CVE-2026-53183
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk40th percentile — higher than 40% of all known CVEs
Summary
In the Linux kernel's MPTCP implementation, a vulnerability was found where the TCP receive window is artificially inflated. When data is acknowledged at the TCP level but is out-of-order in the MPTCP sequence space, the receive window cannot shrink, causing the receive buffer to be exceeded. The patch allows the TCP subflow to shrink the receive window regardless of network settings.
Risk Assessment
The organization is at risk of receive buffer overflow, leading to packet drops and performance degradation of MPTCP connections, even when the sender behaves correctly.
Recommendation
Immediately update the Linux kernel to a version containing the fix for CVE-2026-53183. After the update, monitor receive buffer usage in MPTCP connections.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: mptcp: allow subflow rcv wnd to shrink In MPTCP connection, the `window` field in the TCP header refers to the MPTCP-level rcv_nxt and it's right edge should not move backward. Such constraint is enforced at DSS option generation time. At the same time, the TCP stack ensures independently that the TCP-level rcv wnd right's edge does not move backward. That in turn causes artificial inflating of the MPTCP rcv window when the incoming data is acked at the TCP level and is OoO in the MPTCP sequence space (or lands in the backlog). As a consequence, the incoming traffic can exceed the receiver rcvbuf size even when the sender is not misbehaving. Prevent such scenario forcibly allowing the TCP subflow to shrink the TCP-level rcv wnd regardless of the current netns setting.

