A critical vulnerability in the Linux kernel's MultiPath TCP (MPTCP) implementation could allow network-based attackers to crash systems by sending specially crafted packets that balloon receive window sizes beyond safe limits. Tracked as CVE-2026-53183, the flaw stems from improper accounting in the MPTCP subsystem's receive buffer management. The National Vulnerability Database published the disclosure on June 25, 2026, after the kernel maintainers released a fix via the stable kernel tree.
The bug, reported directly to the kernel security team, lies deep in how MPTCP tracks memory allocations for incoming data streams. By manipulating the TCP window scaling parameters, an unauthenticated remote attacker can force the kernel to inflate its internal window accounting structure, ultimately leading to memory corruption or an out-of-bounds condition. Systems running any kernel version from 5.6 to the latest pre-patch builds with MPTCP enabled are at risk. While exploitation does not grant code execution, it delivers a reliable, often one-shot, denial of service (DoS) condition, bringing affected servers, routers, and cloud instances to a grinding halt.
What is MPTCP and Why It Matters Now
MultiPath TCP, specified in RFC 6824 and revised as MPTCP v1 in RFC 8684 (the version the Linux kernel implements), upends the traditional single-path networking model. Instead of a single TCP connection bound to one network interface, MPTCP stripes traffic across multiple paths simultaneously. A smartphone might combine Wi-Fi and cellular data; a data center server can aggregate multiple NICs for higher throughput and seamless failover. Apple has used it for Siri since iOS 7, and adoption on Linux has surged over the past two years, driven by multi-homed Kubernetes nodes and Linux-based load balancers. Many modern Linux distributions build the kernel with CONFIG_MPTCP and leave net.mptcp.enabled at its default of 1, although an application still has to ask for MPTCP explicitly by creating its socket with IPPROTO_MPTCP.
This growing ubiquity turns what could have been a niche bug into a widespread threat. Cloud providers running Linux VMs, ISPs operating MPTCP load balancers, and enterprise edge devices all face immediate exposure. Even Windows users are indirectly affected: Windows Subsystem for Linux 2 (WSL2) ships a full Linux kernel that includes MPTCP support. MPTCP is not active by default in most WSL2 configurations, but any user or tool that enables it, perhaps for development or testing, exposes the WSL2 virtual machine to the same attack from anything that can reach its listening sockets.
Inside CVE-2026-53183: The Window Inflation Bug
The vulnerability originates in the mptcp_rcv_space_adjust() function, which is responsible for tracking the receive window, the amount of data the system can buffer before a sender must pause. Under normal operation, the kernel caps the window at a maximum derived from the configured receive-buffer limits. A flaw in the feedback loop between the MPTCP layer and the underlying TCP subflows, however, let an attacker poison the sequence space and inflate the computed window beyond the memory actually allocated for the socket.
When a remote peer sends a series of specially crafted ACK packets carrying manipulated SACK (Selective Acknowledgment) blocks and out-of-order sequence numbers, the code miscalculates how far to grow sk->sk_rcvbuf. Instead of being clamped to the maximum configured in net.ipv4.tcp_rmem, the internal value can wrap or overflow. The result: the kernel allocates too little memory for incoming segments while continuing to advertise an enormous receive window, and memory is corrupted when the sender floods data into the over-committed space.
The attack requires no authentication and can be launched from any remote IP that can complete an MPTCP handshake with an exposed service. One caveat on scope: a Linux socket only speaks MPTCP if it was created with IPPROTO_MPTCP, either directly or through a wrapper such as mptcpize that rewrites the socket() call. A plain TCP listener ignores the MP_CAPABLE option in an incoming SYN and the connection falls back to ordinary TCP, so enabling MPTCP globally does not by itself expose services that never opened an MPTCP socket; the exposed surface is the set of MPTCP listeners on the host. Researchers at the Zero-Day Initiative confirmed a proof-of-concept exploit that panics a target kernel in under 15 seconds with minimal bandwidth.
Impact Assessment: Who Must Patch Immediately
The CVSS 3.1 score of 7.5 (High) reflects the ease of exploitation and the severe availability impact. However, the attack does not compromise confidentiality or integrity. Systems most at risk include:
- Publicly exposed Linux servers: Web servers, mail servers, and any TCP service that can be reached from the internet.
- MPTCP load balancers and proxies: Devices that actively terminate MPTCP connections, such as HAProxy (3.1 and later) configured with mptcp@ bind addresses, are prime targets.
- Containerized environments: Docker or Kubernetes nodes where the shared host kernel handles every MPTCP socket opened by any pod, so one MPTCP-speaking workload exposes the whole node, even if nothing else on it uses MPTCP.
- WSL2 and other Microsoft-shipped Linux kernels such as Azure Sphere: these inherit the MPTCP code from the Linux kernel they are built from, though exploitation may require local network access or a configuration that enables MPTCP.
Partial mitigation exists: setting net.mptcp.enabled=0 via sysctl stops the kernel from creating new MPTCP sockets and removes the attack surface. Note that this is not a silent fallback: once disabled, a socket(AF_INET, SOCK_STREAM, IPPROTO_MPTCP) call fails with ENOPROTOOPT, so applications that do not retry with plain TCP will break. Many production systems rely on MPTCP for load balancing and cannot afford to turn it off. For those, patching is the only recourse.
The Fix and How to Apply It
Kernel maintainers backported a minimal set of patches to stable releases longterm 5.10, 5.15, 6.1, and 6.6, as well as the mainline 6.7 release. The fix introduces rigorous clamping of the receive buffer size after every window update, mirroring the logic used in regular TCP's tcp_rcv_space_adjust(). Additionally, the patch adds an explicit integer overflow check in the MPTCP path manager when accumulating subflow window sizes.
To apply the fix, system administrators should:
- Identify your kernel version: run uname -r.
- Check your distribution's security advisory for CVE-2026-53183. Major distributions including Ubuntu, Red Hat, SUSE, and Amazon Linux 2 released updates within 48 hours.
- Update the kernel with the package manager: sudo apt update && sudo apt upgrade linux-image-generic on Ubuntu (Debian's metapackage is linux-image-amd64), or sudo yum update kernel (sudo dnf update kernel on current releases) on RHEL/CentOS.
- Reboot into the new kernel. For live-patching services such as KernelCare or kpatch, check whether a live patch is available; as of June 26, 2026, live patches for this CVE were still pending.
- Verify MPTCP status: cat /proc/sys/net/mptcp/enabled prints 1 when MPTCP is enabled. Leave it at 1 only if something on the host actually needs MPTCP (ss -M lists the MPTCP sockets currently open, which tells you whether anything is using it); otherwise set it to 0 for defense in depth.
For WSL2 users, the fix arrives with the WSL kernel package: run wsl --update, or take it through Windows Update on installations that still receive the kernel that way. Microsoft typically ships WSL2 kernel updates on the second Tuesday of each month, so the July 2026 release should carry the corrected kernel. Until then, if you have enabled MPTCP for networking experiments, disable it via sysctl from within the WSL2 instance.
A Deeper Dive: Why MPTCP Window Accounting Is Hard
The root cause of CVE-2026-53183 traces back to the architectural complexity of MPTCP's receive window management. Regular TCP maintains a single receive window for the entire connection. MPTCP aggregates multiple subflows, each with its own sequence space and window, into a single meta-window. The meta-window is not simply the sum of subflow windows because subflows may share the same application-layer receive buffer. The kernel must constantly recompute how much data the overall connection can accept, balancing memory consumption across subflows.
In the vulnerable code, the function failed to re-check the total allocated memory after increasing a subflow's window. An attacker could open two or more subflows to the same MPTCP connection, advertise tiny windows on all but one, then abruptly open the window on the remaining subflow wide while the others remained starved. This lopsided distribution pushed the meta-window calculation past the maximum threshold without the kernel noticing.
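As an added illustration, written for this page and not taken from the kernel, the following C model shows the two accounting rules the fix is described as adding and the lopsided-subflow scenario above: per-subflow windows accumulated with an overflow check, the aggregate clamped to the receive-buffer ceiling, and the invariant that an advertised window must fit inside the memory actually allocated. All names, the 4 MiB limit standing in for the tcp_rmem maximum, and the sample window values are assumptions chosen for the example.

```c
/* Added example: a standalone model of MPTCP meta-window accounting, not
 * kernel code. Names, limits and sample windows are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the tcp_rmem maximum (net.ipv4.tcp_rmem[2]); value assumed. */
#define RMEM_MAX_ASSUMED (4u * 1024u * 1024u)

struct subflow {
    uint32_t wnd;   /* window the peer advertised on this subflow, after scaling */
};

/* Constructed scenarios. "lopsided" is the attack shape described above: one
 * subflow kept starved, the other abruptly opened as wide as the field allows.
 * "large" exceeds the ceiling without wrapping; "modest" is ordinary traffic. */
static const struct subflow modest[2]   = { { 65535u },    { 65535u } };
static const struct subflow large[2]    = { { 3u << 20 },  { 3u << 20 } };
static const struct subflow lopsided[2] = { { 0x10u },     { 0xFFFFFFF8u } };

/* Vulnerable shape: plain uint32_t accumulation wraps silently. */
uint32_t meta_window_unchecked(const struct subflow *sf, size_t n)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += sf[i].wnd;                 /* 0x10 + 0xFFFFFFF8 wraps to 8 */
    return total;
}

/* Hardened shape: detect the wrap, and clamp whatever survives to the ceiling,
 * the way tcp_rcv_space_adjust() clamps the TCP receive buffer. */
uint32_t meta_window_checked(const struct subflow *sf, size_t n, uint32_t limit)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (__builtin_add_overflow(total, sf[i].wnd, &total))
            return limit;                   /* overflow: saturate, never trust the sum */
    }
    return total > limit ? limit : total;
}

/* The invariant the bug breaks: never advertise more than the unused part of
 * the buffer actually allocated for the socket. */
bool advertised_window_fits(uint32_t advertised, uint32_t rcvbuf, uint32_t queued)
{
    return queued <= rcvbuf && advertised <= rcvbuf - queued;
}

int main(void)
{
    uint32_t naive = meta_window_unchecked(lopsided, 2);
    uint32_t safe  = meta_window_checked(lopsided, 2, RMEM_MAX_ASSUMED);

    printf("lopsided: unchecked sum=%u checked=%u\n", naive, safe);
    /* If the buffer were sized from the wrapped sum while the wide subflow's
     * window were still advertised, the invariant fails. */
    printf("wide window fits a buffer sized from the wrapped sum? %s\n",
           advertised_window_fits(lopsided[1].wnd, naive, 0) ? "yes" : "no");
    printf("large: unchecked=%u checked=%u\n",
           meta_window_unchecked(large, 2),
           meta_window_checked(large, 2, RMEM_MAX_ASSUMED));
    printf("modest: checked=%u\n", meta_window_checked(modest, 2, RMEM_MAX_ASSUMED));
    return 0;
}
```

The two checks are deliberately separate: the overflow test catches a wrap that the clamp alone would miss (a wrapped sum of 8 is well under any ceiling and would sail through), while the clamp catches honest sums that are simply too large for the configured buffer.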
Security researcher János Böhm, who discovered the flaw, noted that the issue remained hidden for years because most MPTCP testing focused on throughput and failover, not adversarial window manipulation. He found it while fuzzing the MPTCP state machine with mutated ACK packets. Kernel maintainer Paolo Abeni provided the fix within a week, highlighting the project's mature security response.
Broader Implications and the Rise of MPTCP Attacks
CVE-2026-53183 is not an isolated incident. As MPTCP gains traction, attackers are increasingly targeting its complex handshake and connection management. Earlier in 2026, a related vulnerability (CVE-2026-21995) allowed information leaks through uninitialized memory in MPTCP options. High-profile multipath deployments such as Apple Private Relay and Google's multipath QUIC experiments raise the stakes.
For Windows enthusiasts, this serves as a reminder that subsystems like WSL2 blur traditional security boundaries. While the Windows NT kernel itself is immune to this specific bug, a compromised WSL2 instance could pivot to attack the host via other vectors, or simply consume the memory and CPU the host has granted the VM. Defense-in-depth practices demand treating WSL2 instances as fully separate Linux machines and applying patches immediately.
Network equipment vendors like Arista and Cisco have already incorporated the fix into their next firmware releases for MPTCP-aware switches. Cloud providers, including AWS and Google Cloud, patched their hypervisor kernels within hours, but tenant-managed VMs remain the responsibility of the customer. GCP's Mandiant threat intelligence reported no active exploitation in the wild as of June 28, but proof-of-concept code circulating on GitHub raises the threat level.
Steps to Detect and Prevent Exploitation
Organizations without an immediate patch capability can implement workarounds:
- Disable MPTCP completely: sudo sysctl -w net.mptcp.enabled=0, and add net.mptcp.enabled=0 to /etc/sysctl.conf (or a file under /etc/sysctl.d/) so it survives a reboot.
- Use iptables/nftables to drop MPTCP handshakes: all MPTCP signalling travels in TCP option kind 30, with MP_CAPABLE as subtype 0, so a rule that drops inbound SYNs carrying option 30 (the iptables tcp match supports --tcp-option 30; nftables expresses it as tcp option mptcp exists) prevents any MPTCP connection from being established. Clients that insist on MP_CAPABLE cannot connect until they retry without it, and the rule will also break legitimate MPTCP traffic if you later re-enable the feature.
- Employ network IDS signatures: Snort and Suricata rules have been released to detect the malformed ACK pattern. The emerging threat feed ET Open Rule ID 2026745 blocks suspicious window scaling values.
- Monitor kernel logs: The fix adds a rate-limited warning "MPTCP: rcvbuf overflow prevented" when the clamping kicks in; if you see this pre-patch, it indicates a potential attack.
Long-term, the MPTCP development community is discussing a redesign of the window accounting to use compiler-checked integer bounds and hardware memory protection features like Arm Memory Tagging Extension (MTE) to catch such overflows automatically. Until then, regular patching remains the cornerstone of defense.
Conclusion
CVE-2026-53183 exposes the delicate dance of modern networking protocols and the kernel memory management that supports them. A single logic error in receive window accounting can down a server faster than a DDoS attack. With MPTCP's rapid adoption across mobile, cloud, and edge computing, this bug serves as a wake-up call for network engineers and system administrators alike. Apply the kernel update now, and if you rely on WSL2 for cross-platform development, ensure your Windows Update includes the July kernel patch. The internet's backbone runs on Linux; a few lines of corrected code prevent a world of pain.