CVE-2025-21875— mptcp: always handle address removal under msk socket lock
Affected Version Matrix 16
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | b6c08380860b926752d57c8fa9911fa388c4b876< 494ec285535632732eaa5786297a9ae4f731b5ff | affected |
b6c08380860b926752d57c8fa9911fa388c4b876< 7cca31035c05819643ffb5d7518e9a331b3f6651 | affected | ||
b6c08380860b926752d57c8fa9911fa388c4b876< 8116fb4acd5d3f06cd37f84887dbe962b6703b1c | affected | ||
b6c08380860b926752d57c8fa9911fa388c4b876< a05da2be18aae7e82572f8d795f41bb49f5dfc7d | affected | ||
b6c08380860b926752d57c8fa9911fa388c4b876< 4124b782ec2b1e2e490cf0bbf10f53dfd3479890 | affected | ||
b6c08380860b926752d57c8fa9911fa388c4b876< 2c3de6dff4373f1036e003f49a32629359530bdb | affected | ||
b6c08380860b926752d57c8fa9911fa388c4b876< f865c24bc55158313d5779fc81116023a6940ca3 | affected | ||
5.10 | affected | ||
| … +8 more rows | |||
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-21875
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
mptcp: always handle address removal under msk socket lock
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: mptcp: always handle address removal under msk socket lock Syzkaller reported a lockdep splat in the PM control path: WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 sock_owned_by_me include/net/sock.h:1711 [inline] WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 msk_owned_by_me net/mptcp/protocol.h:363 [inline] WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 mptcp_pm_nl_addr_send_ack+0x57c/0x610 net/mptcp/pm_netlink.c:788 Modules linked in: CPU: 0 UID: 0 PID: 6693 Comm: syz.0.205 Not tainted 6.14.0-rc2-syzkaller-00303-gad1b832bf1cf #0 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 RIP: 0010:sock_owned_by_me include/net/sock.h:1711 [inline] RIP: 0010:msk_owned_by_me net/mptcp/protocol.h:363 [inline] RIP: 0010:mptcp_pm_nl_addr_send_ack+0x57c/0x610 net/mptcp/pm_netlink.c:788 Code: 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 ca 7b d3 f5 eb b9 e8 c3 7b d3 f5 90 0f 0b 90 e9 dd fb ff ff e8 b5 7b d3 f5 90 <0f> 0b 90 e9 3e fb ff ff 44 89 f1 80 e1 07 38 c1 0f 8c eb fb ff ff RSP: 0000:ffffc900034f6f60 EFLAGS: 00010283 RAX: ffffffff8bee3c2b RBX: 0000000000000001 RCX: 0000000000080000 RDX: ffffc90004d42000 RSI: 000000000000a407 RDI: 000000000000a408 RBP: ffffc900034f7030 R08: ffffffff8bee37f6 R09: 0100000000000000 R10: dffffc0000000000 R11: ffffed100bcc62e4 R12: ffff88805e6316e0 R13: ffff88805e630c00 R14: dffffc0000000000 R15: ffff88805e630c00 FS: 00007f7e9a7e96c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b2fd18ff8 CR3: 0000000032c24000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> mptcp_pm_remove_addr+0x103/0x1d0 net/mptcp/pm.c:59 mptcp_pm_remove_anno_addr+0x1f4/0x2f0 net/mptcp/pm_netlink.c:1486 mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_netlink.c:1518 [inline] mptcp_pm_nl_del_addr_doit+0x118d/0x1af0 net/mptcp/pm_netlink.c:1629 genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline] genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0xb1f/0xec0 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x206/0x480 net/netlink/af_netlink.c:2543 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline] netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1348 netlink_sendmsg+0x8de/0xcb0 net/netlink/af_netlink.c:1892 sock_sendmsg_nosec net/socket.c:718 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:733 ____sys_sendmsg+0x53a/0x860 net/socket.c:2573 ___sys_sendmsg net/socket.c:2627 [inline] __sys_sendmsg+0x269/0x350 net/socket.c:2659 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f7e9998cde9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f7e9a7e9038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f7e99ba5fa0 RCX: 00007f7e9998cde9 RDX: 000000002000c094 RSI: 0000400000000000 RDI: 0000000000000007 RBP: 00007f7e99a0e2a0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f7e99ba5fa0 R15: 00007fff49231088 Indeed the PM can try to send a RM_ADDR over a msk without acquiring first the msk socket lock. The bugged code-path comes from an early optimization: when there are no subflows, the PM should (usually) not send RM_ADDR notifications. The above statement is incorrect, as without locks another process could concur ---truncated---
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于mptcp未在锁保护下处理地址移除操作,可能导致竞争条件。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2025-21875
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-21875
请登录查看更多情报信息。
Patches & Fixes for CVE-2025-21875 (7)
Same Patch Batch · Linux · 2025-03-27 · 124 CVEs total
| CVE-2023-52982 | fscache: Use wait_on_bit() to wait for the freeing of relinquished volume | |
| CVE-2023-52998 | net: fec: Use page_pool_put_full_page when freeing rx buffers | |
| CVE-2023-52999 | net: fix UaF in netns ops registration error path | |
| CVE-2023-52997 | ipv4: prevent potential spectre v1 gadget in ip_metrics_convert() | |
| CVE-2023-52996 | ipv4: prevent potential spectre v1 gadget in fib_metrics_match() | |
| CVE-2023-52995 | riscv/kprobe: Fix instruction simulation of JALR | |
| CVE-2023-52994 | acpi: Fix suspend with Xen PV | |
| CVE-2023-52993 | x86/i8259: Mark legacy PIC interrupts with IRQ_LEVEL | |
| CVE-2023-52992 | bpf: Skip task with pid=1 in send_signal_common() | |
| CVE-2023-52991 | net: fix NULL pointer in skb_segment_list | |
| CVE-2023-52989 | firewire: fix memory leak for payload of request subaction to IEC 61883-1 FCP region | |
| CVE-2023-52988 | ALSA: hda/via: Avoid potential array out-of-bound in add_secret_dac_path() | |
| CVE-2023-52987 | ASoC: SOF: ipc4-mtrace: prevent underflow in sof_ipc4_priority_mask_dfs_write() | |
| CVE-2023-52986 | bpf, sockmap: Check for any of tcp_bpf_prots when cloning a listener | |
| CVE-2023-52985 | arm64: dts: imx8mm-verdin: Do not power down eth-phy | |
| CVE-2023-52984 | net: phy: dp83822: Fix null pointer access on DP83825/DP83826 devices | |
| CVE-2023-52973 | vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF | |
| CVE-2022-49761 | btrfs: always report error in run_one_delayed_ref() | |
| CVE-2022-49760 | mm/hugetlb: fix PTE marker handling in hugetlb_change_protection() | |
| CVE-2023-52974 | scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress |
Showing top 20 of 124 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-46243
smb: client: reject userspace cifs.spnego descriptions - CVE-2026-46242
eventpoll: fix ep_remove struct eventpoll / struct file UAF - CVE-2026-46241
spi: mpc52xx: fix use-after-free on registration failure - CVE-2026-46239
media: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl - CVE-2026-46240
media: iris: Fix use-after-free in iris_release_internal_buf
Same vendor: Linux
- CVE-2026-46243
smb: client: reject userspace cifs.spnego descriptions - CVE-2026-46242
eventpoll: fix ep_remove struct eventpoll / struct file UAF - CVE-2026-46241
spi: mpc52xx: fix use-after-free on registration failure - CVE-2026-46239
media: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl - CVE-2026-46240
media: iris: Fix use-after-free in iris_release_internal_buf
V. Comments for CVE-2025-21875
No comments yet