CVE-2025-21707: Vulnerability in the Linux kernel (vendor: Linux, product: Linux)
In the Linux kernel, the following vulnerability has been resolved:

mptcp: consolidate suboption status

MPTCP maintains the received sub-options status in the bitmask carrying the received suboptions and in several bitfields carrying per suboption additional info. Zeroing the bitmask before parsing is not enough to ensure a consistent status, and the MPTCP code has to additionally clear some bitfield depending on the actually parsed suboption.

The above schema is fragile, and syzbot managed to trigger a path where a relevant bitfield is not cleared/initialized:

BUG: KMSAN: uninit-value in __mptcp_expand_seq net/mptcp/options.c:1030 [inline]
BUG: KMSAN: uninit-value in mptcp_expand_seq net/mptcp/protocol.h:864 [inline]
BUG: KMSAN: uninit-value in ack_update_msk net/mptcp/options.c:1060 [inline]
BUG: KMSAN: uninit-value in mptcp_incoming_options+0x2036/0x3d30 net/mptcp/options.c:1209
__mptcp_expand_seq net/mptcp/options.c:1030 [inline]
mptcp_expand_seq net/mptcp/protocol.h:864 [inline]
ack_update_msk net/mptcp/options.c:1060 [inline]
mptcp_incoming_options+0x2036/0x3d30 net/mptcp/options.c:1209
tcp_data_queue+0xb4/0x7be0 net/ipv4/tcp_input.c:5233
tcp_rcv_established+0x1061/0x2510 net/ipv4/tcp_input.c:6264
tcp_v4_do_rcv+0x7f3/0x11a0 net/ipv4/tcp_ipv4.c:1916
tcp_v4_rcv+0x51df/0x5750 net/ipv4/tcp_ipv4.c:2351
ip_protocol_deliver_rcu+0x2a3/0x13d0 net/ipv4/ip_input.c:205
ip_local_deliver_finish+0x336/0x500 net/ipv4/ip_input.c:233
NF_HOOK include/linux/netfilter.h:314 [inline]
ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254
dst_input include/net/dst.h:460 [inline]
ip_rcv_finish+0x4a2/0x520 net/ipv4/ip_input.c:447
NF_HOOK include/linux/netfilter.h:314 [inline]
ip_rcv+0xcd/0x380 net/ipv4/ip_input.c:567
__netif_receive_skb_one_core net/core/dev.c:5704 [inline]
__netif_receive_skb+0x319/0xa00 net/core/dev.c:5817
process_backlog+0x4ad/0xa50 net/core/dev.c:6149
__napi_poll+0xe7/0x980 net/core/dev.c:6902
napi_poll net/core/dev.c:6971 [inline]
net_rx_action+0xa5a/0x19b0 net/core/dev.c:7093
handle_softirqs+0x1a0/0x7c0 kernel/softirq.c:561
__do_softirq+0x14/0x1a kernel/softirq.c:595
do_softirq+0x9a/0x100 kernel/softirq.c:462
__local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:389
local_bh_enable include/linux/bottom_half.h:33 [inline]
rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline]
__dev_queue_xmit+0x2758/0x57d0 net/core/dev.c:4493
dev_queue_xmit include/linux/netdevice.h:3168 [inline]
neigh_hh_output include/net/neighbour.h:523 [inline]
neigh_output include/net/neighbour.h:537 [inline]
ip_finish_output2+0x187c/0x1b70 net/ipv4/ip_output.c:236
__ip_finish_output+0x287/0x810
ip_finish_output+0x4b/0x600 net/ipv4/ip_output.c:324
NF_HOOK_COND include/linux/netfilter.h:303 [inline]
ip_output+0x15f/0x3f0 net/ipv4/ip_output.c:434
dst_output include/net/dst.h:450 [inline]
ip_local_out net/ipv4/ip_output.c:130 [inline]
__ip_queue_xmit+0x1f2a/0x20d0 net/ipv4/ip_output.c:536
ip_queue_xmit+0x60/0x80 net/ipv4/ip_output.c:550
__tcp_transmit_skb+0x3cea/0x4900 net/ipv4/tcp_output.c:1468
tcp_transmit_skb net/ipv4/tcp_output.c:1486 [inline]
tcp_write_xmit+0x3b90/0x9070 net/ipv4/tcp_output.c:2829
__tcp_push_pending_frames+0xc4/0x380 net/ipv4/tcp_output.c:3012
tcp_send_fin+0x9f6/0xf50 net/ipv4/tcp_output.c:3618
__tcp_close+0x140c/0x1550 net/ipv4/tcp.c:3130
__mptcp_close_ssk+0x74e/0x16f0 net/mptcp/protocol.c:2496
mptcp_close_ssk+0x26b/0x2c0 net/mptcp/protocol.c:2550
mptcp_pm_nl_rm_addr_or_subflow+0x635/0xd10 net/mptcp/pm_netlink.c:889
mptcp_pm_nl_rm_subflow_received net/mptcp/pm_netlink.c:924 [inline]
mptcp_pm_flush_addrs_and_subflows net/mptcp/pm_netlink.c:1688 [inline]
mptcp_nl_flush_addrs_list net/mptcp/pm_netlink.c:1709 [inline]
mptcp_pm_nl_flush_addrs_doit+0xe10/0x1630 net/mptcp/pm_netlink.c:1750
genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]
---truncated---
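The commit message above describes a state-management pattern rather than a single bad line: a "which suboptions were seen" bitmask that is zeroed before parsing, next to separate per-suboption bitfields that only some parsing paths remember to clear. The following C program is an added illustration written for this page; it is not the kernel's code, and its structs, flag names (SEEN_DSS, FLAG_USE_ACK, use_ack) and the two-packet scenario are constructed stand-ins for struct mptcp_options_received and the real parser. It contrasts the fragile layout with a consolidated one in which every per-suboption flag lives in the single bitmask that is reset, which is the shape of fix the commit title names. In the kernel the status object is a fresh stack variable per packet, so the unreset bitfield reads uninitialized memory (what KMSAN flagged); the example reuses one object across two packets so the same wrong read shows up deterministically.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of one received MPTCP suboption (not the wire format). */
enum subopt_kind { SUBOPT_MP_CAPABLE = 1, SUBOPT_DSS = 2 };

struct subopt {
    enum subopt_kind kind;
    bool carries_ack;      /* DSS only: does this option carry a data ack? */
    uint64_t data_ack;
};

#define SEEN_MP_CAPABLE (1u << 0)
#define SEEN_DSS        (1u << 1)

/* Fragile layout: a bitmask plus separate bitfields. Only `suboptions` is
 * reset before parsing; `use_ack` is rewritten solely on the DSS path. */
struct fragile_status {
    uint16_t suboptions;
    unsigned use_ack : 1;
    uint64_t data_ack;
};

/* Consolidated layout: the per-suboption flag is a bit of the same mask,
 * so the one reset before parsing clears it along with everything else. */
#define FLAG_USE_ACK    (1u << 8)
struct consolidated_status {
    uint16_t suboptions;
    uint64_t data_ack;
};

static void fragile_parse(struct fragile_status *st, const struct subopt *opt)
{
    st->suboptions = 0;                     /* only the mask is reset */
    switch (opt->kind) {
    case SUBOPT_DSS:
        st->suboptions |= SEEN_DSS;
        st->use_ack = opt->carries_ack;     /* cleared only on this path */
        if (opt->carries_ack)
            st->data_ack = opt->data_ack;
        break;
    case SUBOPT_MP_CAPABLE:
        st->suboptions |= SEEN_MP_CAPABLE;  /* use_ack untouched: stale */
        break;
    default:
        break;
    }
}

static void consolidated_parse(struct consolidated_status *st, const struct subopt *opt)
{
    st->suboptions = 0;                     /* resets every flag at once */
    switch (opt->kind) {
    case SUBOPT_DSS:
        st->suboptions |= SEEN_DSS;
        if (opt->carries_ack) {
            st->suboptions |= FLAG_USE_ACK;
            st->data_ack = opt->data_ack;
        }
        break;
    case SUBOPT_MP_CAPABLE:
        st->suboptions |= SEEN_MP_CAPABLE;
        break;
    default:
        break;
    }
}

/* Consumer side, in the role of ack_update_msk: use the data ack only when
 * the status says one was received. Returns whether an ack was consumed. */
static bool fragile_ack_consumed(const struct fragile_status *st, uint64_t *ack)
{
    if (!st->use_ack)
        return false;
    *ack = st->data_ack;
    return true;
}

static bool consolidated_ack_consumed(const struct consolidated_status *st, uint64_t *ack)
{
    if (!(st->suboptions & FLAG_USE_ACK))
        return false;
    *ack = st->data_ack;
    return true;
}

/* Scenario (constructed): a DSS carrying a data ack, then a packet carrying
 * only MP_CAPABLE. Returns true if the second packet wrongly yields an ack. */
bool fragile_leaks_stale_ack(void)
{
    struct fragile_status st;
    struct subopt dss = { SUBOPT_DSS, true, 0xABCDull };
    struct subopt mpc = { SUBOPT_MP_CAPABLE, false, 0 };
    uint64_t ack = 0;

    memset(&st, 0, sizeof(st));
    fragile_parse(&st, &dss);
    fragile_parse(&st, &mpc);
    return fragile_ack_consumed(&st, &ack);       /* true: stale use_ack */
}

bool consolidated_leaks_stale_ack(void)
{
    struct consolidated_status st;
    struct subopt dss = { SUBOPT_DSS, true, 0xABCDull };
    struct subopt mpc = { SUBOPT_MP_CAPABLE, false, 0 };
    uint64_t ack = 0;

    memset(&st, 0, sizeof(st));
    consolidated_parse(&st, &dss);
    consolidated_parse(&st, &mpc);
    return consolidated_ack_consumed(&st, &ack);  /* false: flag was reset */
}

int main(void)
{
    printf("fragile layout leaks a stale ack:      %s\n", fragile_leaks_stale_ack() ? "yes" : "no");
    printf("consolidated layout leaks a stale ack: %s\n", consolidated_leaks_stale_ack() ? "yes" : "no");
    return 0;
}
```

The design point is that correctness of the fragile layout depends on every parsing path knowing which bitfields it must clear, which is exactly the invariant syzbot broke; with one mask there is nothing to forget, and a single reset at the top of the parser is sufficient by construction.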
AI Analysis
Technical Summary
CVE-2025-21707 is a vulnerability in the Linux kernel's implementation of Multipath TCP (MPTCP), a TCP extension that lets a single connection use several network paths at once for bandwidth aggregation and redundancy. It arises from inconsistent initialization and clearing of the fields that track the status of received MPTCP suboptions during option parsing. The bitmask recording which suboptions were received is zeroed before parsing, but the additional per-suboption bitfields are cleared only on some parsing paths, so their contents depend on which suboption was actually parsed. The Kernel Memory Sanitizer (KMSAN) caught the result as an uninitialized-value read in __mptcp_expand_seq, mptcp_expand_seq, and ack_update_msk in the MPTCP options processing code. Such uninitialized values can propagate through TCP input processing and cause undefined behavior, kernel crashes, or memory corruption. Exploitability is not stated in detail and no in-the-wild exploitation is reported, but the path is reachable through crafted network packets whose MPTCP suboptions hit the inconsistent clearing, and the outcome could destabilize the kernel networking stack or cause denial of service. The affected versions correspond to the Linux kernel commits prior to the fix; the issue was publicly disclosed on February 27, 2025. No CVSS score has been assigned, and no patch or exploit links are attached to this record.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions with MPTCP enabled or in use. MPTCP is increasingly deployed where high availability and bandwidth aggregation matter, such as data centers, cloud infrastructure, telecom networks, and enterprise servers. Exploitation could cause kernel crashes or denial of service, affecting the availability of critical services. In the worst case, memory corruption might be leveraged for privilege escalation or arbitrary code execution, though that would require further research. Given the widespread use of Linux in European government, financial, industrial, and telecommunications sectors, the vulnerability could disrupt essential services or infrastructure if exploited, and organizations relying on multi-path networking for redundancy or performance face correspondingly more exposure. The absence of known exploits reduces the immediate threat but does not eliminate it, since attackers may develop exploits once patches are available. The impact on confidentiality and integrity is less direct but cannot be ruled out if memory corruption leads to information disclosure or kernel compromise.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions in which this vulnerability is patched. Since no patch links are provided here, monitor the official Linux kernel repositories and distribution security advisories for updates addressing CVE-2025-21707. In the interim, disabling MPTCP where it is not required removes the attack surface related to this vulnerability. Network-level mitigations include filtering or monitoring TCP options that could carry malformed MPTCP suboptions, for example with intrusion detection systems tuned to anomalous MPTCP traffic patterns. Where MPTCP is essential, running KMSAN- or KASAN-instrumented kernels in test environments can surface similar uninitialized-memory and memory-safety issues before they reach production. Rigorous network segmentation and limiting the exposure of vulnerable systems to untrusted networks further reduce the likelihood of exploitation. Organizations should also prepare incident response plans for denial of service or kernel compromise scenarios stemming from this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-29T08:45:45.751Z
- CISA Enriched: false
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d9834c4522896dcbe988b
Added to database: 5/21/2025, 9:09:08 AM
Last enriched: 6/30/2025, 5:56:23 PM
Last updated: 8/15/2025, 7:55:30 AM
Views: 11
Related Threats
- CVE-2025-8878: CWE-94 Improper Control of Generation of Code ('Code Injection') in properfraction Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress (Medium)
- CVE-2025-8143: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pencidesign Soledad (Medium)
- CVE-2025-8142: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in pencidesign Soledad (High)
- CVE-2025-8105: CWE-94 Improper Control of Generation of Code ('Code Injection') in pencidesign Soledad (High)
- CVE-2025-8719: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in reubenthiessen Translate This gTranslate Shortcode (Medium)