eastbaycyber

CVE-2026-45631: Linux Kernel MPTCP Race Condition Use-After-Free

CVE explainers 3 min read
SR
Security Research Desk Expert reviewed
Threat intelligence · Human-verified · Updated 2026-05-29
▲ Escalation ViewOne CVE, briefed at three altitudes — skim the Brief, weigh the Impact, or work the Runbook. The way a SOC actually reads it.
CISOBrief · 30-second brief

TL;DR - High-severity Linux kernel flaw in MPTCP caused by a race-triggered use-after-free. - Confirmed affected versions are Linux kernel releases before 6.14.8. - Upgrade promptly; no confirmed in-the-wild exploitation or verified public PoC is known from available sources.

Field Value
CVE ID CVE-2026-45631
CVSS score 7.8 (High)
Attack vector Local
Auth required Low privileges required
Patch status Fixed upstream in Linux kernel 6.14.8

What this Vulnerability Is and Why It Matters

CVE-2026-45631 is a CWE-416 use-after-free vulnerability in the Linux kernel’s Multipath TCP (MPTCP) subsystem. According to NVD, the bug exists in the mptcp_pm_nl_set_flags helper function, where a race condition can leave an entry detached from a list without being re-added. This creates a path for concurrent access to freed memory.

For defenders, the practical takeaway is that this is not a remote network-edge bug. The CVSS vector is AV:L/AC:L/PR:L/UI:N, which means exploitation would require local access with low privileges and no user interaction. This issue is significant in multi-user Linux environments, developer workstations, shared compute nodes, and managed hosting environments where low-privileged shell access is realistic. A kernel use-after-free can lead to crashes, memory corruption, and potential privilege escalation depending on exploit reliability and local hardening.

Exploitation Status: What Is Known and What Is Not

At the time of writing, there is no confirmed evidence of exploitation in the wild from the available sources. Specifically, CVE-2026-45631 is not listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog. That said, defenders should avoid reading “not in KEV” as “safe to ignore.” Kernel race-condition flaws can become more interesting over time if exploit development matures.

AnalystImpact · assess the risk

Affected Versions and Fixed Versions

The clearest confirmed affected range from the source material is:

  • Affected: Linux kernel versions before 6.14.8
  • Fixed upstream: Linux kernel 6.14.8

Most enterprise systems do not track the upstream kernel version string directly; they track a vendor-packaged kernel with downstream backports. If you rely on Ubuntu, SUSE, or Red Hat-compatible distributions, use the vendor security tracker and package changelog rather than assuming upstream version comparison alone is sufficient.

Who Should Prioritize This First

Organizations with a high density of Linux endpoints and servers should treat this CVE differently depending on exposure. The highest priority environments are those where untrusted or semi-trusted users can obtain local execution: bastion hosts, shell servers, academic systems, and Kubernetes worker nodes.

Technical Deep Dive

The vulnerability centers on list management under concurrent access in the MPTCP path manager code. Kernel memory-safety bugs can have unpredictable effects on integrity and availability beyond straightforward privilege escalation.

What Defenders Should Do Next

First, identify Linux systems that either run upstream kernels before 6.14.8 or vendor kernel packages that have not yet incorporated the fix. Prioritize systems with local-user exposure, shared access, or less-trusted workloads.

For further information, you can check related resources: - CVE-2026-44717 - Threat Digest - 2026-05-27

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

ResponderRunbook · act now

Detection and Exposure Assessment

The most reliable first step is to determine whether your systems are running an affected kernel or a vendor package that has not yet incorporated the fix. Monitor for suspicious local activity paired with kernel crashes, OOPS traces, or unusual MPTCP netlink interactions.

Technical Notes

Check the running kernel and installed packages:

uname -r
cat /proc/version

Mitigation and Patching Guidance

The primary mitigation is to upgrade to a kernel build that includes the fix. The only directly confirmed upstream fixed version is Linux kernel 6.14.8. If you maintain upstream or near-upstream kernels, that gives you a clear floor: systems running earlier than 6.14.8 should be considered affected until updated.

If immediate patching is not possible, a temporary workaround is to disable MPTCP if your workloads do not require it.

Last verified: 2026-05-29

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.