ACK: [SRU][Q][PATCH 0/1] CVE-2026-46137

Jian Hui Lee jianhui.lee at canonical.com
Tue Jul 7 03:29:44 UTC 2026


Acked-by: Jian Hui Lee <jianhui.lee at canonical.com>

On Wed, Jun 24, 2026 at 4:42 PM Cengiz Can via kernel-team
<kernel-team at lists.ubuntu.com> wrote:
>
> https://ubuntu.com/security/CVE-2026-46137
>
> [ Impact ]
>
> The mptcp_pm_add_timer() helper runs as a timer callback in softirq context but
> did not hold the socket lock, leaving it open to a data race. Concurrent access
> to the socket state from the timer callback and other paths could corrupt MPTCP
> path manager state handling the ADD_ADDR retransmission. Given the network-
> reachable nature of MPTCP, this race could be triggered remotely and lead to
> memory corruption or denial of service.
>
> [ Fix ]
>
> questing: backported with AI-assisted adaptation
>
> [ Test Plan ]
>
> Boot tested.
>
> [ Where Problems Could Occur ]
>
> A regression in this fix would affect the MPTCP path manager subsystem,
> specifically ADD_ADDR retransmission timer handling. Incorrect locking with
> bh_lock_sock() could introduce deadlocks or fail to reschedule the timer when
> the socket is in use, disrupting MPTCP address advertisement.
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team



More information about the kernel-team mailing list