CVE-2025-21705: Vulnerability in the Linux kernel
In the Linux kernel, the following vulnerability has been resolved:

mptcp: handle fastopen disconnect correctly

Syzbot was able to trigger a data stream corruption:

WARNING: CPU: 0 PID: 9846 at net/mptcp/protocol.c:1024 __mptcp_clean_una+0xddb/0xff0 net/mptcp/protocol.c:1024
Modules linked in:
CPU: 0 UID: 0 PID: 9846 Comm: syz-executor351 Not tainted 6.13.0-rc2-syzkaller-00059-g00a5acdbf398 #0
Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024
RIP: 0010:__mptcp_clean_una+0xddb/0xff0 net/mptcp/protocol.c:1024
Call Trace:
 <TASK>
 __mptcp_clean_una_wakeup+0x7f/0x2d0 net/mptcp/protocol.c:1074
 mptcp_release_cb+0x7cb/0xb30 net/mptcp/protocol.c:3493
 release_sock+0x1aa/0x1f0 net/core/sock.c:3640
 inet_wait_for_connect net/ipv4/af_inet.c:609 [inline]
 __inet_stream_connect+0x8bd/0xf30 net/ipv4/af_inet.c:703
 mptcp_sendmsg_fastopen+0x2a2/0x530 net/mptcp/protocol.c:1755
 mptcp_sendmsg+0x1884/0x1b10 net/mptcp/protocol.c:1830
 sock_sendmsg_nosec net/socket.c:711 [inline]
 __sock_sendmsg+0x1a6/0x270 net/socket.c:726
 ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583
 ___sys_sendmsg net/socket.c:2637 [inline]
 __sys_sendmsg+0x269/0x350 net/socket.c:2669
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6e86ebfe69
 </TASK>

The root cause is the bad handling of disconnect() generated internally by the MPTCP protocol in case of connect FASTOPEN errors.

Address the issue by increasing the socket disconnect counter even in such a case, to allow other threads waiting on the same socket lock to properly error out.
AI Analysis
Technical Summary
CVE-2025-21705 is a vulnerability in the Linux kernel's implementation of Multipath TCP (MPTCP), specifically in the handling of socket disconnects during TCP Fast Open (TFO) connection attempts. It arises from improper handling of the disconnect() that MPTCP triggers internally when a connection attempt using TCP Fast Open fails: the socket disconnect counter is not incremented in that failure path, so other threads waiting on the same socket lock are not told that the connect has failed. The result is data stream corruption, which Syzbot demonstrated by triggering a kernel WARNING and stack trace that indicate corrupted stream state and an inconsistent socket. The warning fires in __mptcp_clean_una (net/mptcp/protocol.c), the function that cleans up unacknowledged data, reached through mptcp_sendmsg_fastopen and __inet_stream_connect while the Fast Open connect was failing. The vulnerability affects multiple Linux kernel versions, including release candidates and stable branches, as indicated by the affected commit hashes. The fix increments the socket disconnect counter even when the disconnect is generated internally because of a Fast Open error, so that waiting threads receive the error and the stream is not corrupted. No known exploits are reported in the wild at this time, and no CVSS score has been assigned yet.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with MPTCP enabled and using TCP Fast Open, which is increasingly adopted to cut connection latency. Potential impacts include data stream corruption leading to application crashes, kernel panics, or denial of service on affected hosts. This can disrupt critical services, especially in environments that depend on high availability and stable network connections such as cloud infrastructure, telecommunications, financial services, and industrial control systems. Confidentiality and integrity could be indirectly affected if corrupted streams lead to unexpected behavior or crashes that could be exploited further. The vulnerability does not appear to allow direct remote code execution or privilege escalation, but it can degrade reliability and availability. Given the widespread use of Linux in servers, cloud platforms, and embedded devices across Europe, the impact could be significant if unpatched systems encounter the network conditions that trigger this flaw. However, triggering it requires a specific Fast Open disconnect scenario, which limits the ease of exploitation.
Mitigation Recommendations
European organizations should take the following specific mitigation steps:
1) Identify all Linux systems running kernel versions affected by this vulnerability, especially those with MPTCP and TCP Fast Open enabled.
2) Apply the official Linux kernel patches, or upgrade to a kernel version in which this vulnerability is resolved, as soon as they become available.
3) Temporarily disable TCP Fast Open on critical systems if patching is not immediately feasible, so that the disconnect handling flaw cannot be triggered.
4) Monitor kernel logs for warnings or errors related to MPTCP and TCP Fast Open disconnects that could indicate attempted exploitation or instability.
5) Conduct network traffic analysis to detect abnormal connection attempts that may exploit this vulnerability.
6) Coordinate with cloud and infrastructure providers to ensure underlying platforms are patched.
7) Maintain incident response plans that can quickly address system crashes or service disruptions potentially linked to this vulnerability.
These steps go beyond generic advice by focusing on the specific protocol features and kernel components involved.
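As an added defensive example (not part of the CVE record or of the kernel code), the following Python supports steps 3 and 4: it scans kernel log lines for the warning signature quoted in the description and interprets the two sysctls that govern exposure. The sample log is constructed from the trace above; the bit meanings assumed for net.ipv4.tcp_fastopen (0x1 client, 0x2 server) follow the kernel's documented bitmask.

```python
import re

# Signature from the CVE-2025-21705 report: a WARN in __mptcp_clean_una
# (net/mptcp/protocol.c) whose call trace passes through
# mptcp_sendmsg_fastopen, i.e. the failing TCP Fast Open connect path.
WARN_RE = re.compile(r"WARNING: CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) at "
                     r"(?P<loc>net/mptcp/protocol\.c:\d+) __mptcp_clean_una\b")
COMM_RE = re.compile(r"PID: (?P<pid>\d+) Comm: (?P<comm>\S+) "
                     r"(?:Not tainted|Tainted:.*?)\s+(?P<kver>\d\S*)")
FASTOPEN_FRAME = "mptcp_sendmsg_fastopen"

def scan_kernel_log(lines):
    """One dict per __mptcp_clean_una warning: task, kernel version and
    whether the trace went through the Fast Open send path."""
    hits, current = [], None
    for line in lines:
        m = WARN_RE.search(line)
        if m:
            current = {"cpu": int(m["cpu"]), "pid": int(m["pid"]),
                       "location": m["loc"], "comm": None, "kernel": None,
                       "fastopen_path": False}
            hits.append(current)
            continue
        if current is None:
            continue
        c = COMM_RE.search(line)
        if c and int(c["pid"]) == current["pid"]:
            current["comm"], current["kernel"] = c["comm"], c["kver"]
        if FASTOPEN_FRAME in line:
            current["fastopen_path"] = True
        if "</TASK>" in line:        # end of the oops block
            current = None
    return hits

def fastopen_exposure(mptcp_enabled, tcp_fastopen):
    """Interpret net.mptcp.enabled and the net.ipv4.tcp_fastopen bitmask
    (assumed: 0x1 = client, 0x2 = server). The reported trace is a
    connect-side path, so the client bit is the one that matters here."""
    client, server = bool(tcp_fastopen & 0x1), bool(tcp_fastopen & 0x2)
    return {"mptcp": bool(mptcp_enabled), "tfo_client": client,
            "tfo_server": server, "exposed": bool(mptcp_enabled) and client}

# Constructed sample, trimmed from the trace in the description above.
SAMPLE_LOG = """\
WARNING: CPU: 0 PID: 9846 at net/mptcp/protocol.c:1024 __mptcp_clean_una+0xddb/0xff0 net/mptcp/protocol.c:1024
CPU: 0 UID: 0 PID: 9846 Comm: syz-executor351 Not tainted 6.13.0-rc2-syzkaller-00059-g00a5acdbf398 #0
 <TASK>
 __mptcp_clean_una_wakeup+0x7f/0x2d0 net/mptcp/protocol.c:1074
 __inet_stream_connect+0x8bd/0xf30 net/ipv4/af_inet.c:703
 mptcp_sendmsg_fastopen+0x2a2/0x530 net/mptcp/protocol.c:1755
 </TASK>
""".splitlines()
```

Feed it `journalctl -k` or `dmesg` output line by line; `fastopen_exposure` takes the integer values read from the two sysctls.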
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Estonia, Ireland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-29T08:45:45.751Z
- CISA Enriched: false
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d9820c4522896dcbdd2f8
Added to database: 5/21/2025, 9:08:48 AM
Last enriched: 6/27/2025, 11:40:27 PM
Last updated: 7/31/2025, 1:41:31 AM