CVE-2026-46137
CRITICAL
Published May 28, 2026
Modified May 30, 2026
Description
In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: ADD_ADDR rtx: fix potential data-race This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock(). If the socket is in use, retry again soon after, similar to what is done with the keepalive timer.
CVSS v3.1 Score
9.8
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS — Exploit Prediction
0.0050
Probability of exploitation
0.39%
Percentile rank
EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.
References
Other References
https://git.kernel.org/stable/c/013dcdc1961543b9a3433466bc8c79a2f4ca75b5
https://git.kernel.org/stable/c/2ad56e434199ca24a812bb353667aa1c3860f513
https://git.kernel.org/stable/c/5cd6e0ad79d2615264f63929f8b457ad97ae550d
https://git.kernel.org/stable/c/6e4710d7d8782cb61af29a7e7111ddfc38b9e1a3
https://git.kernel.org/stable/c/cc3c0399361efaaf7ae64262eb3f70829b1189c6
Frequently Asked Questions
What is CVE-2026-46137? +
In the Linux kernel, the following vulnerability has been resolved:
mptcp: pm: ADD_ADDR rtx: fix potential data-race
This mptcp_pm_add_timer() helper is executed as a timer callback in
softirq context. To avoid any data races, the socket lock needs to be
held with bh_lock_sock().
If the socket is in use, retry again soon after, similar to what is done
with the keepalive timer. It has a CVSS v3.1 base score of 9.8 (CRITICAL).
How severe is CVE-2026-46137? +
CVE-2026-46137 has a CVSS v3.1 score of 9.8 out of 10, rated CRITICAL. This is a critical vulnerability that should be patched immediately. The EPSS score is 0.0050, placing it in the 0th percentile for exploitation probability.
How do I check if I'm vulnerable to CVE-2026-46137? +
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.