CVE-2025-38491
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 28/07/2025
Last modified: 07/01/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

mptcp: make fallback action and fallback decision atomic

Syzkaller reported the following splat:

WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 __mptcp_do_fallback net/mptcp/protocol.h:1223 [inline]
WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 mptcp_do_fallback net/mptcp/protocol.h:1244 [inline]
WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 check_fully_established net/mptcp/options.c:982 [inline]
WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 mptcp_incoming_options+0x21a8/0x2510 net/mptcp/options.c:1153
Modules linked in:
CPU: 1 UID: 0 PID: 7704 Comm: syz.3.1419 Not tainted 6.16.0-rc3-gbd5ce2324dba #20 PREEMPT(voluntary)
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:__mptcp_do_fallback net/mptcp/protocol.h:1223 [inline]
RIP: 0010:mptcp_do_fallback net/mptcp/protocol.h:1244 [inline]
RIP: 0010:check_fully_established net/mptcp/options.c:982 [inline]
RIP: 0010:mptcp_incoming_options+0x21a8/0x2510 net/mptcp/options.c:1153
Call Trace:

tcp_reset+0x26f/0x2b0 net/ipv4/tcp_input.c:4432
tcp_validate_incoming+0x1057/0x1b60 net/ipv4/tcp_input.c:5975
tcp_rcv_established+0x5b5/0x21f0 net/ipv4/tcp_input.c:6166
tcp_v4_do_rcv+0x5dc/0xa70 net/ipv4/tcp_ipv4.c:1925
tcp_v4_rcv+0x3473/0x44a0 net/ipv4/tcp_ipv4.c:2363
ip_protocol_deliver_rcu+0xba/0x480 net/ipv4/ip_input.c:205
ip_local_deliver_finish+0x2f1/0x500 net/ipv4/ip_input.c:233
NF_HOOK include/linux/netfilter.h:317 [inline]
NF_HOOK include/linux/netfilter.h:311 [inline]
ip_local_deliver+0x1be/0x560 net/ipv4/ip_input.c:254
dst_input include/net/dst.h:469 [inline]
ip_rcv_finish net/ipv4/ip_input.c:447 [inline]
NF_HOOK include/linux/netfilter.h:317 [inline]
NF_HOOK include/linux/netfilter.h:311 [inline]
ip_rcv+0x514/0x810 net/ipv4/ip_input.c:567
__netif_receive_skb_one_core+0x197/0x1e0 net/core/dev.c:5975
__netif_receive_skb+0x1f/0x120 net/core/dev.c:6088
process_backlog+0x301/0x1360 net/core/dev.c:6440
__napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7453
napi_poll net/core/dev.c:7517 [inline]
net_rx_action+0xb44/0x1010 net/core/dev.c:7644
handle_softirqs+0x1d0/0x770 kernel/softirq.c:579
do_softirq+0x3f/0x90 kernel/softirq.c:480


__local_bh_enable_ip+0xed/0x110 kernel/softirq.c:407
local_bh_enable include/linux/bottom_half.h:33 [inline]
inet_csk_listen_stop+0x2c5/0x1070 net/ipv4/inet_connection_sock.c:1524
mptcp_check_listen_stop.part.0+0x1cc/0x220 net/mptcp/protocol.c:2985
mptcp_check_listen_stop net/mptcp/mib.h:118 [inline]
__mptcp_close+0x9b9/0xbd0 net/mptcp/protocol.c:3000
mptcp_close+0x2f/0x140 net/mptcp/protocol.c:3066
inet_release+0xed/0x200 net/ipv4/af_inet.c:435
inet6_release+0x4f/0x70 net/ipv6/af_inet6.c:487
__sock_release+0xb3/0x270 net/socket.c:649
sock_close+0x1c/0x30 net/socket.c:1439
__fput+0x402/0xb70 fs/file_table.c:465
task_work_run+0x150/0x240 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop+0xd4
---truncated---
Impact
Base Score 3.x: 5.50
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.10.228 (including) | 5.11 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.15.169 (including) | 5.16 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.19 (including) | 6.1.149 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.101 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.40 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.15.8 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.16:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.16:rc4:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.16:rc5:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.16:rc6:*:*:*:*:*:* | | |
| cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/1d82a8fe6ee4afdc92f4e8808c9dad2a6095bbc5
- https://git.kernel.org/stable/c/54999dea879fecb761225e28f274b40662918c30
- https://git.kernel.org/stable/c/5586518bec27666c747cd52aabb62d485686d0bf
- https://git.kernel.org/stable/c/75a4c9ab8a7af0d76b31ccd1188ed178c38b35d2
- https://git.kernel.org/stable/c/f8a1d9b18c5efc76784f5a326e905f641f839894
- https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html



