CVE-2025-21938 (GCVE-0-2025-21938)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:41 – Updated: 2026-05-11 21:09
VLAI
Title
mptcp: fix 'scheduling while atomic' in mptcp_pm_nl_append_new_local_addr
Summary
In the Linux kernel, the following vulnerability has been resolved: mptcp: fix 'scheduling while atomic' in mptcp_pm_nl_append_new_local_addr If multiple connection requests attempt to create an implicit mptcp endpoint in parallel, more than one caller may end up in mptcp_pm_nl_append_new_local_addr because none found the address in local_addr_list during their call to mptcp_pm_nl_get_local_id. In this case, the concurrent new_local_addr calls may delete the address entry created by the previous caller. These deletes use synchronize_rcu, but this is not permitted in some of the contexts where this function may be called. During packet recv, the caller may be in a rcu read critical section and have preemption disabled. An example stack: BUG: scheduling while atomic: swapper/2/0/0x00000302 Call Trace: <IRQ> dump_stack_lvl (lib/dump_stack.c:117 (discriminator 1)) dump_stack (lib/dump_stack.c:124) __schedule_bug (kernel/sched/core.c:5943) schedule_debug.constprop.0 (arch/x86/include/asm/preempt.h:33 kernel/sched/core.c:5970) __schedule (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:207 kernel/sched/features.h:29 kernel/sched/core.c:6621) schedule (arch/x86/include/asm/preempt.h:84 kernel/sched/core.c:6804 kernel/sched/core.c:6818) schedule_timeout (kernel/time/timer.c:2160) wait_for_completion (kernel/sched/completion.c:96 kernel/sched/completion.c:116 kernel/sched/completion.c:127 kernel/sched/completion.c:148) __wait_rcu_gp (include/linux/rcupdate.h:311 kernel/rcu/update.c:444) synchronize_rcu (kernel/rcu/tree.c:3609) mptcp_pm_nl_append_new_local_addr (net/mptcp/pm_netlink.c:966 net/mptcp/pm_netlink.c:1061) mptcp_pm_nl_get_local_id (net/mptcp/pm_netlink.c:1164) mptcp_pm_get_local_id (net/mptcp/pm.c:420) subflow_check_req (net/mptcp/subflow.c:98 net/mptcp/subflow.c:213) subflow_v4_route_req (net/mptcp/subflow.c:305) tcp_conn_request (net/ipv4/tcp_input.c:7216) subflow_v4_conn_request (net/mptcp/subflow.c:651) tcp_rcv_state_process (net/ipv4/tcp_input.c:6709) tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1934) tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2334) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205 (discriminator 1)) ip_local_deliver_finish (include/linux/rcupdate.h:813 net/ipv4/ip_input.c:234) ip_local_deliver (include/linux/netfilter.h:314 include/linux/netfilter.h:308 net/ipv4/ip_input.c:254) ip_sublist_rcv_finish (include/net/dst.h:461 net/ipv4/ip_input.c:580) ip_sublist_rcv (net/ipv4/ip_input.c:640) ip_list_rcv (net/ipv4/ip_input.c:675) __netif_receive_skb_list_core (net/core/dev.c:5583 net/core/dev.c:5631) netif_receive_skb_list_internal (net/core/dev.c:5685 net/core/dev.c:5774) napi_complete_done (include/linux/list.h:37 include/net/gro.h:449 include/net/gro.h:444 net/core/dev.c:6114) igb_poll (drivers/net/ethernet/intel/igb/igb_main.c:8244) igb __napi_poll (net/core/dev.c:6582) net_rx_action (net/core/dev.c:6653 net/core/dev.c:6787) handle_softirqs (kernel/softirq.c:553) __irq_exit_rcu (kernel/softirq.c:588 kernel/softirq.c:427 kernel/softirq.c:636) irq_exit_rcu (kernel/softirq.c:651) common_interrupt (arch/x86/kernel/irq.c:247 (discriminator 14)) </IRQ> This problem seems particularly prevalent if the user advertises an endpoint that has a different external vs internal address. In the case where the external address is advertised and multiple connections already exist, multiple subflow SYNs arrive in parallel which tends to trigger the race during creation of the first local_addr_list entries which have the internal address instead. Fix by skipping the replacement of an existing implicit local address if called via mptcp_pm_nl_get_local_id.
Severity
4.7 (Medium)
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: d045b9eb95a9b611c483897a69e7285aefdc66d7 , < f1404f368c40fc6a068dad72e4ee0824ee6a78ee (git)
Affected: d045b9eb95a9b611c483897a69e7285aefdc66d7 , < f3fcdb2de9fdbed9d8c6a8eb2c5fbd7d6f54a4d8 (git)
Affected: d045b9eb95a9b611c483897a69e7285aefdc66d7 , < 4b228dae3d2cc6d9dce167449cd8fa9f028e9376 (git)
Affected: d045b9eb95a9b611c483897a69e7285aefdc66d7 , < 125ccafe6dd062901b5a0c31ee9038740fc8859e (git)
Affected: d045b9eb95a9b611c483897a69e7285aefdc66d7 , < 022bfe24aad8937705704ff2e414b100cf0f2e1a (git)
Create a notification for this product.
Linux Linux Affected: 5.18
Unaffected: 0 , < 5.18 (semver)
Unaffected: 6.1.131 , ≤ 6.1.* (semver)
Unaffected: 6.6.83 , ≤ 6.6.* (semver)
Unaffected: 6.12.19 , ≤ 6.12.* (semver)
Unaffected: 6.13.7 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:39:37.579Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/pm_netlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f1404f368c40fc6a068dad72e4ee0824ee6a78ee",
              "status": "affected",
              "version": "d045b9eb95a9b611c483897a69e7285aefdc66d7",
              "versionType": "git"
            },
            {
              "lessThan": "f3fcdb2de9fdbed9d8c6a8eb2c5fbd7d6f54a4d8",
              "status": "affected",
              "version": "d045b9eb95a9b611c483897a69e7285aefdc66d7",
              "versionType": "git"
            },
            {
              "lessThan": "4b228dae3d2cc6d9dce167449cd8fa9f028e9376",
              "status": "affected",
              "version": "d045b9eb95a9b611c483897a69e7285aefdc66d7",
              "versionType": "git"
            },
            {
              "lessThan": "125ccafe6dd062901b5a0c31ee9038740fc8859e",
              "status": "affected",
              "version": "d045b9eb95a9b611c483897a69e7285aefdc66d7",
              "versionType": "git"
            },
            {
              "lessThan": "022bfe24aad8937705704ff2e414b100cf0f2e1a",
              "status": "affected",
              "version": "d045b9eb95a9b611c483897a69e7285aefdc66d7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/pm_netlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.18"
            },
            {
              "lessThan": "5.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.131",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.131",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.83",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.19",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.7",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix \u0027scheduling while atomic\u0027 in mptcp_pm_nl_append_new_local_addr\n\nIf multiple connection requests attempt to create an implicit mptcp\nendpoint in parallel, more than one caller may end up in\nmptcp_pm_nl_append_new_local_addr because none found the address in\nlocal_addr_list during their call to mptcp_pm_nl_get_local_id.  In this\ncase, the concurrent new_local_addr calls may delete the address entry\ncreated by the previous caller.  These deletes use synchronize_rcu, but\nthis is not permitted in some of the contexts where this function may be\ncalled.  During packet recv, the caller may be in a rcu read critical\nsection and have preemption disabled.\n\nAn example stack:\n\n   BUG: scheduling while atomic: swapper/2/0/0x00000302\n\n   Call Trace:\n   \u003cIRQ\u003e\n   dump_stack_lvl (lib/dump_stack.c:117 (discriminator 1))\n   dump_stack (lib/dump_stack.c:124)\n   __schedule_bug (kernel/sched/core.c:5943)\n   schedule_debug.constprop.0 (arch/x86/include/asm/preempt.h:33 kernel/sched/core.c:5970)\n   __schedule (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:207 kernel/sched/features.h:29 kernel/sched/core.c:6621)\n   schedule (arch/x86/include/asm/preempt.h:84 kernel/sched/core.c:6804 kernel/sched/core.c:6818)\n   schedule_timeout (kernel/time/timer.c:2160)\n   wait_for_completion (kernel/sched/completion.c:96 kernel/sched/completion.c:116 kernel/sched/completion.c:127 kernel/sched/completion.c:148)\n   __wait_rcu_gp (include/linux/rcupdate.h:311 kernel/rcu/update.c:444)\n   synchronize_rcu (kernel/rcu/tree.c:3609)\n   mptcp_pm_nl_append_new_local_addr (net/mptcp/pm_netlink.c:966 net/mptcp/pm_netlink.c:1061)\n   mptcp_pm_nl_get_local_id (net/mptcp/pm_netlink.c:1164)\n   mptcp_pm_get_local_id (net/mptcp/pm.c:420)\n   subflow_check_req (net/mptcp/subflow.c:98 net/mptcp/subflow.c:213)\n   subflow_v4_route_req (net/mptcp/subflow.c:305)\n   tcp_conn_request (net/ipv4/tcp_input.c:7216)\n   subflow_v4_conn_request (net/mptcp/subflow.c:651)\n   tcp_rcv_state_process (net/ipv4/tcp_input.c:6709)\n   tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1934)\n   tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2334)\n   ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205 (discriminator 1))\n   ip_local_deliver_finish (include/linux/rcupdate.h:813 net/ipv4/ip_input.c:234)\n   ip_local_deliver (include/linux/netfilter.h:314 include/linux/netfilter.h:308 net/ipv4/ip_input.c:254)\n   ip_sublist_rcv_finish (include/net/dst.h:461 net/ipv4/ip_input.c:580)\n   ip_sublist_rcv (net/ipv4/ip_input.c:640)\n   ip_list_rcv (net/ipv4/ip_input.c:675)\n   __netif_receive_skb_list_core (net/core/dev.c:5583 net/core/dev.c:5631)\n   netif_receive_skb_list_internal (net/core/dev.c:5685 net/core/dev.c:5774)\n   napi_complete_done (include/linux/list.h:37 include/net/gro.h:449 include/net/gro.h:444 net/core/dev.c:6114)\n   igb_poll (drivers/net/ethernet/intel/igb/igb_main.c:8244) igb\n   __napi_poll (net/core/dev.c:6582)\n   net_rx_action (net/core/dev.c:6653 net/core/dev.c:6787)\n   handle_softirqs (kernel/softirq.c:553)\n   __irq_exit_rcu (kernel/softirq.c:588 kernel/softirq.c:427 kernel/softirq.c:636)\n   irq_exit_rcu (kernel/softirq.c:651)\n   common_interrupt (arch/x86/kernel/irq.c:247 (discriminator 14))\n   \u003c/IRQ\u003e\n\nThis problem seems particularly prevalent if the user advertises an\nendpoint that has a different external vs internal address.  In the case\nwhere the external address is advertised and multiple connections\nalready exist, multiple subflow SYNs arrive in parallel which tends to\ntrigger the race during creation of the first local_addr_list entries\nwhich have the internal address instead.\n\nFix by skipping the replacement of an existing implicit local address if\ncalled via mptcp_pm_nl_get_local_id."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:09:26.612Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f1404f368c40fc6a068dad72e4ee0824ee6a78ee"
        },
        {
          "url": "https://git.kernel.org/stable/c/f3fcdb2de9fdbed9d8c6a8eb2c5fbd7d6f54a4d8"
        },
        {
          "url": "https://git.kernel.org/stable/c/4b228dae3d2cc6d9dce167449cd8fa9f028e9376"
        },
        {
          "url": "https://git.kernel.org/stable/c/125ccafe6dd062901b5a0c31ee9038740fc8859e"
        },
        {
          "url": "https://git.kernel.org/stable/c/022bfe24aad8937705704ff2e414b100cf0f2e1a"
        }
      ],
      "title": "mptcp: fix \u0027scheduling while atomic\u0027 in mptcp_pm_nl_append_new_local_addr",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21938",
    "datePublished": "2025-04-01T15:41:04.886Z",
    "dateReserved": "2024-12-29T08:45:45.789Z",
    "dateUpdated": "2026-05-11T21:09:26.612Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-21938",
      "date": "2026-06-07",
      "epss": "0.00014",
      "percentile": "0.02779"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-21938\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-04-01T16:15:24.667\",\"lastModified\":\"2025-11-03T20:17:30.800\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmptcp: fix \u0027scheduling while atomic\u0027 in mptcp_pm_nl_append_new_local_addr\\n\\nIf multiple connection requests attempt to create an implicit mptcp\\nendpoint in parallel, more than one caller may end up in\\nmptcp_pm_nl_append_new_local_addr because none found the address in\\nlocal_addr_list during their call to mptcp_pm_nl_get_local_id.  In this\\ncase, the concurrent new_local_addr calls may delete the address entry\\ncreated by the previous caller.  These deletes use synchronize_rcu, but\\nthis is not permitted in some of the contexts where this function may be\\ncalled.  During packet recv, the caller may be in a rcu read critical\\nsection and have preemption disabled.\\n\\nAn example stack:\\n\\n   BUG: scheduling while atomic: swapper/2/0/0x00000302\\n\\n   Call Trace:\\n   \u003cIRQ\u003e\\n   dump_stack_lvl (lib/dump_stack.c:117 (discriminator 1))\\n   dump_stack (lib/dump_stack.c:124)\\n   __schedule_bug (kernel/sched/core.c:5943)\\n   schedule_debug.constprop.0 (arch/x86/include/asm/preempt.h:33 kernel/sched/core.c:5970)\\n   __schedule (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:207 kernel/sched/features.h:29 kernel/sched/core.c:6621)\\n   schedule (arch/x86/include/asm/preempt.h:84 kernel/sched/core.c:6804 kernel/sched/core.c:6818)\\n   schedule_timeout (kernel/time/timer.c:2160)\\n   wait_for_completion (kernel/sched/completion.c:96 kernel/sched/completion.c:116 kernel/sched/completion.c:127 kernel/sched/completion.c:148)\\n   __wait_rcu_gp (include/linux/rcupdate.h:311 kernel/rcu/update.c:444)\\n   synchronize_rcu (kernel/rcu/tree.c:3609)\\n   mptcp_pm_nl_append_new_local_addr (net/mptcp/pm_netlink.c:966 net/mptcp/pm_netlink.c:1061)\\n   mptcp_pm_nl_get_local_id (net/mptcp/pm_netlink.c:1164)\\n   mptcp_pm_get_local_id (net/mptcp/pm.c:420)\\n   subflow_check_req (net/mptcp/subflow.c:98 net/mptcp/subflow.c:213)\\n   subflow_v4_route_req (net/mptcp/subflow.c:305)\\n   tcp_conn_request (net/ipv4/tcp_input.c:7216)\\n   subflow_v4_conn_request (net/mptcp/subflow.c:651)\\n   tcp_rcv_state_process (net/ipv4/tcp_input.c:6709)\\n   tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1934)\\n   tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2334)\\n   ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205 (discriminator 1))\\n   ip_local_deliver_finish (include/linux/rcupdate.h:813 net/ipv4/ip_input.c:234)\\n   ip_local_deliver (include/linux/netfilter.h:314 include/linux/netfilter.h:308 net/ipv4/ip_input.c:254)\\n   ip_sublist_rcv_finish (include/net/dst.h:461 net/ipv4/ip_input.c:580)\\n   ip_sublist_rcv (net/ipv4/ip_input.c:640)\\n   ip_list_rcv (net/ipv4/ip_input.c:675)\\n   __netif_receive_skb_list_core (net/core/dev.c:5583 net/core/dev.c:5631)\\n   netif_receive_skb_list_internal (net/core/dev.c:5685 net/core/dev.c:5774)\\n   napi_complete_done (include/linux/list.h:37 include/net/gro.h:449 include/net/gro.h:444 net/core/dev.c:6114)\\n   igb_poll (drivers/net/ethernet/intel/igb/igb_main.c:8244) igb\\n   __napi_poll (net/core/dev.c:6582)\\n   net_rx_action (net/core/dev.c:6653 net/core/dev.c:6787)\\n   handle_softirqs (kernel/softirq.c:553)\\n   __irq_exit_rcu (kernel/softirq.c:588 kernel/softirq.c:427 kernel/softirq.c:636)\\n   irq_exit_rcu (kernel/softirq.c:651)\\n   common_interrupt (arch/x86/kernel/irq.c:247 (discriminator 14))\\n   \u003c/IRQ\u003e\\n\\nThis problem seems particularly prevalent if the user advertises an\\nendpoint that has a different external vs internal address.  In the case\\nwhere the external address is advertised and multiple connections\\nalready exist, multiple subflow SYNs arrive in parallel which tends to\\ntrigger the race during creation of the first local_addr_list entries\\nwhich have the internal address instead.\\n\\nFix by skipping the replacement of an existing implicit local address if\\ncalled via mptcp_pm_nl_get_local_id.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mptcp: correcci\u00f3n de \u0027programaci\u00f3n mientras es at\u00f3mica\u0027 en mptcp_pm_nl_append_new_local_addr Si varias solicitudes de conexi\u00f3n intentan crear un endpoint mptcp impl\u00edcito en paralelo, m\u00e1s de un llamador puede terminar en mptcp_pm_nl_append_new_local_addr porque ninguno encontr\u00f3 la direcci\u00f3n en local_addr_list durante su llamada a mptcp_pm_nl_get_local_id. En este caso, las llamadas new_local_addr concurrentes pueden eliminar la entrada de direcci\u00f3n creada por el llamador anterior. Estas eliminaciones usan synchronize_rcu, pero esto no est\u00e1 permitido en algunos de los contextos donde se puede llamar a esta funci\u00f3n. Durante la recepci\u00f3n de paquetes, el llamador puede estar en una secci\u00f3n cr\u00edtica de lectura de rcu y tener la preempci\u00f3n deshabilitada. Una pila de ejemplo: ERROR: programaci\u00f3n mientras es at\u00f3mica: swapper/2/0/0x00000302 Seguimiento de llamadas:   dump_stack_lvl (lib/dump_stack.c:117 (discriminator 1)) dump_stack (lib/dump_stack.c:124) __schedule_bug (kernel/sched/core.c:5943) schedule_debug.constprop.0 (arch/x86/include/asm/preempt.h:33 kernel/sched/core.c:5970) __schedule (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:207 kernel/sched/features.h:29 kernel/sched/core.c:6621) schedule (arch/x86/include/asm/preempt.h:84 kernel/sched/core.c:6804 kernel/sched/core.c:6818) schedule_timeout (kernel/time/timer.c:2160) wait_for_completion (kernel/sched/completion.c:96 kernel/sched/completion.c:116 kernel/sched/completion.c:127 kernel/sched/completion.c:148) __wait_rcu_gp (include/linux/rcupdate.h:311 kernel/rcu/update.c:444) synchronize_rcu (kernel/rcu/tree.c:3609) mptcp_pm_nl_append_new_local_addr (net/mptcp/pm_netlink.c:966 net/mptcp/pm_netlink.c:1061) mptcp_pm_nl_get_local_id (net/mptcp/pm_netlink.c:1164) mptcp_pm_get_local_id (net/mptcp/pm.c:420) subflow_check_req (net/mptcp/subflow.c:98 net/mptcp/subflow.c:213) subflow_v4_route_req (net/mptcp/subflow.c:305) tcp_conn_request (net/ipv4/tcp_input.c:7216) subflow_v4_conn_request (net/mptcp/subflow.c:651) tcp_rcv_state_process (net/ipv4/tcp_input.c:6709) tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1934) tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2334) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205 (discriminator 1)) ip_local_deliver_finish (include/linux/rcupdate.h:813 net/ipv4/ip_input.c:234) ip_local_deliver (include/linux/netfilter.h:314 include/linux/netfilter.h:308 net/ipv4/ip_input.c:254) ip_sublist_rcv_finish (include/net/dst.h:461 net/ipv4/ip_input.c:580) ip_sublist_rcv (net/ipv4/ip_input.c:640) ip_list_rcv (net/ipv4/ip_input.c:675) __netif_receive_skb_list_core (net/core/dev.c:5583 net/core/dev.c:5631) netif_receive_skb_list_internal (net/core/dev.c:5685 net/core/dev.c:5774) napi_complete_done (include/linux/list.h:37 include/net/gro.h:449 include/net/gro.h:444 net/core/dev.c:6114) igb_poll (drivers/net/ethernet/intel/igb/igb_main.c:8244) igb __napi_poll (net/core/dev.c:6582) net_rx_action (net/core/dev.c:6653 net/core/dev.c:6787) handle_softirqs (kernel/softirq.c:553) __irq_exit_rcu (kernel/softirq.c:588 kernel/softirq.c:427 kernel/softirq.c:636) irq_exit_rcu (kernel/softirq.c:651) common_interrupt (arch/x86/kernel/irq.c:247 (discriminator 14))   Este problema parece ser particularmente frecuente si el usuario anuncia un endpoint que tiene una direcci\u00f3n interna y externa diferente. Si se anuncia la direcci\u00f3n externa y ya existen varias conexiones, llegan varios SYN de subflujo en paralelo, lo que suele desencadenar la ejecuci\u00f3n durante la creaci\u00f3n de las primeras entradas de local_addr_list que contienen la direcci\u00f3n interna. Se soluciona omitiendo el reemplazo de una direcci\u00f3n local impl\u00edcita existente si se llama mediante mptcp_pm_nl_get_local_id.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":4.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.0,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-362\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.18\",\"versionEndExcluding\":\"6.1.131\",\"matchCriteriaId\":\"AEDD8C7D-37B5-46B9-9940-C119E7E07D12\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.83\",\"matchCriteriaId\":\"7D9F642F-6E05-4926-B0FE-62F95B7266BC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.12.19\",\"matchCriteriaId\":\"32865E5C-8AE1-4D3D-A64D-299039694A88\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13\",\"versionEndExcluding\":\"6.13.7\",\"matchCriteriaId\":\"842F5A44-3E71-4546-B4FD-43B0ACE3F32B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"186716B6-2B66-4BD0-852E-D48E71C0C85F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"0D3E781C-403A-498F-9DA9-ECEE50F41E75\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"66619FB8-0AAF-4166-B2CF-67B24143261D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.14:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"D3D6550E-6679-4560-902D-AF52DCFE905B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.14:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"45B90F6B-BEC7-4D4E-883A-9DBADE021750\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/022bfe24aad8937705704ff2e414b100cf0f2e1a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/125ccafe6dd062901b5a0c31ee9038740fc8859e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/4b228dae3d2cc6d9dce167449cd8fa9f028e9376\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/f1404f368c40fc6a068dad72e4ee0824ee6a78ee\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/f3fcdb2de9fdbed9d8c6a8eb2c5fbd7d6f54a4d8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.