CVE-2025-38491 – Linux MPTCP Atomic Fallback Vulnerability

The following table lists the changes that have been made to the
CVE-2025-38491 record over time.

Vulnerability history details can be useful for understanding the evolution
of a vulnerability, and for identifying the most recent changes that may
impact the vulnerability’s severity, exploitability, or other characteristics.

  • New CVE Received
    by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Jul. 28, 2025

    Action Type Old Value New Value
    Added Description In the Linux kernel, the following vulnerability has been resolved:

    mptcp: make fallback action and fallback decision atomic

    Syzkaller reported the following splat:

    WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 __mptcp_do_fallback net/mptcp/protocol.h:1223 [inline]
    WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 mptcp_do_fallback net/mptcp/protocol.h:1244 [inline]
    WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 check_fully_established net/mptcp/options.c:982 [inline]
    WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 mptcp_incoming_options+0x21a8/0x2510 net/mptcp/options.c:1153
    Modules linked in:
    CPU: 1 UID: 0 PID: 7704 Comm: syz.3.1419 Not tainted 6.16.0-rc3-gbd5ce2324dba #20 PREEMPT(voluntary)
    Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
    RIP: 0010:__mptcp_do_fallback net/mptcp/protocol.h:1223 [inline]
    RIP: 0010:mptcp_do_fallback net/mptcp/protocol.h:1244 [inline]
    RIP: 0010:check_fully_established net/mptcp/options.c:982 [inline]
    RIP: 0010:mptcp_incoming_options+0x21a8/0x2510 net/mptcp/options.c:1153
    Code: 24 18 e8 bb 2a 00 fd e9 1b df ff ff e8 b1 21 0f 00 e8 ec 5f c4 fc 44 0f b7 ac 24 b0 00 00 00 e9 54 f1 ff ff e8 d9 5f c4 fc 90 0b 90 e9 b8 f4 ff ff e8 8b 2a 00 fd e9 8d e6 ff ff e8 81 2a 00
    RSP: 0018:ffff8880a3f08448 EFLAGS: 00010246
    RAX: 0000000000000000 RBX: ffff8880180a8000 RCX: ffffffff84afcf45
    RDX: ffff888090223700 RSI: ffffffff84afdaa7 RDI: 0000000000000001
    RBP: ffff888017955780 R08: 0000000000000001 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
    R13: ffff8880180a8910 R14: ffff8880a3e9d058 R15: 0000000000000000
    FS: 00005555791b8500(0000) GS:ffff88811c495000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 000000110c2800b7 CR3: 0000000058e44000 CR4: 0000000000350ef0
    Call Trace:

    tcp_reset+0x26f/0x2b0 net/ipv4/tcp_input.c:4432
    tcp_validate_incoming+0x1057/0x1b60 net/ipv4/tcp_input.c:5975
    tcp_rcv_established+0x5b5/0x21f0 net/ipv4/tcp_input.c:6166
    tcp_v4_do_rcv+0x5dc/0xa70 net/ipv4/tcp_ipv4.c:1925
    tcp_v4_rcv+0x3473/0x44a0 net/ipv4/tcp_ipv4.c:2363
    ip_protocol_deliver_rcu+0xba/0x480 net/ipv4/ip_input.c:205
    ip_local_deliver_finish+0x2f1/0x500 net/ipv4/ip_input.c:233
    NF_HOOK include/linux/netfilter.h:317 [inline]
    NF_HOOK include/linux/netfilter.h:311 [inline]
    ip_local_deliver+0x1be/0x560 net/ipv4/ip_input.c:254
    dst_input include/net/dst.h:469 [inline]
    ip_rcv_finish net/ipv4/ip_input.c:447 [inline]
    NF_HOOK include/linux/netfilter.h:317 [inline]
    NF_HOOK include/linux/netfilter.h:311 [inline]
    ip_rcv+0x514/0x810 net/ipv4/ip_input.c:567
    __netif_receive_skb_one_core+0x197/0x1e0 net/core/dev.c:5975
    __netif_receive_skb+0x1f/0x120 net/core/dev.c:6088
    process_backlog+0x301/0x1360 net/core/dev.c:6440
    __napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7453
    napi_poll net/core/dev.c:7517 [inline]
    net_rx_action+0xb44/0x1010 net/core/dev.c:7644
    handle_softirqs+0x1d0/0x770 kernel/softirq.c:579
    do_softirq+0x3f/0x90 kernel/softirq.c:480

    __local_bh_enable_ip+0xed/0x110 kernel/softirq.c:407
    local_bh_enable include/linux/bottom_half.h:33 [inline]
    inet_csk_listen_stop+0x2c5/0x1070 net/ipv4/inet_connection_sock.c:1524
    mptcp_check_listen_stop.part.0+0x1cc/0x220 net/mptcp/protocol.c:2985
    mptcp_check_listen_stop net/mptcp/mib.h:118 [inline]
    __mptcp_close+0x9b9/0xbd0 net/mptcp/protocol.c:3000
    mptcp_close+0x2f/0x140 net/mptcp/protocol.c:3066
    inet_release+0xed/0x200 net/ipv4/af_inet.c:435
    inet6_release+0x4f/0x70 net/ipv6/af_inet6.c:487
    __sock_release+0xb3/0x270 net/socket.c:649
    sock_close+0x1c/0x30 net/socket.c:1439
    __fput+0x402/0xb70 fs/file_table.c:465
    task_work_run+0x150/0x240 kernel/task_work.c:227
    resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
    exit_to_user_mode_loop+0xd4
    —truncated—

    Added Reference https://git.kernel.org/stable/c/1d82a8fe6ee4afdc92f4e8808c9dad2a6095bbc5
    Added Reference https://git.kernel.org/stable/c/54999dea879fecb761225e28f274b40662918c30
    Added Reference https://git.kernel.org/stable/c/f8a1d9b18c5efc76784f5a326e905f641f839894
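Added illustration (not part of the CVE record, the commit message, or the kernel's code): the commit title says the fix makes the fallback decision and the fallback action atomic, which describes a check-then-act race. The userland C model below sketches that pattern. struct model_msk, its fields and every function name are invented for illustration and do not correspond to the kernel's struct mptcp_sock or to the referenced commits. The racy variant splits "may we fall back?" from "fall back", so two contexts can both pass the check and the second one trips the already-done invariant (the counterpart of the WARNING in the splat above); the fixed variant performs the check and the update as one atomic exchange, so exactly one caller performs the fallback and the other simply learns that it lost.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical userland model of the shared per-connection state.
 * Field names are assumptions for illustration only; this is not the
 * kernel's struct mptcp_sock. */
struct model_msk {
    atomic_bool fallback_done;  /* the action: connection has fallen back to plain TCP */
    int fallback_warnings;      /* how often "fallback already done" was hit anyway */
};

/* ---- Pre-fix shape: decision and action are two separate steps ---- */

/* Decision: is fallback still possible? Just a read of shared state. */
static bool racy_can_fallback(struct model_msk *m)
{
    return !atomic_load(&m->fallback_done);
}

/* Action: perform the fallback. A caller acting on a stale decision
 * finds the flag already set; the splat above comes from a WARN placed
 * at the equivalent spot in the kernel. */
static void racy_do_fallback(struct model_msk *m)
{
    if (atomic_load(&m->fallback_done)) {
        m->fallback_warnings++;          /* stands in for WARN_ON_ONCE */
        return;
    }
    atomic_store(&m->fallback_done, true);
}

/* Two contexts interleave (think: softirq handling incoming options and
 * process context closing the socket): both decide, then both act.
 * Returns the number of invariant violations, which is 1 here. */
static int simulate_racy_interleaving(void)
{
    struct model_msk m = { 0 };
    bool a_may = racy_can_fallback(&m);   /* context A: "not done yet" */
    bool b_may = racy_can_fallback(&m);   /* context B: also "not done yet" */

    if (a_may)
        racy_do_fallback(&m);             /* A acts: fine */
    if (b_may)
        racy_do_fallback(&m);             /* B acts on a stale decision */
    return m.fallback_warnings;
}

/* ---- Fixed shape: decision and action as one atomic step ---- */

/* Returns true iff this caller performed the fallback. The exchange
 * reads and sets the flag in one indivisible operation, so there is no
 * window in which two callers both observe "not done". */
static bool try_fallback(struct model_msk *m)
{
    bool was_done = atomic_exchange(&m->fallback_done, true);
    return !was_done;
}

/* Same two contexts through the combined primitive. Returns how many
 * callers performed the fallback: exactly 1, with no warning path hit. */
static int simulate_atomic_interleaving(void)
{
    struct model_msk m = { 0 };
    int performed = 0;

    performed += try_fallback(&m);   /* first caller wins */
    performed += try_fallback(&m);   /* second caller is told it lost and takes
                                        the "already fell back" path instead */
    return performed;
}

int main(void)
{
    printf("racy:   invariant violations = %d\n", simulate_racy_interleaving());
    printf("atomic: fallbacks performed   = %d\n", simulate_atomic_interleaving());
    return 0;
}
```

Build with `cc -std=c11 -Wall model.c`. The interleaving is driven from a single thread so the result is deterministic, but atomic_exchange is a genuine C11 atomic read-modify-write, so the property of the fixed variant (at most one winner, no stale decision) also holds when real threads or a softirq and process context contend for the flag.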