CVE-2025-23145 in Linuxinfo

Summary

by MITRE • 05/01/2025

In the Linux kernel, the following vulnerability has been resolved:

mptcp: fix NULL pointer in can_accept_new_subflow

When testing valkey benchmark tool with MPTCP, the kernel panics in 'mptcp_can_accept_new_subflow' because subflow_req->msk is NULL.

Call trace:

mptcp_can_accept_new_subflow (./net/mptcp/subflow.c:63 (discriminator 4)) (P) subflow_syn_recv_sock (./net/mptcp/subflow.c:854) tcp_check_req (./net/ipv4/tcp_minisocks.c:863) tcp_v4_rcv (./net/ipv4/tcp_ipv4.c:2268) ip_protocol_deliver_rcu (./net/ipv4/ip_input.c:207) ip_local_deliver_finish (./net/ipv4/ip_input.c:234) ip_local_deliver (./net/ipv4/ip_input.c:254) ip_rcv_finish (./net/ipv4/ip_input.c:449) ...

According to the debug log, the same req received two SYN-ACK in a very short time, very likely because the client retransmits the syn ack due to multiple reasons.

Even if the packets are transmitted with a relevant time interval, they can be processed by the server on different CPUs concurrently). The 'subflow_req->msk' ownership is transferred to the subflow the first, and there will be a risk of a null pointer dereference here.

This patch fixes this issue by moving the 'subflow_req->msk' under the `own_req == true` conditional.

Note that the !msk check in subflow_hmac_valid() can be dropped, because the same check already exists under the own_req mpj branch where the code has been moved to.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 03/15/2026

The vulnerability CVE-2025-23145 represents a critical null pointer dereference issue within the Linux kernel's Multipath TCP implementation. This flaw manifests specifically in the mptcp_can_accept_new_subflow function where a NULL pointer access occurs when processing incoming TCP connections. The vulnerability was discovered during testing with the valkey benchmark tool, indicating that it affects high-performance network workloads that utilize Multipath TCP for improved throughput and reliability. The kernel panic occurs at line 63 of net/mptcp/subflow.c with discriminator 4, demonstrating a clear pathway from network packet processing to kernel memory corruption.

The technical root cause stems from improper handling of subflow request ownership in concurrent network processing scenarios. When multiple SYN-ACK packets are received in rapid succession, potentially due to client retransmission mechanisms, the system encounters a race condition where subflow_req->msk becomes NULL after the first packet processing has already transferred ownership. The call trace reveals the execution path through tcp_check_req, tcp_v4_rcv, and various IP input processing functions, ultimately leading to the kernel panic in the MPTCP subsystem. This race condition is particularly problematic because packets can be processed concurrently across different CPU cores, amplifying the timing sensitivity of the vulnerability.

The operational impact of this vulnerability is significant for systems relying on Multipath TCP functionality, as it can lead to complete kernel panics and system crashes. This makes the vulnerability particularly dangerous in production environments where network stability is critical, potentially causing denial of service attacks that could take down entire network services. The vulnerability affects the fundamental connection establishment process in MPTCP, meaning that any application using Multipath TCP for network communication becomes susceptible to this crash condition. The issue is classified under CWE-476 as a NULL pointer dereference, which represents a classic memory safety vulnerability that can be exploited to cause system instability.

The fix implemented in this patch addresses the core issue by restructuring the conditional logic to ensure that subflow_req->msk is only accessed when the request ownership is properly established. The solution moves the subflow_req->msk access under the own_req == true conditional, preventing the null pointer dereference that occurs when the ownership has already been transferred. Additionally, the patch removes redundant null pointer checks in subflow_hmac_valid() since these validations are now properly handled within the moved code branch. This remediation aligns with ATT&CK technique T1499.001 for network denial of service and follows standard kernel security practices for race condition prevention. The fix demonstrates proper defensive programming by ensuring proper state validation before pointer dereference operations, which is essential for maintaining kernel stability in concurrent network processing environments.

Responsible

Linux

Reservation

01/11/2025

Disclosure

05/01/2025

Moderation

accepted

CPE

ready

EPSS

0.00176

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!