
CVE-2025-21641: Vulnerability in the Linux kernel

Severity: Medium
Published: Sun Jan 19 2025 (01/19/2025, 10:17:58 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

mptcp: sysctl: blackhole timeout: avoid using current->nsproxy

As mentioned in the previous commit, using the 'net' structure via 'current' is not recommended for different reasons:

- Inconsistency: getting info from the reader's/writer's netns vs only from the opener's netns.
- current->nsproxy can be NULL in some cases, resulting in an 'Oops' (null-ptr-deref), e.g. when the current task is exiting, as spotted by syzbot [1] using acct(2).

The 'pernet' structure can be obtained from the table->data using container_of().

AI-Powered Analysis

AI analysis last updated: 06/30/2025, 16:24:58 UTC

Technical Analysis

CVE-2025-21641 is a NULL pointer dereference in the Linux kernel's Multipath TCP (MPTCP) subsystem, in the sysctl handler for the MPTCP blackhole detection timeout. The handler needs the per-network-namespace MPTCP state (the 'pernet' structure) and obtained it through the network namespace of the task performing the access: current->nsproxy->net_ns. That is wrong for two reasons. First, it is inconsistent: a sysctl file belongs to the network namespace of the task that opened it, and the ctl_table the kernel hands to the handler already points at that namespace's data, whereas current->nsproxy refers to the namespace of whichever task happens to be reading or writing the file. A writer in a different namespace therefore gets the handler's per-namespace side effect applied to its own namespace rather than to the one that owns the file. Second, current->nsproxy can be NULL, for example while a task is exiting, and dereferencing it produces a kernel Oops. syzbot reached that path through acct(2): with process accounting pointed at the sysctl file, the kernel's own accounting write to that file ran late in a task's exit, after the task's namespaces had been released, so the handler executed with no nsproxy in place. An Oops kills the task in whose context it happened and taints the kernel; on hosts that set panic_on_oops=1 it panics the machine. The fix stops consulting 'current' altogether: the table's data pointer points at the blackhole_timeout field inside the pernet structure, so container_of() recovers the pernet from table->data, which is both namespace-correct and valid whether or not the writing task still has an nsproxy. The CVE record expresses the affected range by kernel commit hash (27069e7cb3d1cea9377069266acf19b9cc5ad0ae) rather than by release number, so the stable branches concerned have to be read off the record. No exploitation in the wild is known, and the record carries no CVSS vector (the Medium rating at the top of this page is this site's own). The impact is to availability and stability, not to confidentiality or integrity.
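The before/after shape of the handler, as an added example that is neither the kernel's code nor part of this advisory: the kernel structures are replaced by small stand-ins, the per-netns side effect of a successful write is modelled as resetting a counter (an assumption made for the example; the CVE text only says the handler needs the pernet), and the crash is reported as a return value instead of a fault. It shows both halves of the bug: the old lookup applies the side effect to the writer's namespace when that differs from the file's owner, and fails outright when the writer has no nsproxy, while container_of() on table->data gets the right pernet in every case.

```c
#include <stddef.h>
#include <stdio.h>

/* Kernel-style container_of(): recover the enclosing struct from a member pointer. */
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

/* Simplified stand-ins for the kernel structures (not the real definitions). */
struct net { const char *name; };
struct nsproxy { struct net *net_ns; };
struct task { struct nsproxy *nsproxy; };        /* plays the role of 'current' */
struct ctl_table { const char *procname; void *data; };

/* Per-netns MPTCP state. table->data points at blackhole_timeout, which is
 * what makes container_of() on it valid. */
struct mptcp_pernet {
	struct net *net;
	int blackhole_timeout;
	int active_disable_times;  /* assumed side effect: reset on a successful write */
};

/* Every netns registers its own table whose data points into its own pernet. */
#define MAX_NS 4
static struct mptcp_pernet pernets[MAX_NS];
static struct ctl_table tables[MAX_NS];
static int nr_ns;

static struct ctl_table *register_ns(struct net *net, int timeout)
{
	struct mptcp_pernet *p = &pernets[nr_ns];
	struct ctl_table *t = &tables[nr_ns];

	nr_ns++;
	p->net = net;
	p->blackhole_timeout = timeout;
	p->active_disable_times = 5;      /* non-zero so a reset is observable */
	t->procname = "blackhole_timeout";
	t->data = &p->blackhole_timeout;
	return t;
}

/* Stand-in for mptcp_get_pernet(net). */
static struct mptcp_pernet *mptcp_get_pernet(struct net *net)
{
	for (int i = 0; i < nr_ns; i++)
		if (pernets[i].net == net)
			return &pernets[i];
	return NULL;
}

/* BEFORE the fix: resolve the pernet through the writing task's namespace.
 * Returns NULL exactly where the kernel would dereference NULL and Oops. */
static struct mptcp_pernet *pernet_before(struct task *current, struct ctl_table *table)
{
	(void)table;                       /* available, but ignored by the old code */
	if (!current->nsproxy)
		return NULL;               /* current->nsproxy->net_ns: null-ptr-deref */
	return mptcp_get_pernet(current->nsproxy->net_ns);
}

/* AFTER the fix: recover the pernet from the table the owning netns registered. */
static struct mptcp_pernet *pernet_after(struct task *current, struct ctl_table *table)
{
	(void)current;                     /* 'current' is no longer consulted */
	return container_of(table->data, struct mptcp_pernet, blackhole_timeout);
}

/* Write path of the handler. The value is stored through table->data (always
 * the owning netns, as proc_dointvec_minmax() would); the side effect goes
 * through 'pernet'. Returns 0 on success, -1 where the old code crashed. */
static int blackhole_timeout_write(struct task *current, struct ctl_table *table,
				   int new_val, int fixed)
{
	struct mptcp_pernet *pernet = fixed ? pernet_after(current, table)
					    : pernet_before(current, table);

	if (!pernet)
		return -1;
	*(int *)table->data = new_val;
	pernet->active_disable_times = 0;
	return 0;
}

/* Write 60 to the child netns's sysctl and classify the outcome:
 *   -1  the handler would have Oopsed (writer has no nsproxy)
 *    0  value stored and side effect applied in the child netns (correct)
 *    1  value stored in the child, side effect applied elsewhere (confusion) */
static int run_case(int writer_has_ns, int writer_in_child, int fixed)
{
	static struct net init_net = { "init_net" }, child = { "child" };
	struct nsproxy proxy = { writer_in_child ? &child : &init_net };
	struct task current = { writer_has_ns ? &proxy : NULL };
	struct ctl_table *child_table;

	nr_ns = 0;
	register_ns(&init_net, 3600);
	child_table = register_ns(&child, 3600);

	if (blackhole_timeout_write(&current, child_table, 60, fixed) < 0)
		return -1;
	return (mptcp_get_pernet(&child)->blackhole_timeout == 60 &&
		mptcp_get_pernet(&child)->active_disable_times == 0) ? 0 : 1;
}

int main(void)
{
	printf("old: writer in child=%d, writer in init_net=%d, exiting task=%d\n",
	       run_case(1, 1, 0), run_case(1, 0, 0), run_case(0, 0, 0));
	printf("fixed: writer in init_net=%d, exiting task=%d\n",
	       run_case(1, 0, 1), run_case(0, 0, 1));
	return 0;
}
```

The cross-namespace case is the subtle one: the old code still stores the new timeout in the right place, because the generic sysctl helper writes through table->data, so the bug only shows up in whatever the handler does with the pernet it looked up. That is why the fix is to derive the pernet from the same table->data pointer rather than from the caller.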

Potential Impact

For European organizations the risk is to the availability and stability of Linux hosts whose kernel contains the affected MPTCP code, which is relevant wherever Linux carries production traffic: servers, cloud and container platforms, telecommunications equipment and network appliances. Reaching the bug requires writing the MPTCP blackhole timeout sysctl, which is a root operation (or CAP_NET_ADMIN inside a network namespace the writer owns), and the path syzbot used additionally needs CAP_SYS_PACCT to enable process accounting with acct(2). This is therefore a local, privileged denial-of-service and stability issue, not something reachable from the network or by an ordinary unprivileged user. The consequence of the Oops ranges from one killed task and a tainted kernel to a full host panic on systems with panic_on_oops=1, which some enterprise distributions set by default; in environments that depend on high availability, such as telecommunications, financial services and public-sector IT, a panicked node means failover and lost sessions. The namespace-confusion half of the bug is quieter: a write from one network namespace applies the handler's per-namespace side effect to the writer's namespace instead of the one that owns the file, which matters most on container hosts where many network namespaces share one kernel. The bug gives no privilege escalation or remote code execution and no exploitation is known; confidentiality and integrity are not directly affected, although repeated crashes affect data availability and operational continuity.

Mitigation Recommendations

Apply a kernel that contains the fix. The CVE record identifies the affected range by commit hash, so for distribution kernels check the vendor advisory for this CVE rather than comparing upstream version numbers; for self-built kernels, move to the stable release that carries the 'mptcp: sysctl: blackhole timeout: avoid using current->nsproxy' change. Where patching must wait, reduce who can reach the handler: the sysctl is writable only by root, or by CAP_NET_ADMIN inside a network namespace the writer owns, and the syzbot path additionally needs CAP_SYS_PACCT for acct(2), so keep those capabilities out of untrusted containers and service accounts and treat process accounting as a privileged feature. If MPTCP is not needed, disable it (net.mptcp.enabled=0 via sysctl); note that this removes the protocol from the attack surface but does not unregister the sysctl handler, so it is a reduction of exposure, not a fix. For detection, watch the kernel log (dmesg or the journal) for 'BUG: kernel NULL pointer dereference' entries whose stack trace passes through the sysctl proc handler and the MPTCP code; on hosts with panic_on_oops=1 the evidence will instead be an unexpected reboot, so crash dumps captured by kdump are the place to look. Finally, keep backup and recovery procedures tested so that a crash caused by this bug is an interruption rather than an outage.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-12-29T08:45:45.727Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9834c4522896dcbe9704

Added to database: 5/21/2025, 9:09:08 AM

Last enriched: 6/30/2025, 4:24:58 PM

Last updated: 7/29/2025, 10:15:17 AM

