CVE-2026-53183 in Linux

Summary

by MITRE • 06/25/2026

In the Linux kernel, the following vulnerability has been resolved:

mptcp: allow subflow rcv wnd to shrink

In an MPTCP connection, the `window` field in the TCP header refers to the MPTCP-level rcv_nxt and its right edge should not move backward. Such constraint is enforced at DSS option generation time.

At the same time, the TCP stack ensures independently that the TCP-level rcv wnd right edge does not move backward. That in turn causes artificial inflation of the MPTCP rcv window when the incoming data is acked at the TCP level and is OoO in the MPTCP sequence space (or lands in the backlog).

As a consequence, the incoming traffic can exceed the receiver rcvbuf size even when the sender is not misbehaving.

Prevent such a scenario by forcibly allowing the TCP subflow to shrink the TCP-level rcv wnd regardless of the current netns setting.


Analysis

by VulDB Data Team • 06/25/2026

The vulnerability described affects the Linux kernel's implementation of the Multipath TCP (MPTCP) protocol, specifically addressing a critical issue in how receive window management operates across subflows. This flaw manifests in the MPTCP connection handling where the window field within TCP headers incorrectly manages the MPTCP-level receive next pointer rcv_nxt, which should maintain a monotonically increasing right edge to prevent backward movement. The MPTCP implementation enforces this constraint during DSS (Data Sequence Signal) option generation, creating a complex interaction between MPTCP-level and TCP-level window management mechanisms that ultimately leads to buffer overflow conditions.

The technical flaw arises from the independent enforcement of window boundary constraints at both MPTCP and TCP protocol layers. While MPTCP ensures its own receive window right edge does not regress through proper validation during DSS option generation, the underlying TCP stack simultaneously maintains its own constraint preventing backward movement of the TCP-level receive window. This dual enforcement creates a scenario where data acknowledged at the TCP level but arriving out-of-order in the MPTCP sequence space gets artificially inflated into the MPTCP receive window calculation. When such out-of-order data lands in the MPTCP backlog, it causes the effective receive window to expand beyond its intended boundaries, allowing incoming traffic to exceed the configured receiver buffer size even when the sender operates correctly within protocol specifications.

This vulnerability directly impacts system stability and resource management by creating conditions where network buffers can be exceeded without legitimate cause, potentially leading to denial of service scenarios or memory exhaustion attacks. The operational impact extends beyond simple buffer overflow as it represents a fundamental misalignment in how MPTCP handles sequence space management versus TCP-level acknowledgment processing. This inconsistency creates an attack surface where malicious actors could potentially exploit the window inflation behavior to consume system resources more rapidly than intended, effectively bypassing normal traffic control mechanisms that should prevent such overflows.

The mitigation strategy involves forcibly allowing TCP subflows to shrink their TCP-level receive window regardless of current network namespace settings, which essentially overrides the default behavior that prevents backward movement of the TCP receive window. This approach addresses the root cause by ensuring that MPTCP can properly control its effective receive window size without interference from the TCP stack's independent enforcement mechanisms. The solution aligns with established security practices for protocol implementation where lower-level protocol constraints must not undermine higher-level protocol integrity, particularly in complex multipath scenarios where multiple subflows interact with shared resource management systems.

This vulnerability demonstrates characteristics consistent with CWE-129 and CWE-787, representing issues in input validation and buffer overflow protection within network protocol implementations. The exploitation pattern aligns with ATT&CK techniques involving privilege escalation through resource exhaustion attacks, where the window management inconsistency creates a vector for consuming system resources beyond normal operational parameters. The fix essentially implements a more precise control mechanism for receive window management that respects both MPTCP's requirements for proper sequence space handling and TCP's need for reliable data delivery while preventing the artificial inflation that leads to buffer overflows in multipath scenarios.
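The commit message and the analysis above both describe the same two-layer interaction: the TCP stack refuses to let a subflow's window right edge move backward, while MPTCP reinterprets the same header field relative to its own data-level rcv_nxt. The following Python model is an added illustration, not kernel code from the patch or from VulDB: it keeps only the logic the commit message talks about, borrows the names `tcp_select_window` and `mptcp_set_rwin` from the kernel routines it stands in for, ignores window scaling and memory accounting, and uses constructed byte counts. The `shrink_allowed` flag plays the role of the per-netns setting the commit refers to (the `tcp_shrink_window` sysctl, which the page itself does not name).

```python
"""Simplified model of the MPTCP/TCP receive-window interaction described in
CVE-2026-53183.  Added illustration, not kernel code: function names follow the
kernel routines they stand in for, but the bodies carry only the constraints
the commit message describes.  All byte counts are constructed."""

from dataclasses import dataclass

RCVBUF = 65536  # constructed receiver buffer size (bytes)


@dataclass
class Msk:
    """MPTCP-level socket state."""
    rcvbuf: int = RCVBUF
    ack_seq: int = 0            # MPTCP-level rcv_nxt (data sequence space)
    queued: int = 0             # bytes held (in-order + OoO); app is not reading
    rcv_wnd_sent: int = RCVBUF  # MPTCP right edge last advertised (from handshake)


@dataclass
class Subflow:
    """TCP-level state of one subflow."""
    tcp_rcv_nxt: int = 0
    rcv_wup: int = 0            # tcp_rcv_nxt at the time the last window was sent
    rcv_wnd: int = RCVBUF       # last window value placed in this subflow's header


def tcp_select_window(sub: Subflow, free_space: int, shrink_allowed: bool) -> int:
    """TCP-level choice: the TCP right edge (rcv_wup + rcv_wnd) must not move
    backward unless shrinking is allowed (the behaviour the fix forces on)."""
    cur_win = sub.rcv_wup + sub.rcv_wnd - sub.tcp_rcv_nxt
    new_win = max(free_space, 0)
    if new_win < cur_win and not shrink_allowed:
        new_win = cur_win
    return new_win


def mptcp_set_rwin(msk: Msk, sub: Subflow, win: int) -> int:
    """DSS-time constraint: the header window is relative to the MPTCP-level
    ack_seq, and that right edge must not move backward."""
    edge = msk.ack_seq + win
    if edge < msk.rcv_wnd_sent:
        win = msk.rcv_wnd_sent - msk.ack_seq
        edge = msk.rcv_wnd_sent
    msk.rcv_wnd_sent = edge
    # the TCP stack remembers what went on the wire relative to its own rcv_nxt
    sub.rcv_wup = sub.tcp_rcv_nxt
    sub.rcv_wnd = win
    return win


def send_ack(msk: Msk, sub: Subflow, shrink_allowed: bool) -> int:
    """Emit an ACK on `sub`; returns the MPTCP-level right edge it advertises."""
    free_space = msk.rcvbuf - msk.queued
    win = tcp_select_window(sub, free_space, shrink_allowed)
    mptcp_set_rwin(msk, sub, win)
    return msk.rcv_wnd_sent


def scenario(shrink_allowed: bool, ooo_bytes: int = 16384, gap_bytes: int = 8192) -> int:
    """Replay the case from the commit message and return how many bytes beyond
    rcvbuf the advertised MPTCP right edge lets the sender put in flight
    (0 means the window stays bounded by the buffer)."""
    msk, sub_a = Msk(), Subflow()
    # 1. subflow A receives `ooo_bytes` that are in order at the TCP level but
    #    out of order in the MPTCP sequence space (a `gap_bytes` hole precedes them)
    sub_a.tcp_rcv_nxt += ooo_bytes
    msk.queued += ooo_bytes
    send_ack(msk, sub_a, shrink_allowed)
    # 2. another subflow fills the hole; MPTCP ack_seq jumps past the OoO data,
    #    nothing has been read by the application, and subflow A acks again
    msk.queued += gap_bytes
    msk.ack_seq += gap_bytes + ooo_bytes
    edge = send_ack(msk, sub_a, shrink_allowed)
    return max(edge - msk.rcvbuf, 0)


if __name__ == "__main__":
    print("bytes beyond rcvbuf, TCP window may not shrink:", scenario(False))
    print("bytes beyond rcvbuf, TCP window may shrink:    ", scenario(True))
```

In step 1 the MPTCP constraint lifts the header window back up to the full buffer even though the TCP-level rcv_nxt has already advanced, so the TCP stack records a right edge that sits `ooo_bytes` past the buffer. In step 2 the TCP non-shrink rule then holds that window value, but the sender reads it relative to the now-larger MPTCP ack_seq, so the MPTCP right edge lands `gap_bytes + ooo_bytes` beyond what the buffer can hold. With shrinking allowed, the second ACK advertises the real free space and the MPTCP edge stays exactly at the buffer size, which is the behaviour the fix restores.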

Responsible

Linux

Reservation

06/09/2026

Disclosure

06/25/2026

Moderation

accepted

CPE

ready

EPSS

0.00180

KEV

no

Activities

very low
