FKIE_CVE-2025-71088

Vulnerability from fkie_nvd - Published: 2026-01-13 16:16 - Updated: 2026-03-25 18:56
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: mptcp: fallback earlier on simult connection Syzkaller reports a simult-connect race leading to inconsistent fallback status: WARNING: CPU: 3 PID: 33 at net/mptcp/subflow.c:1515 subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515 Modules linked in: CPU: 3 UID: 0 PID: 33 Comm: ksoftirqd/3 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515 Code: 89 ee e8 78 61 3c f6 40 84 ed 75 21 e8 8e 66 3c f6 44 89 fe bf 07 00 00 00 e8 c1 61 3c f6 41 83 ff 07 74 09 e8 76 66 3c f6 90 <0f> 0b 90 e8 6d 66 3c f6 48 89 df e8 e5 ad ff ff 31 ff 89 c5 89 c6 RSP: 0018:ffffc900006cf338 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff888031acd100 RCX: ffffffff8b7f2abf RDX: ffff88801e6ea440 RSI: ffffffff8b7f2aca RDI: 0000000000000005 RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000007 R10: 0000000000000004 R11: 0000000000002c10 R12: ffff88802ba69900 R13: 1ffff920000d9e67 R14: ffff888046f81800 R15: 0000000000000004 FS: 0000000000000000(0000) GS:ffff8880d69bc000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000560fc0ca1670 CR3: 0000000032c3a000 CR4: 0000000000352ef0 Call Trace: <TASK> tcp_data_queue+0x13b0/0x4f90 net/ipv4/tcp_input.c:5197 tcp_rcv_state_process+0xfdf/0x4ec0 net/ipv4/tcp_input.c:6922 tcp_v6_do_rcv+0x492/0x1740 net/ipv6/tcp_ipv6.c:1672 tcp_v6_rcv+0x2976/0x41e0 net/ipv6/tcp_ipv6.c:1918 ip6_protocol_deliver_rcu+0x188/0x1520 net/ipv6/ip6_input.c:438 ip6_input_finish+0x1e4/0x4b0 net/ipv6/ip6_input.c:489 NF_HOOK include/linux/netfilter.h:318 [inline] NF_HOOK include/linux/netfilter.h:312 [inline] ip6_input+0x105/0x2f0 net/ipv6/ip6_input.c:500 dst_input include/net/dst.h:471 [inline] ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline] NF_HOOK include/linux/netfilter.h:318 [inline] NF_HOOK include/linux/netfilter.h:312 [inline] ipv6_rcv+0x264/0x650 net/ipv6/ip6_input.c:311 __netif_receive_skb_one_core+0x12d/0x1e0 net/core/dev.c:5979 __netif_receive_skb+0x1d/0x160 net/core/dev.c:6092 process_backlog+0x442/0x15e0 net/core/dev.c:6444 __napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7494 napi_poll net/core/dev.c:7557 [inline] net_rx_action+0xa9f/0xfe0 net/core/dev.c:7684 handle_softirqs+0x216/0x8e0 kernel/softirq.c:579 run_ksoftirqd kernel/softirq.c:968 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:960 smpboot_thread_fn+0x3f7/0xae0 kernel/smpboot.c:160 kthread+0x3c2/0x780 kernel/kthread.c:463 ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> The TCP subflow can process the simult-connect syn-ack packet after transitioning to TCP_FIN1 state, bypassing the MPTCP fallback check, as the sk_state_change() callback is not invoked for * -> FIN_WAIT1 transitions. That will move the msk socket to an inconsistent status and the next incoming data will hit the reported splat. Close the race moving the simult-fallback check at the earliest possible stage - that is at syn-ack generation time. About the fixes tags: [2] was supposed to also fix this issue introduced by [3]. [1] is required as a dependence: it was not explicitly marked as a fix, but it is one and it has already been backported before [3]. In other words, this commit should be backported up to [3], including [2] and [1] if that's not already there.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/25f1ae942c097b7ae4ce5c2b9c6fefb8e3672b86Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/71154bbe49423128c1c8577b6576de1ed6836830Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/79f80a7a47849ef1b3c25a0bedcc448b9cb551c1Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/b5f46a08269265e2f5e87d855287d6d22de0a32bPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/c9bf315228287653522894df9d851e9b43db9516Patch
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel 6.2
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3A2EC30B-B7D2-46B0-91A5-0A8420BC52CE",
              "versionEndExcluding": "6.1.160",
              "versionStartIncluding": "6.1.110",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "528CCBAC-105D-4B7E-B115-EAB6707955CF",
              "versionEndExcluding": "6.6.120",
              "versionStartIncluding": "6.2.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "24E18C07-36AC-456E-97AF-F7C3F73E600C",
              "versionEndExcluding": "6.12.65",
              "versionStartIncluding": "6.7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DC988EA0-0E32-457A-BF95-89BEB31A227B",
              "versionEndExcluding": "6.18.4",
              "versionStartIncluding": "6.13",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "3ADCCCEE-143A-4B48-9B2A-0CB97BD385DE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*",
              "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*",
              "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*",
              "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*",
              "matchCriteriaId": "F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*",
              "matchCriteriaId": "EB5B7DFC-C36B-45D8-922C-877569FDDF43",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fallback earlier on simult connection\n\nSyzkaller reports a simult-connect race leading to inconsistent fallback\nstatus:\n\n  WARNING: CPU: 3 PID: 33 at net/mptcp/subflow.c:1515 subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515\n  Modules linked in:\n  CPU: 3 UID: 0 PID: 33 Comm: ksoftirqd/3 Not tainted syzkaller #0 PREEMPT(full)\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n  RIP: 0010:subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515\n  Code: 89 ee e8 78 61 3c f6 40 84 ed 75 21 e8 8e 66 3c f6 44 89 fe bf 07 00 00 00 e8 c1 61 3c f6 41 83 ff 07 74 09 e8 76 66 3c f6 90 \u003c0f\u003e 0b 90 e8 6d 66 3c f6 48 89 df e8 e5 ad ff ff 31 ff 89 c5 89 c6\n  RSP: 0018:ffffc900006cf338 EFLAGS: 00010246\n  RAX: 0000000000000000 RBX: ffff888031acd100 RCX: ffffffff8b7f2abf\n  RDX: ffff88801e6ea440 RSI: ffffffff8b7f2aca RDI: 0000000000000005\n  RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000007\n  R10: 0000000000000004 R11: 0000000000002c10 R12: ffff88802ba69900\n  R13: 1ffff920000d9e67 R14: ffff888046f81800 R15: 0000000000000004\n  FS:  0000000000000000(0000) GS:ffff8880d69bc000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000560fc0ca1670 CR3: 0000000032c3a000 CR4: 0000000000352ef0\n  Call Trace:\n   \u003cTASK\u003e\n   tcp_data_queue+0x13b0/0x4f90 net/ipv4/tcp_input.c:5197\n   tcp_rcv_state_process+0xfdf/0x4ec0 net/ipv4/tcp_input.c:6922\n   tcp_v6_do_rcv+0x492/0x1740 net/ipv6/tcp_ipv6.c:1672\n   tcp_v6_rcv+0x2976/0x41e0 net/ipv6/tcp_ipv6.c:1918\n   ip6_protocol_deliver_rcu+0x188/0x1520 net/ipv6/ip6_input.c:438\n   ip6_input_finish+0x1e4/0x4b0 net/ipv6/ip6_input.c:489\n   NF_HOOK include/linux/netfilter.h:318 [inline]\n   NF_HOOK include/linux/netfilter.h:312 [inline]\n   ip6_input+0x105/0x2f0 net/ipv6/ip6_input.c:500\n   dst_input include/net/dst.h:471 [inline]\n   ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline]\n   NF_HOOK include/linux/netfilter.h:318 [inline]\n   NF_HOOK include/linux/netfilter.h:312 [inline]\n   ipv6_rcv+0x264/0x650 net/ipv6/ip6_input.c:311\n   __netif_receive_skb_one_core+0x12d/0x1e0 net/core/dev.c:5979\n   __netif_receive_skb+0x1d/0x160 net/core/dev.c:6092\n   process_backlog+0x442/0x15e0 net/core/dev.c:6444\n   __napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7494\n   napi_poll net/core/dev.c:7557 [inline]\n   net_rx_action+0xa9f/0xfe0 net/core/dev.c:7684\n   handle_softirqs+0x216/0x8e0 kernel/softirq.c:579\n   run_ksoftirqd kernel/softirq.c:968 [inline]\n   run_ksoftirqd+0x3a/0x60 kernel/softirq.c:960\n   smpboot_thread_fn+0x3f7/0xae0 kernel/smpboot.c:160\n   kthread+0x3c2/0x780 kernel/kthread.c:463\n   ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148\n   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n   \u003c/TASK\u003e\n\nThe TCP subflow can process the simult-connect syn-ack packet after\ntransitioning to TCP_FIN1 state, bypassing the MPTCP fallback check,\nas the sk_state_change() callback is not invoked for * -\u003e FIN_WAIT1\ntransitions.\n\nThat will move the msk socket to an inconsistent status and the next\nincoming data will hit the reported splat.\n\nClose the race moving the simult-fallback check at the earliest possible\nstage - that is at syn-ack generation time.\n\nAbout the fixes tags: [2] was supposed to also fix this issue introduced\nby [3]. [1] is required as a dependence: it was not explicitly marked as\na fix, but it is one and it has already been backported before [3]. In\nother words, this commit should be backported up to [3], including [2]\nand [1] if that\u0027s not already there."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nmptcp: retroceso m\u00e1s temprano en conexi\u00f3n simult\u00e1nea\n\nSyzkaller informa una condici\u00f3n de carrera de conexi\u00f3n simult\u00e1nea que lleva a un estado de retroceso inconsistente:\n\n  WARNING: CPU: 3 PID: 33 at net/mptcp/subflow.c:1515 subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515\n  Modules linked in:\n  CPU: 3 UID: 0 PID: 33 Comm: ksoftirqd/3 Not tainted syzkaller #0 PREEMPT(full)\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n  RIP: 0010:subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515\n  Code: 89 ee e8 78 61 3c f6 40 84 ed 75 21 e8 8e 66 3c f6 44 89 fe bf 07 00 00 00 e8 c1 61 3c f6 41 83 ff 07 74 09 e8 76 66 3c f6 90 \u0026lt;0f\u0026gt; 0b 90 e8 6d 66 3c f6 48 89 df e8 e5 ad ff ff 31 ff 89 c5 89 c6\n  RSP: 0018:ffffc900006cf338 EFLAGS: 00010246\n  RAX: 0000000000000000 RBX: ffff888031acd100 RCX: ffffffff8b7f2abf\n  RDX: ffff88801e6ea440 RSI: ffffffff8b7f2aca RDI: 0000000000000005\n  RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000007\n  R10: 0000000000000004 R11: 0000000000002c10 R12: ffff88802ba69900\n  R13: 1ffff920000d9e67 R14: ffff888046f81800 R15: 0000000000000004\n  FS:  0000000000000000(0000) GS:ffff8880d69bc000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000560fc0ca1670 CR3: 0000000032c3a000 CR4: 0000000000352ef0\n  Call Trace:\n   \n   tcp_data_queue+0x13b0/0x4f90 net/ipv4/tcp_input.c:5197\n   tcp_rcv_state_process+0xfdf/0x4ec0 net/ipv4/tcp_input.c:6922\n   tcp_v6_do_rcv+0x492/0x1740 net/ipv6/tcp_ipv6.c:1672\n   tcp_v6_rcv+0x2976/0x41e0 net/ipv6/tcp_ipv6.c:1918\n   ip6_protocol_deliver_rcu+0x188/0x1520 net/ipv6/ip6_input.c:438\n   ip6_input_finish+0x1e4/0x4b0 net/ipv6/ip6_input.c:489\n   NF_HOOK include/linux/netfilter.h:318 [inline]\n   NF_HOOK include/linux/netfilter.h:312 [inline]\n   ip6_input+0x105/0x2f0 net/ipv6/ip6_input.c:500\n   dst_input include/net/dst.h:471 [inline]\n   ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline]\n   NF_HOOK include/linux/netfilter.h:318 [inline]\n   NF_HOOK include/linux/netfilter.h:312 [inline]\n   ipv6_rcv+0x264/0x650 net/ipv6/ip6_input.c:311\n   __netif_receive_skb_one_core+0x12d/0x1e0 net/core/dev.c:5979\n   __netif_receive_skb+0x1d/0x160 net/core/dev.c:6092\n   process_backlog+0x442/0x15e0 net/core/dev.c:6444\n   __napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7494\n   napi_poll net/core/dev.c:7557 [inline]\n   net_rx_action+0xa9f/0xfe0 net/core/dev.c:7684\n   handle_softirqs+0x216/0x8e0 kernel/softirq.c:579\n   run_ksoftirqd kernel/softirq.c:968 [inline]\n   run_ksoftirqd+0x3a/0x60 kernel/softirq.c:960\n   smpboot_thread_fn+0x3f7/0xae0 kernel/smpboot.c:160\n   kthread+0x3c2/0x780 kernel/kthread.c:463\n   ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148\n   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n   \n\nEl subflujo TCP puede procesar el paquete syn-ack de conexi\u00f3n simult\u00e1nea despu\u00e9s de la transici\u00f3n al estado TCP_FIN1, evitando la verificaci\u00f3n de retroceso de MPTCP, ya que la devoluci\u00f3n de llamada sk_state_change() no se invoca para transiciones de * -\u0026gt; FIN_WAIT1.\n\nEso mover\u00e1 el socket msk a un estado inconsistente y los pr\u00f3ximos datos entrantes alcanzar\u00e1n el splat reportado.\n\nCerrar la condici\u00f3n de carrera moviendo la verificaci\u00f3n de retroceso simult\u00e1neo en la etapa m\u00e1s temprana posible, es decir, en el momento de la generaci\u00f3n del syn-ack.\n\nSobre las etiquetas de correcciones: [2] se supon\u00eda que tambi\u00e9n corregir\u00eda este problema introducido por [3]. [1] es requerido como dependencia: no fue marcado expl\u00edcitamente como una correcci\u00f3n, pero lo es y ya ha sido retroportado antes de [3]. En otras palabras, este commit deber\u00eda ser retroportado hasta [3], incluyendo [2] y [1] si a\u00fan no est\u00e1n all\u00ed."
    }
  ],
  "id": "CVE-2025-71088",
  "lastModified": "2026-03-25T18:56:39.973",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-01-13T16:16:08.460",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/25f1ae942c097b7ae4ce5c2b9c6fefb8e3672b86"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/71154bbe49423128c1c8577b6576de1ed6836830"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/79f80a7a47849ef1b3c25a0bedcc448b9cb551c1"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/b5f46a08269265e2f5e87d855287d6d22de0a32b"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/c9bf315228287653522894df9d851e9b43db9516"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.