What is CVE-2026-45889?

CVE-2026-45889 is a unscored severity Linux kernel vulnerability, affecting Linux kernel versions from 6.18 onward and patched in 6.18.14, 6.19.4 and 7.0. CVE-2026-45889 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2026-45889?

CVE-2026-45889 has a CVSS score of pending NVD analysis out of 10, rated awaiting scoring severity.

Is there a patch available for CVE-2026-45889?

Yes, CVE-2026-45889 has been patched. Fixed versions include 6.18.14, 6.19.4 and 7.0. If you are running Linux kernel 6.18 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2026-45889 actively exploited?

CVE-2026-45889 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2026-45889

In the Linux kernel, the following vulnerability has been resolved: mptcp: do not account for OoO in mptcp_rcvbuf_grow() MPTCP-level OoOs are physiological when multiple subflows are active concurrently and will not cause retransmissions nor are caused by drops. Accounting for them in mptcp_rcvbuf_grow() causes the rcvbuf slowly drifting towards tcp_rmem[2]. Remove such accounting. Note that subflows will still account for TCP-level OoO when the MPTCP-level rcvbuf is propagated. This also closes a subtle and very unlikely race condition with rcvspace init; active sockets with user-space holding the msk-level socket lock, could complete such initialization in the receive callback, after that the first OoO data reaches the rcvbuf and potentially triggering a divide by zero Oops.

Package Linux Kernel

Published 2026-05-27

Last modified 2026-05-27

Patch available

Yes

Affected versions

Linux kernel versions 6.18 and later are affected. Fixed in 6.18.14, 6.19.4, 7.0 and their respective stable series.

Affected from

≥ 6.18

Fixed in

✓ 6.18.14 6.18.x ✓ 6.19.4 6.19.x ✓ 7.0

References

The following references provide additional information about CVE-2026-45889 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/400ee4854adef1e4983812a3decf6717ea020136
Patch
Kernel patch commit
https://git.kernel.org/stable/c/6b329393502e5857662b851a13f947209c588587
Patch
Kernel patch commit
https://git.kernel.org/stable/c/fb7bf00b04a6b48859f52035d4e745848c2b4c79
Patch

Frequently asked questions

What is CVE-2026-45889?

CVE-2026-45889 is a unscored severity Linux kernel vulnerability . It affects Linux kernel versions from 6.18 onward and has been patched in 6.18.14, 6.19.4 and 7.0. CVE-2026-45889 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
Is there a patch available for CVE-2026-45889?

Yes — CVE-2026-45889 has been patched. Fixed versions include 6.18.14, 6.19.4 and 7.0. If you are running Linux kernel 6.18 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2026-45889 actively exploited?

No — CVE-2026-45889 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.