CVE-2026-43029
Published: 01 May 2026
Summary
CVE-2026-43029 is a high-severity Improper Locking (CWE-667) vulnerability in the Linux kernel. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It ranks at the 13.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-5 (Denial-of-service Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the CVE by identifying, prioritizing, and applying kernel patches that fix the infinite loop in mptcp_recvmsg() caused by MSG_PEEK | MSG_WAITALL.
Provides denial-of-service protections such as rate limiting or traffic filtering to reduce the likelihood of triggering the MPTCP soft lockup via network data reception.
Ensures resource availability by implementing CPU limits or quotas to prevent prolonged hogging from the kernel soft lockup on affected cores.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote exploitation of the Linux kernel MPTCP implementation to trigger a soft lockup and CPU hogging, directly facilitating Endpoint Denial of Service via Application or System Exploitation.
NVD Description
In the Linux kernel, the following vulnerability has been resolved:
mptcp: fix soft lockup in mptcp_recvmsg()
syzbot reported a soft lockup in mptcp_recvmsg() [0].
When receiving data with MSG_PEEK | MSG_WAITALL flags, the skb is not removed from the sk_receive_queue. This causes sk_wait_data() to always find available data and never perform actual waiting, leading to a soft lockup.
Fix this by adding a 'last' parameter to track the last peeked skb. This allows sk_wait_data() to make informed waiting decisions and prevent infinite loops when MSG_PEEK is used.
[0]:
watchdog: BUG: soft lockup - CPU#2 stuck for 156s! [server:1963]
Modules linked in:
CPU: 2 UID: 0 PID: 1963 Comm: server Not tainted 6.19.0-rc8 #61 PREEMPT(none)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:sk_wait_data+0x15/0x190
Code: 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 41 56 41 55 41 54 49 89 f4 55 48 89 d5 53 48 89 fb <48> 83 ec 30 65 48 8b 05 17 a4 6b 01 48 89 44 24 28 31 c0 65 48 8b
RSP: 0018:ffffc90000603ca0 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ffff888102bf0800 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffffc90000603d18 RDI: ffff888102bf0800
RBP: 0000000000000000 R08: 0000000000000002 R09: 0000000000000101
R10: 0000000000000000 R11: 0000000000000075 R12: ffffc90000603d18
R13: ffff888102bf0800 R14: ffff888102bf0800 R15: 0000000000000000
FS: 00007f6e38b8c4c0(0000) GS:ffff8881b877e000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055aa7bff1680 CR3: 0000000105cbe000 CR4: 00000000000006f0
Call Trace:
<TASK>
mptcp_recvmsg+0x547/0x8c0 net/mptcp/protocol.c:2329
inet_recvmsg+0x11f/0x130 net/ipv4/af_inet.c:891
sock_recvmsg+0x94/0xc0 net/socket.c:1100
__sys_recvfrom+0xb2/0x130 net/socket.c:2256
__x64_sys_recvfrom+0x1f/0x30 net/socket.c:2267
do_syscall_64+0x59/0x2d0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x76/0x7e arch/x86/entry/entry_64.S:131
RIP: 0033:0x7f6e386a4a1d
Code: 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 8d 05 f1 de 2c 00 41 89 ca 8b 00 85 c0 75 20 45 31 c9 45 31 c0 b8 2d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 6b f3 c3 66 0f 1f 84 00 00 00 00 00 41 56 41
RSP: 002b:00007ffc3c4bb078 EFLAGS: 00000246 ORIG_RAX: 000000000000002d
RAX: ffffffffffffffda RBX: 000000000000861e RCX: 00007f6e386a4a1d
RDX: 00000000000003ff RSI: 00007ffc3c4bb150 RDI: 0000000000000004
RBP: 00007ffc3c4bb570 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000103 R11: 0000000000000246 R12: 00005605dbc00be0
R13: 00007ffc3c4bb650 R14: 0000000000000000 R15: 0000000000000000
</TASK>
Deeper analysis
CVE-2026-43029 is a vulnerability in the Linux kernel's Multipath TCP (MPTCP) implementation, specifically within the mptcp_recvmsg() function. It manifests as a soft lockup triggered when receiving data using the MSG_PEEK | MSG_WAITALL flags. In this scenario, socket buffer (skb) data is not removed from the sk_receive_queue, causing sk_wait_data() to repeatedly detect available data without performing actual waiting. This results in an infinite loop and CPU soft lockup, as reported by syzbot fuzzing on kernel version 6.19.0-rc8.
A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. By sending data to an MPTCP socket on a vulnerable system where an application invokes recvmsg() with MSG_PEEK | MSG_WAITALL, the attacker induces a soft lockup in the kernel, leading to high availability impact through prolonged CPU hogging on the affected core. The CVSS v3.1 base score of 7.5 reflects this denial-of-service potential (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Mitigation is provided through kernel patches in the stable repository. Relevant commits include 58b58b9ba89c43914eea90c18928e51852d10c24, 5dd8025a49c268ab6b94d978532af3ad341132a7, and de3c248d1b69eaefa2d5b3da4005936dcf590f1b, which introduce a 'last' parameter to mptcp_recvmsg() for tracking the last peeked skb. This enables sk_wait_data() to make proper waiting decisions and avoid infinite loops during peeking operations.
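The wait decision described above, as a simplified user-space model added here for illustration; it is not kernel code and not the actual patch. The names model_sock, data_ready and peek_waitall, the segment sizes and the loop budget are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model, not kernel code: the receive queue is an array of
 * segment lengths and the tail is the newest queued segment. */
struct model_sock { size_t seg[8]; int nsegs; };
struct result { int spins; int sleeps; size_t peeked; };

/* True when the wait helper would return at once instead of sleeping. */
static bool data_ready(const struct model_sock *sk, bool fixed, int last)
{
    if (!fixed)
        return sk->nsegs > 0;        /* already-peeked data still counts */
    return sk->nsegs - 1 != last;    /* only data newer than the last peeked one */
}

/* One recv(MSG_PEEK | MSG_WAITALL) for `want` bytes; peeking reads the queue
 * without dequeuing. `budget` bounds the loop so the model terminates. */
struct result peek_waitall(const struct model_sock *sk, size_t want, bool fixed, int budget)
{
    struct result r = {0, 0, 0};
    while (r.spins < budget) {
        int last = -1;
        r.peeked = 0;
        for (int i = 0; i < sk->nsegs && r.peeked < want; i++) {
            size_t room = want - r.peeked;
            r.peeked += sk->seg[i] < room ? sk->seg[i] : room;
            last = i;
        }
        if (r.peeked >= want)
            break;                   /* MSG_WAITALL satisfied */
        if (!data_ready(sk, fixed, last)) {
            r.sleeps++;              /* task would block until new data arrives */
            break;
        }
        r.spins++;                   /* wait returned immediately: loop again */
    }
    return r;
}

int main(void)
{
    struct model_sock sk = { {100, 200}, 2 };   /* 300 bytes queued, 1023 wanted */
    struct result v = peek_waitall(&sk, 1023, false, 1000);
    struct result f = peek_waitall(&sk, 1023, true, 1000);
    printf("pre-fix spins=%d sleeps=%d; post-fix spins=%d sleeps=%d\n",
           v.spins, v.sleeps, f.spins, f.sleeps);
    return 0;
}
```

With the pre-fix predicate the loop exhausts its budget without ever sleeping, which is the model's analogue of the soft lockup; with the 'last' comparison the task sleeps once and the CPU is released.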
Details
- CWE(s)