In the Linux kernel, the following vulnerability has been resolved:
mptcp: do not account for OoO in mptcprcvbufgrow()
MPTCP-level OoOs are physiological when multiple subflows are active concurrently and will not cause retransmissions nor are caused by drops.
Accounting for them in mptcprcvbufgrow() causes the rcvbuf slowly drifting towards tcp_rmem[2].
Remove such accounting. Note that subflows will still account for TCP-level OoO when the MPTCP-level rcvbuf is propagated.
This also closes a subtle and very unlikely race condition with rcvspace init; active sockets with user-space holding the msk-level socket lock, could complete such initialization in the receive callback, after that the first OoO data reaches the rcvbuf and potentially triggering a divide by zero Oops.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45889.json",
"cna_assigner": "Linux"
}