
| Auth required | Low privileges required |
| Patch status | Fixed upstream in Linux kernel 6.14.8 |
What this Vulnerability Is and Why It Matters
CVE-2026-45631 is a CWE-416 use-after-free vulnerability in the Linux kernel’s Multipath TCP (MPTCP) subsystem. According to NVD, the bug exists in the mptcp_pm_nl_set_flags helper function, where a race condition can leave an entry detached from a list without being re-added. This creates a path for concurrent access to freed memory.
For defenders, the practical takeaway is that this is not a remote network-edge bug. The CVSS vector is AV:L/AC:L/PR:L/UI:N, which means exploitation would require local access with low privileges and no user interaction. This issue is significant in multi-user Linux environments, developer workstations, shared compute nodes, and managed hosting environments where low-privileged shell access is realistic. A kernel use-after-free can lead to crashes, memory corruption, and potential privilege escalation depending on exploit reliability and local hardening.
Exploitation Status: What Is Known and What Is Not
At the time of writing, there is no confirmed evidence of exploitation in the wild from the available sources. Specifically, CVE-2026-45631 is not listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog. That said, defenders should avoid reading “not in KEV” as “safe to ignore.” Kernel race-condition flaws can become more interesting over time if exploit development matures.
Affected Versions and Fixed Versions
The clearest confirmed affected range from the source material is:
- Affected: Linux kernel versions before 6.14.8
- Fixed upstream: Linux kernel 6.14.8
Most enterprise systems do not track the upstream kernel version string directly; they track a vendor-packaged kernel with downstream backports. If you rely on Ubuntu, SUSE, or Red Hat-compatible distributions, use the vendor security tracker and package changelog rather than assuming upstream version comparison alone is sufficient.
Who Should Prioritize This First
Organizations with a high density of Linux endpoints and servers should treat this CVE differently depending on exposure. The highest priority environments are those where untrusted or semi-trusted users can obtain local execution: bastion hosts, shell servers, academic systems, and Kubernetes worker nodes.
Technical Deep Dive
The vulnerability centers on list management under concurrent access in the MPTCP path manager code. Kernel memory-safety bugs can have unpredictable effects on integrity and availability beyond straightforward privilege escalation.
What Defenders Should Do Next
First, identify Linux systems that either run upstream kernels before 6.14.8 or vendor kernel packages that have not yet incorporated the fix. Prioritize systems with local-user exposure, shared access, or less-trusted workloads.
For further information, you can check related resources: - CVE-2026-44717 - Threat Digest - 2026-05-27
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.
Detection and Exposure Assessment
The most reliable first step is to determine whether your systems are running an affected kernel or a vendor package that has not yet incorporated the fix. Monitor for suspicious local activity paired with kernel crashes, OOPS traces, or unusual MPTCP netlink interactions.
Technical Notes
Check the running kernel and installed packages:
uname -r
cat /proc/version
Mitigation and Patching Guidance
The primary mitigation is to upgrade to a kernel build that includes the fix. The only directly confirmed upstream fixed version is Linux kernel 6.14.8. If you maintain upstream or near-upstream kernels, that gives you a clear floor: systems running earlier than 6.14.8 should be considered affected until updated.
If immediate patching is not possible, a temporary workaround is to disable MPTCP if your workloads do not require it.