CVE-2025-21938: Vulnerability in the Linux kernel
In the Linux kernel, the following vulnerability has been resolved:

mptcp: fix 'scheduling while atomic' in mptcp_pm_nl_append_new_local_addr

If multiple connection requests attempt to create an implicit mptcp endpoint in parallel, more than one caller may end up in mptcp_pm_nl_append_new_local_addr because none found the address in local_addr_list during their call to mptcp_pm_nl_get_local_id. In this case, the concurrent new_local_addr calls may delete the address entry created by the previous caller. These deletes use synchronize_rcu, but this is not permitted in some of the contexts where this function may be called. During packet recv, the caller may be in a rcu read critical section and have preemption disabled.

An example stack:

BUG: scheduling while atomic: swapper/2/0/0x00000302
Call Trace:
 <IRQ>
 dump_stack_lvl (lib/dump_stack.c:117 (discriminator 1))
 dump_stack (lib/dump_stack.c:124)
 __schedule_bug (kernel/sched/core.c:5943)
 schedule_debug.constprop.0 (arch/x86/include/asm/preempt.h:33 kernel/sched/core.c:5970)
 __schedule (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:207 kernel/sched/features.h:29 kernel/sched/core.c:6621)
 schedule (arch/x86/include/asm/preempt.h:84 kernel/sched/core.c:6804 kernel/sched/core.c:6818)
 schedule_timeout (kernel/time/timer.c:2160)
 wait_for_completion (kernel/sched/completion.c:96 kernel/sched/completion.c:116 kernel/sched/completion.c:127 kernel/sched/completion.c:148)
 __wait_rcu_gp (include/linux/rcupdate.h:311 kernel/rcu/update.c:444)
 synchronize_rcu (kernel/rcu/tree.c:3609)
 mptcp_pm_nl_append_new_local_addr (net/mptcp/pm_netlink.c:966 net/mptcp/pm_netlink.c:1061)
 mptcp_pm_nl_get_local_id (net/mptcp/pm_netlink.c:1164)
 mptcp_pm_get_local_id (net/mptcp/pm.c:420)
 subflow_check_req (net/mptcp/subflow.c:98 net/mptcp/subflow.c:213)
 subflow_v4_route_req (net/mptcp/subflow.c:305)
 tcp_conn_request (net/ipv4/tcp_input.c:7216)
 subflow_v4_conn_request (net/mptcp/subflow.c:651)
 tcp_rcv_state_process (net/ipv4/tcp_input.c:6709)
 tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1934)
 tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2334)
 ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205 (discriminator 1))
 ip_local_deliver_finish (include/linux/rcupdate.h:813 net/ipv4/ip_input.c:234)
 ip_local_deliver (include/linux/netfilter.h:314 include/linux/netfilter.h:308 net/ipv4/ip_input.c:254)
 ip_sublist_rcv_finish (include/net/dst.h:461 net/ipv4/ip_input.c:580)
 ip_sublist_rcv (net/ipv4/ip_input.c:640)
 ip_list_rcv (net/ipv4/ip_input.c:675)
 __netif_receive_skb_list_core (net/core/dev.c:5583 net/core/dev.c:5631)
 netif_receive_skb_list_internal (net/core/dev.c:5685 net/core/dev.c:5774)
 napi_complete_done (include/linux/list.h:37 include/net/gro.h:449 include/net/gro.h:444 net/core/dev.c:6114)
 igb_poll (drivers/net/ethernet/intel/igb/igb_main.c:8244) igb
 __napi_poll (net/core/dev.c:6582)
 net_rx_action (net/core/dev.c:6653 net/core/dev.c:6787)
 handle_softirqs (kernel/softirq.c:553)
 __irq_exit_rcu (kernel/softirq.c:588 kernel/softirq.c:427 kernel/softirq.c:636)
 irq_exit_rcu (kernel/softirq.c:651)
 common_interrupt (arch/x86/kernel/irq.c:247 (discriminator 14))
 </IRQ>

This problem seems particularly prevalent if the user advertises an endpoint that has a different external vs internal address. In the case where the external address is advertised and multiple connections already exist, multiple subflow SYNs arrive in parallel which tends to trigger the race during creation of the first local_addr_list entries which have the internal address instead.

Fix by skipping the replacement of an existing implicit local address if called via mptcp_pm_nl_get_local_id.
AI Analysis
Technical Summary
CVE-2025-21938 is a concurrency vulnerability in the Linux kernel's Multipath TCP (MPTCP) implementation, specifically in the mptcp_pm_nl_append_new_local_addr function of the netlink path manager. The flaw arises when multiple connection requests concurrently attempt to create implicit MPTCP endpoints: each caller looks the address up in local_addr_list via mptcp_pm_nl_get_local_id, none finds it, and so more than one caller proceeds into mptcp_pm_nl_append_new_local_addr. The later callers then replace the entry the first caller created, deleting it with synchronize_rcu. synchronize_rcu waits for an RCU grace period and may sleep, which is not permitted in some of the contexts this function runs in; during packet reception the caller is inside an RCU read-side critical section with preemption disabled. Sleeping there makes the kernel try to schedule in an atomic context, which produces the 'BUG: scheduling while atomic' splat shown in the description and can leave the system unstable or crash it. The race is most likely when an endpoint advertises an external address that differs from its internal address: with several connections already established, multiple subflow SYN packets arrive in parallel and collide while the first local_addr_list entries (carrying the internal address) are being created. The root cause is the replacement of an existing implicit local address by concurrent callers. The fix skips that replacement when the function is reached via mptcp_pm_nl_get_local_id, which removes both the race and the synchronize_rcu call from the atomic path. The CVE record identifies the affected kernel versions by commit hashes rather than version numbers; the bug is relevant only to systems using MPTCP, a TCP extension that lets a single connection use multiple paths for redundancy and performance. No exploits in the wild were reported at publication, and no CVSS score had been assigned.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to servers and network infrastructure running Linux kernels with MPTCP enabled or in use. The impact is a kernel BUG from scheduling while atomic, which can escalate to a panic or crash and therefore a denial of service (DoS). This can disrupt critical services, especially in environments that rely on MPTCP for high-availability connections or load balancing. Confidentiality and integrity impacts are indirect: they could arise only if an attacker used the DoS to force failovers or recovery mechanisms that are themselves part of a longer attack chain. Because the bug is a race in the connection-request path, it could be triggered by crafted network traffic or simply by high connection-request volumes, from internal or external sources. European data centers, cloud providers and telecom operators running Linux systems with MPTCP support are therefore at risk of service interruptions. Given the growing adoption of MPTCP in mobile networks and enterprise environments for resilience and throughput, the bug could affect critical infrastructure components. The absence of known exploits reduces the immediate risk, but the kernel-level impact warrants prompt attention to avoid operational disruptions.
Mitigation Recommendations
Organizations should promptly update Linux kernels to versions where this vulnerability is patched, applying vendor-supplied fixes or mainline kernel updates that include the correction to mptcp_pm_nl_append_new_local_addr. If immediate patching is not feasible, consider disabling MPTCP temporarily to eliminate exposure, especially on critical servers and network devices. Administrators should monitor kernel logs for 'BUG: scheduling while atomic' messages whose call trace passes through the MPTCP path-manager functions, as indicators that the race has been triggered, whether deliberately or by ordinary load. Consider rate limiting or filtering connection requests that could drive parallel MPTCP endpoint creation, particularly where endpoints advertise differing internal and external addresses. Test MPTCP network configurations to identify and remove conditions that make the race more likely. Ensure robust monitoring and automated recovery to minimize downtime if a kernel panic does occur. Track patch availability and deployment status with Linux distribution vendors and security teams, and avoid custom kernel modifications that might interfere with the official fix or introduce regressions in MPTCP handling.
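As an added example, not part of the CVE record or of the kernel's own code, the following Python script implements the log check recommended above: it reads kernel log lines, groups each 'BUG: scheduling while atomic' splat with its call trace, and flags splats whose trace runs through synchronize_rcu, mptcp_pm_nl_append_new_local_addr and mptcp_pm_nl_get_local_id, the frames quoted in the description. The sample log text is constructed from that trace plus an unrelated splat for contrast; all function and variable names are the example's own.

```python
"""Detect CVE-2025-21938-style 'scheduling while atomic' splats in kernel logs.

Added example; not from the CVE record or the Linux project. Sample input is
constructed from the trace in the advisory (first splat) and an unrelated
splat (second, with a made-up 'example_driver' module) for contrast.
"""
import re
from dataclasses import dataclass, field

# Frames that together mark the CVE-2025-21938 pattern: a sleeping RCU
# grace-period wait reached from the MPTCP netlink path manager.
MPTCP_FRAMES = (
    "synchronize_rcu",
    "mptcp_pm_nl_append_new_local_addr",
    "mptcp_pm_nl_get_local_id",
)

BUG_RE = re.compile(r"BUG: scheduling while atomic: (?P<task>\S+)")
TS_RE = re.compile(r"^\[\s*[\d.]+\]\s*")           # dmesg timestamp prefix
# A stack frame either decoded ("sym (file:line)") or raw ("sym+0xoff/0xlen");
# an optional "? " marks an unreliable frame and is ignored.
FRAME_RE = re.compile(r"^(?:\?\s+)?(?P<sym>[A-Za-z_][\w.]*)\s*(?:\(|\+0x)")
TRACE_END = ("</IRQ>", "</TASK>")


@dataclass
class Splat:
    task: str                                    # "comm/pid/preempt_count"
    frames: list = field(default_factory=list)   # symbols, innermost first

    def matches_cve_2025_21938(self) -> bool:
        return all(f in self.frames for f in MPTCP_FRAMES)


def parse_splats(lines):
    """Group 'scheduling while atomic' BUG lines with their call-trace frames."""
    splats, current = [], None
    for raw in lines:
        line = TS_RE.sub("", raw.strip())
        m = BUG_RE.search(line)
        if m:
            current = Splat(task=m.group("task"))
            splats.append(current)
            continue
        if current is None:
            continue
        if any(marker in line for marker in TRACE_END):
            current = None                       # trace finished
            continue
        fm = FRAME_RE.match(line)
        if fm:
            current.frames.append(fm.group("sym"))
    return splats


def scan_kernel_log(text):
    """Return (number of splats, tasks whose trace matches the CVE pattern)."""
    splats = parse_splats(text.splitlines())
    return len(splats), [s.task for s in splats if s.matches_cve_2025_21938()]


# Constructed sample: frames taken from the advisory's trace, then an
# unrelated splat from a hypothetical driver.
SAMPLE_LOG = """\
[  812.301451] BUG: scheduling while atomic: swapper/2/0/0x00000302
[  812.301460] Call Trace:
[  812.301462]  <IRQ>
[  812.301465]  dump_stack_lvl (lib/dump_stack.c:117 (discriminator 1))
[  812.301470]  __schedule_bug (kernel/sched/core.c:5943)
[  812.301475]  ? __schedule (kernel/sched/core.c:6621)
[  812.301480]  schedule (kernel/sched/core.c:6818)
[  812.301485]  wait_for_completion (kernel/sched/completion.c:148)
[  812.301490]  __wait_rcu_gp (kernel/rcu/update.c:444)
[  812.301495]  synchronize_rcu (kernel/rcu/tree.c:3609)
[  812.301500]  mptcp_pm_nl_append_new_local_addr (net/mptcp/pm_netlink.c:1061)
[  812.301505]  mptcp_pm_nl_get_local_id (net/mptcp/pm_netlink.c:1164)
[  812.301510]  mptcp_pm_get_local_id (net/mptcp/pm.c:420)
[  812.301515]  subflow_check_req (net/mptcp/subflow.c:213)
[  812.301520]  tcp_conn_request (net/ipv4/tcp_input.c:7216)
[  812.301525]  </IRQ>
[  900.000001] BUG: scheduling while atomic: kworker/1:2/1234/0x00000002
[  900.000005] Call Trace:
[  900.000010]  <TASK>
[  900.000015]  __schedule_bug (kernel/sched/core.c:5943)
[  900.000020]  schedule (kernel/sched/core.c:6818)
[  900.000025]  mutex_lock+0x21/0x40
[  900.000030]  example_driver_work+0x3c/0x90 [example_driver]
[  900.000035]  </TASK>
"""

if __name__ == "__main__":
    total, hits = scan_kernel_log(SAMPLE_LOG)
    print(f"{total} scheduling-while-atomic splat(s); "
          f"CVE-2025-21938 pattern in tasks: {hits}")
```

In practice feed it the output of dmesg or the contents of the kernel log file (for example /var/log/kern.log) instead of SAMPLE_LOG. A hit shows only that the race fired, not who triggered it; pair the check with an inventory of hosts where MPTCP is actually enabled (the net.mptcp.enabled sysctl) so patching effort goes to the exposed systems first.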
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-29T08:45:45.789Z
- CISA Enriched: false
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d9833c4522896dcbe8c65
Added to database: 5/21/2025, 9:09:07 AM
Last enriched: 6/30/2025, 10:56:25 AM
Last updated: 8/15/2025, 8:22:19 AM
Related Threats
CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)
CVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)