CVE-2025-21706 in Linuxinfo

Summary

by MITRE • 02/27/2025

In the Linux kernel, the following vulnerability has been resolved:

mptcp: pm: only set fullmesh for subflow endp

With the in-kernel path-manager, it is possible to change the 'fullmesh' flag. The code in mptcp_pm_nl_fullmesh() expects to change it only on 'subflow' endpoints, to recreate more or less subflows using the linked address.

Unfortunately, the set_flags() hook was a bit more permissive, and allowed 'implicit' endpoints to get the 'fullmesh' flag while it is not allowed before.

That's what syzbot found, triggering the following warning:

WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 __mark_subflow_endp_available net/mptcp/pm_netlink.c:1496 [inline]
WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_pm_nl_fullmesh net/mptcp/pm_netlink.c:1980 [inline]
WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_nl_set_flags net/mptcp/pm_netlink.c:2003 [inline]
WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_pm_nl_set_flags+0x974/0xdc0 net/mptcp/pm_netlink.c:2064 Modules linked in: CPU: 0 UID: 0 PID: 6499 Comm: syz.1.413 Not tainted 6.13.0-rc5-syzkaller-00172-gd1bf27c4e176 #0 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:__mark_subflow_endp_available net/mptcp/pm_netlink.c:1496 [inline]
RIP: 0010:mptcp_pm_nl_fullmesh net/mptcp/pm_netlink.c:1980 [inline]
RIP: 0010:mptcp_nl_set_flags net/mptcp/pm_netlink.c:2003 [inline]
RIP: 0010:mptcp_pm_nl_set_flags+0x974/0xdc0 net/mptcp/pm_netlink.c:2064 Code: 01 00 00 49 89 c5 e8 fb 45 e8 f5 e9 b8 fc ff ff e8 f1 45 e8 f5 4c 89 f7 be 03 00 00 00 e8 44 1d 0b f9 eb a0 e8 dd 45 e8 f5 90 0b 90 e9 17 ff ff ff 89 d9 80 e1 07 38 c1 0f 8c c9 fc ff ff 48 RSP: 0018:ffffc9000d307240 EFLAGS: 00010293 RAX: ffffffff8bb72e03 RBX: 0000000000000000 RCX: ffff88807da88000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffc9000d307430 R08: ffffffff8bb72cf0 R09: 1ffff1100b842a5e R10: dffffc0000000000 R11: ffffed100b842a5f R12: ffff88801e2e5ac0 R13: ffff88805c214800 R14: ffff88805c2152e8 R15: 1ffff1100b842a5d FS: 00005555619f6500(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020002840 CR3: 00000000247e6000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]
genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
genl_rcv_msg+0xb14/0xec0 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2542 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline]
netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1347 netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1891 sock_sendmsg_nosec net/socket.c:711 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:726 ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583 ___sys_sendmsg net/socket.c:2637 [inline]
__sys_sendmsg+0x269/0x350 net/socket.c:2669 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f5fe8785d29 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fff571f5558 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f5fe8975fa0 RCX: 00007f5fe8785d29 RDX: 0000000000000000 RSI: 0000000020000480 RDI: 0000000000000007 RBP: 00007f5fe8801b08 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f5fe8975fa0 R14: 00007f5fe8975fa0 R15: 000000 ---truncated---

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 05/25/2026

The vulnerability described in CVE-2025-21706 resides within the Linux kernel's Multipath TCP (MPTCP) implementation, specifically in the path manager component. This flaw allows for improper handling of the 'fullmesh' flag during subflow endpoint management, which can lead to unexpected behavior and potential system instability. The MPTCP protocol is designed to improve network performance by allowing data to be transmitted over multiple paths simultaneously. In the context of MPTCP, the 'fullmesh' flag controls how subflows are established and managed between endpoints, particularly in scenarios where multiple paths are available.

The technical issue stems from a discrepancy in the validation logic within the mptcp_pm_nl_fullmesh() function, which is responsible for managing the 'fullmesh' flag. While the intended behavior is to only permit modification of this flag on 'subflow' endpoints, the underlying set_flags() hook was overly permissive and allowed 'implicit' endpoints to also receive the flag. This inconsistency creates a condition where the system attempts to perform operations on endpoints that were not designed to handle the 'fullmesh' flag, leading to a kernel warning and potential system crash. The warning message indicates that the kernel is attempting to mark a subflow endpoint as available, but the code path has been corrupted due to the improper flag assignment.

This vulnerability has significant operational impact, particularly in environments where MPTCP is actively used for network communication. The improper flag handling could lead to denial of service conditions, system instability, or potentially more severe consequences if exploited in a controlled manner. The vulnerability was identified by syzbot, an automated fuzzer that detects kernel bugs, highlighting the importance of kernel-level testing and verification. The issue demonstrates a classic case of insufficient input validation and improper access control, which are common attack vectors in kernel security. From a cybersecurity perspective, this vulnerability aligns with CWE-284 (Improper Access Control) and CWE-704 (Incorrect Type Conversion or Cast), as the system incorrectly handles endpoint type validation and flag assignment.

The mitigation for this vulnerability involves ensuring that the path manager correctly enforces endpoint type restrictions when setting the 'fullmesh' flag. This requires implementing stricter validation in the set_flags() hook to prevent implicit endpoints from receiving the flag, thereby maintaining the intended behavior of the MPTCP subsystem. Organizations should update their Linux kernel versions to include the patched code that resolves this inconsistency. The fix ensures that the kernel properly validates endpoint types before allowing flag modifications, preventing the unintended state that leads to the kernel warning. From an ATT&CK perspective, this vulnerability could be leveraged in a privilege escalation scenario if an attacker can manipulate MPTCP configuration, though the direct attack surface is limited to kernel-level manipulation. The vulnerability underscores the importance of maintaining strict access controls and validation mechanisms in kernel subsystems where network configuration parameters can directly affect system stability and security.

Responsible

Linux

Reservation

12/29/2024

Disclosure

02/27/2025

Moderation

accepted

CPE

ready

EPSS

0.00195

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!