CVE-2025-23145: Vulnerability in the Linux kernel (MPTCP)
In the Linux kernel, the following vulnerability has been resolved: mptcp: fix NULL pointer in can_accept_new_subflow

When testing valkey benchmark tool with MPTCP, the kernel panics in 'mptcp_can_accept_new_subflow' because subflow_req->msk is NULL.

Call trace:
mptcp_can_accept_new_subflow (./net/mptcp/subflow.c:63 (discriminator 4)) (P)
subflow_syn_recv_sock (./net/mptcp/subflow.c:854)
tcp_check_req (./net/ipv4/tcp_minisocks.c:863)
tcp_v4_rcv (./net/ipv4/tcp_ipv4.c:2268)
ip_protocol_deliver_rcu (./net/ipv4/ip_input.c:207)
ip_local_deliver_finish (./net/ipv4/ip_input.c:234)
ip_local_deliver (./net/ipv4/ip_input.c:254)
ip_rcv_finish (./net/ipv4/ip_input.c:449)
...

According to the debug log, the same req received two SYN-ACK in a very short time, very likely because the client retransmits the syn ack due to multiple reasons. Even if the packets are transmitted with a relevant time interval, they can be processed by the server on different CPUs concurrently. The 'subflow_req->msk' ownership is transferred to the first subflow, and there will be a risk of a null pointer dereference here.

This patch fixes this issue by moving the 'subflow_req->msk' under the `own_req == true` conditional.

Note that the !msk check in subflow_hmac_valid() can be dropped, because the same check already exists under the own_req mpj branch where the code has been moved to.
AI Analysis
Technical Summary
CVE-2025-23145 is a NULL pointer dereference in the Linux kernel's Multipath TCP (MPTCP) implementation, in mptcp_can_accept_new_subflow() as called from subflow_syn_recv_sock() (net/mptcp/subflow.c). It is a race on the server side of an MP_JOIN handshake, the exchange that adds a new subflow to an existing MPTCP connection. While that handshake is in progress the request socket (subflow_req) holds a reference to the multipath socket, subflow_req->msk. If two copies of the handshake-completing packet for the same request arrive close together (the commit message describes them as retransmitted SYN-ACKs; the call trace shows them entering through tcp_check_req()), they can be processed concurrently on different CPUs. The CPU that creates the child socket first (own_req == true) moves the msk reference to the new subflow and clears subflow_req->msk. Before the fix, the other CPU called mptcp_can_accept_new_subflow(subflow_req->msk) before it knew whether it owned the request, so it dereferenced the now-NULL pointer in the receive path and the kernel panicked. The result is a remotely reachable denial of service (kernel crash); nothing in the report indicates memory corruption, privilege escalation or data disclosure.

The fix moves the code that uses subflow_req->msk (the mptcp_can_accept_new_subflow() check and the HMAC validation of the MP_JOIN) into the own_req == true branch, so only the context that actually created the child socket touches the pointer; the separate !msk check in subflow_hmac_valid() became redundant and was dropped. The CVE record identifies the affected range by commit 9466a1ccebbe54ac57fb8a89c2b4b854826546a8: a kernel built from a tree that contains that commit but not the fix is affected, which in practice means distribution kernels built with CONFIG_MPTCP that predate the corresponding stable backport. No known exploits are reported in the wild as of the publication date, and no CVSS score has been assigned yet.
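As an added illustration (not kernel code, and not from the page or the commit author), the following user-space C model replays the ordering the commit message describes: two deliveries of the handshake-completing packet for the same request, the first of which takes ownership of the msk. The struct and function names echo the kernel's but every one of them is a simplification made for this example: create_child() stands in for the code path that decides own_req (first caller wins), the subflow-limit check stands in for whatever mptcp_can_accept_new_subflow() really evaluates, and a NULL msk is reported as RES_NULL_DEREF instead of crashing the process. The "vulnerable" function keeps the pre-fix order of operations; the "fixed" one keeps the post-fix order.

```c
/* Added example: user-space model of the CVE-2025-23145 ordering bug.
 * Not kernel code; all names below are simplified stand-ins. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum result {
	RES_JOINED,      /* child created, subflow attached to the msk */
	RES_NOT_OWNER,   /* another CPU already consumed this request */
	RES_REJECTED,    /* msk refused the subflow (limit reached) */
	RES_NULL_DEREF,  /* the kernel would have panicked here */
};

struct mptcp_sock {
	int subflows;           /* model of the current subflow count */
	int subflow_max;        /* model of the path manager's limit */
	bool pm_accept_subflow;
};

struct subflow_request {
	struct mptcp_sock *msk; /* reference taken at SYN time, owned by the request */
	bool mp_join;
	atomic_bool consumed;   /* models own_req: the first CPU to flip it wins */
};

/* Model of mptcp_can_accept_new_subflow(): like the real function it assumes
 * msk is valid; here a NULL msk is reported rather than dereferenced. */
static enum result can_accept_new_subflow(const struct mptcp_sock *msk)
{
	if (!msk)
		return RES_NULL_DEREF;
	return (msk->pm_accept_subflow && msk->subflows < msk->subflow_max)
		? RES_JOINED : RES_REJECTED;
}

/* Stand-in for child socket creation: only the first caller gets own_req. */
static bool create_child(struct subflow_request *req)
{
	return !atomic_exchange(&req->consumed, true);
}

/* Pre-fix order: the msk check runs BEFORE this CPU knows whether it owns
 * the request, so it can read the pointer after the owner cleared it. */
enum result syn_recv_sock_vulnerable(struct subflow_request *req)
{
	enum result r = RES_JOINED;

	if (req->mp_join) {
		r = can_accept_new_subflow(req->msk);
		if (r == RES_NULL_DEREF)
			return r;  /* kernel: panic in mptcp_can_accept_new_subflow */
	}
	if (!create_child(req))
		return RES_NOT_OWNER;
	if (req->mp_join && r == RES_JOINED) {
		req->msk->subflows++;
		req->msk = NULL;   /* move the msk reference ownership to the subflow */
	}
	return r;
}

/* Post-fix order: the msk is only touched inside the own_req branch, so the
 * CPU that lost the race never looks at the pointer at all. */
enum result syn_recv_sock_fixed(struct subflow_request *req)
{
	if (!create_child(req))
		return RES_NOT_OWNER;
	if (req->mp_join) {
		struct mptcp_sock *owner = req->msk;
		enum result r = can_accept_new_subflow(owner);

		if (r != RES_JOINED)
			return r;  /* fallback / dispose child; nothing dereferenced */
		owner->subflows++;
		req->msk = NULL;
	}
	return RES_JOINED;
}

/* Replays the interleaving from the bug report: two copies of the final
 * handshake packet for one request, processed one after the other (on two
 * CPUs in the kernel). Returns what the second delivery observes. */
enum result replay_duplicate_ack(enum result (*handler)(struct subflow_request *))
{
	struct mptcp_sock msk = { .subflows = 0, .subflow_max = 2, .pm_accept_subflow = true };
	struct subflow_request req = { .msk = &msk, .mp_join = true };
	enum result first;

	atomic_init(&req.consumed, false);
	first = handler(&req);      /* CPU A: wins own_req, takes the msk */
	if (first != RES_JOINED)
		return first;
	return handler(&req);       /* CPU B: same request, msk already NULL */
}

/* Single delivery against an msk that is at its subflow limit: shows the
 * fixed order still enforces the limit, it only moves where it is checked. */
enum result replay_single_ack_at_limit(enum result (*handler)(struct subflow_request *))
{
	struct mptcp_sock msk = { .subflows = 0, .subflow_max = 0, .pm_accept_subflow = true };
	struct subflow_request req = { .msk = &msk, .mp_join = true };

	atomic_init(&req.consumed, false);
	return handler(&req);
}

int main(void)
{
	printf("vulnerable, duplicate ack: %d (3 = NULL deref)\n",
	       replay_duplicate_ack(syn_recv_sock_vulnerable));
	printf("fixed, duplicate ack:      %d (1 = not owner)\n",
	       replay_duplicate_ack(syn_recv_sock_fixed));
	printf("fixed, at limit:           %d (2 = rejected)\n",
	       replay_single_ack_at_limit(syn_recv_sock_fixed));
	return 0;
}
```

The replay is sequential, which is the exact interleaving the commit message describes (owner first, loser second); the atomic flag is only there to make "first caller wins" explicit. The point the model makes is that the fix is about ordering, not about adding a NULL check: once the msk is only read by the owner, there is no window in which it can be NULL.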
Potential Impact
For European organizations the exposed population is narrower than "every Linux host": the vulnerable path is only reached by services that listen on an MPTCP socket (IPPROTO_MPTCP, natively or through a wrapper such as mptcpize) on a kernel with net.mptcp.enabled=1, because only such a listener negotiates MP_CAPABLE and accepts MP_JOIN subflows. A plain TCP listener never creates the affected request sockets, even on a kernel built with CONFIG_MPTCP. Where MPTCP is in use, the impact is a kernel panic: the whole host goes down, not just the service, and on a virtualization or container host that takes every tenant with it. The trigger does not require an attacker. The bug was found with a benchmark tool under ordinary retransmissions, so exposed hosts can crash under benign load; a remote peer that is able to complete an MP_JOIN handshake with the host is also positioned to trigger it deliberately by causing the duplicate delivery the commit message describes. That makes multi-homed servers, cloud and data-center front ends and telecom infrastructure that adopted MPTCP for resilience and throughput the systems to worry about, and Internet-facing MPTCP services the higher-risk subset. The vulnerability does not lead to privilege escalation or data leakage; the availability impact is the whole of the risk. The absence of known exploits suggests limited immediate threat, but an unauthenticated-reachable kernel crash in high-availability environments remains a concern.
Mitigation Recommendations
Apply the kernel update that carries the fix ("mptcp: fix NULL pointer in can_accept_new_subflow" in mainline and its stable backports) from your distribution. The fixed code is not observable from user space, so the check is uname -r against the vendor advisory for your distribution, not a runtime probe. Where patching must wait, disable MPTCP on hosts that do not need it with sysctl -w net.mptcp.enabled=0 and persist the setting in /etc/sysctl.d/; this only affects sockets opened with IPPROTO_MPTCP, so ordinary TCP services keep working and MPTCP-capable clients fall back to plain TCP. Do not try to filter or rate-limit "the SYN-ACKs" at the network layer: the triggering packets are ordinary TCP handshake segments and their retransmissions, and dropping them breaks legitimate connections without closing the race. Restricting who can reach MPTCP listeners (segmentation, allow-lists) limits who can trigger the crash deliberately but does nothing for the benign-retransmission case, which is how the bug was found. For detection, remember that a NULL dereference here panics the host, so nothing reaches the local syslog; if you want the oops, configure kdump, pstore or netconsole and look for mptcp_can_accept_new_subflow and subflow_syn_recv_sock in the captured trace. Without that, the signal is unexplained reboots of MPTCP-enabled hosts during bursts of subflow establishment. Track your distribution's advisory for the backport and apply it promptly.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-01-11T14:28:41.512Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9832c4522896dcbe8241
Added to database: 5/21/2025, 9:09:06 AM
Last enriched: 7/3/2025, 10:10:33 PM
Last updated: 10/16/2025, 3:16:17 PM