CVE-2025-23145: Vulnerability in Linux
Description
In the Linux kernel, the following vulnerability has been resolved:

mptcp: fix NULL pointer in can_accept_new_subflow

When testing the valkey benchmark tool with MPTCP, the kernel panics in 'mptcp_can_accept_new_subflow' because subflow_req->msk is NULL.

Call trace:
  mptcp_can_accept_new_subflow (./net/mptcp/subflow.c:63 (discriminator 4)) (P)
  subflow_syn_recv_sock (./net/mptcp/subflow.c:854)
  tcp_check_req (./net/ipv4/tcp_minisocks.c:863)
  tcp_v4_rcv (./net/ipv4/tcp_ipv4.c:2268)
  ip_protocol_deliver_rcu (./net/ipv4/ip_input.c:207)
  ip_local_deliver_finish (./net/ipv4/ip_input.c:234)
  ip_local_deliver (./net/ipv4/ip_input.c:254)
  ip_rcv_finish (./net/ipv4/ip_input.c:449)
  ...

According to the debug log, the same req received two SYN-ACKs in a very short time, very likely because the client retransmits the SYN-ACK for multiple reasons. Even if the packets are transmitted with a relevant time interval, they can be processed by the server on different CPUs concurrently. The 'subflow_req->msk' ownership is transferred to the first subflow, and there will be a risk of a null pointer dereference here.

This patch fixes this issue by moving the 'subflow_req->msk' under the `own_req == true` conditional.

Note that the !msk check in subflow_hmac_valid() can be dropped, because the same check already exists under the own_req mpj branch where the code has been moved to.
AI Analysis
Technical Summary
CVE-2025-23145 is a vulnerability in the Linux kernel's Multipath TCP (MPTCP) implementation, specifically in the function mptcp_can_accept_new_subflow. It is a NULL pointer dereference caused by a race condition when handling incoming SYN-ACK packets that establish new subflows. In certain scenarios the same subflow request (subflow_req) receives two SYN-ACK packets in rapid succession, for example because of client retransmissions or network conditions. Because these packets can be processed concurrently on different CPUs, ownership of subflow_req->msk (the multipath socket) can be transferred to the first subflow before the second handler runs, leaving the second handler to dereference a NULL pointer. The result is a kernel panic, i.e. a denial of service (DoS) by crashing the kernel. The patch moves the access to subflow_req->msk under the own_req == true conditional, ensuring that the pointer is only used when it is valid; the now-redundant NULL check in subflow_hmac_valid() was removed. This vulnerability affects Linux kernel versions containing the specified commit hash 9466a1ccebbe54ac57fb8a89c2b4b854826546a8 and likely other versions with similar MPTCP implementations. No known exploits are reported in the wild as of the publication date, and no CVSS score has been assigned yet.
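The pre-fix and post-fix orderings described above, as an added C model that is not kernel code and not the patch itself: the struct layouts, the enum of outcomes, the per-msk limit of 8 and the replay() helper are constructed for illustration, while the real hand-off lives in subflow_syn_recv_sock and the functions named in the call trace.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed model of the MPTCP MP_JOIN request hand-off; not kernel code. */
struct msk { int subflows; };
struct subflow_req { struct msk *msk; };
enum { PANIC = -1, DISPOSE = 0, ACCEPTED = 1, NOT_OWNER = 2 };

/* Stand-in for mptcp_can_accept_new_subflow(), which dereferences msk;
 * a NULL argument is reported here as PANIC instead of crashing. */
static int can_accept_new_subflow(const struct msk *msk)
{
    return msk ? (msk->subflows < 8) : PANIC;
}

/* Pre-fix ordering: req->msk is checked before this CPU knows whether it
 * owns the request, so a duplicate SYN-ACK for the same req sees NULL. */
static int syn_recv_vulnerable(struct subflow_req *req, bool own_req)
{
    int ok = can_accept_new_subflow(req->msk);
    if (ok <= 0)
        return ok;          /* PANIC or DISPOSE */
    if (!own_req)
        return NOT_OWNER;
    req->msk->subflows++;
    req->msk = NULL;        /* ownership moves to the new subflow */
    return ACCEPTED;
}

/* Post-fix ordering: every use of req->msk sits under own_req and after
 * an explicit NULL check, which is what the patch moved. */
static int syn_recv_fixed(struct subflow_req *req, bool own_req)
{
    if (!own_req)
        return NOT_OWNER;
    struct msk *owner = req->msk;
    if (!owner || can_accept_new_subflow(owner) != 1)
        return DISPOSE;
    owner->subflows++;
    req->msk = NULL;
    return ACCEPTED;
}
/* Replays the advisory's interleaving: the first SYN-ACK handler wins
 * own_req and takes the msk; a second one for the same req does not. */
static int replay(int (*handler)(struct subflow_req *, bool))
{
    struct msk m = { .subflows = 0 };
    struct subflow_req req = { .msk = &m };
    int first = handler(&req, true);
    return first == ACCEPTED ? handler(&req, false) : first;
}
```

With the vulnerable ordering the replay ends in PANIC; with the fixed ordering the duplicate is simply reported as NOT_OWNER and never touches the moved pointer.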
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with MPTCP enabled and exposed to network traffic that could trigger the race condition. The impact is a denial of service through kernel panic, which can cause system crashes and downtime. This is particularly critical for servers and network infrastructure devices that rely on MPTCP for improved network resilience and throughput, such as data centers, cloud service providers, telecom operators, and enterprises with multi-homed network configurations. The DoS could disrupt critical services, leading to operational interruptions and potential financial losses. While the vulnerability does not directly lead to privilege escalation or data leakage, the availability impact is significant. Since exploitation requires sending crafted network packets to the vulnerable system, externally facing Linux servers and network appliances are at higher risk. The absence of known exploits suggests limited immediate threat, but the potential for DoS in high-availability environments remains a concern.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernel to the patched version that addresses CVE-2025-23145. Specifically, kernel versions incorporating the fix that moves the subflow_req->msk assignment under the own_req conditional should be deployed. For environments where immediate patching is not feasible, network-level mitigations can be applied, such as filtering or rate-limiting SYN-ACK packets that may trigger the race condition, especially from untrusted or external sources. Disabling MPTCP on systems where it is not required also reduces the attack surface. Monitoring kernel logs for panics or crashes that reference mptcp_can_accept_new_subflow can help detect exploitation attempts. Additionally, organizations should implement robust network segmentation and intrusion detection systems to identify anomalous traffic patterns indicative of exploitation attempts. Coordination with Linux distribution vendors for timely patch releases and applying security updates promptly is essential to mitigate this vulnerability effectively.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-01-11T14:28:41.512Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9832c4522896dcbe8241
Added to database: 5/21/2025, 9:09:06 AM
Last enriched: 7/3/2025, 10:10:33 PM
Last updated: 8/18/2025, 11:32:06 PM