{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-21875","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-12-29T08:45:45.781Z","datePublished":"2025-03-27T14:57:06.154Z","dateUpdated":"2026-05-11T21:08:12.769Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:08:12.769Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: always handle address removal under msk socket lock\n\nSyzkaller reported a lockdep splat in the PM control path:\n\n  WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 sock_owned_by_me include/net/sock.h:1711 [inline]\n  WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 msk_owned_by_me net/mptcp/protocol.h:363 [inline]\n  WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 mptcp_pm_nl_addr_send_ack+0x57c/0x610 net/mptcp/pm_netlink.c:788\n  Modules linked in:\n  CPU: 0 UID: 0 PID: 6693 Comm: syz.0.205 Not tainted 6.14.0-rc2-syzkaller-00303-gad1b832bf1cf #0\n  Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024\n  RIP: 0010:sock_owned_by_me include/net/sock.h:1711 [inline]\n  RIP: 0010:msk_owned_by_me net/mptcp/protocol.h:363 [inline]\n  RIP: 0010:mptcp_pm_nl_addr_send_ack+0x57c/0x610 net/mptcp/pm_netlink.c:788\n  Code: 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 ca 7b d3 f5 eb b9 e8 c3 7b d3 f5 90 0f 0b 90 e9 dd fb ff ff e8 b5 7b d3 f5 90 <0f> 0b 90 e9 3e fb ff ff 44 89 f1 80 e1 07 38 c1 0f 8c eb fb ff ff\n  RSP: 0000:ffffc900034f6f60 EFLAGS: 00010283\n  RAX: ffffffff8bee3c2b RBX: 0000000000000001 RCX: 0000000000080000\n  RDX: ffffc90004d42000 RSI: 000000000000a407 RDI: 000000000000a408\n  RBP: ffffc900034f7030 R08: ffffffff8bee37f6 R09: 0100000000000000\n  R10: dffffc0000000000 R11: ffffed100bcc62e4 R12: ffff88805e6316e0\n  R13: ffff88805e630c00 R14: dffffc0000000000 R15: ffff88805e630c00\n  FS:  00007f7e9a7e96c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000001b2fd18ff8 CR3: 0000000032c24000 CR4: 00000000003526f0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  Call Trace:\n   <TASK>\n   mptcp_pm_remove_addr+0x103/0x1d0 net/mptcp/pm.c:59\n   mptcp_pm_remove_anno_addr+0x1f4/0x2f0 net/mptcp/pm_netlink.c:1486\n   mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_netlink.c:1518 [inline]\n   mptcp_pm_nl_del_addr_doit+0x118d/0x1af0 net/mptcp/pm_netlink.c:1629\n   genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]\n   genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\n   genl_rcv_msg+0xb1f/0xec0 net/netlink/genetlink.c:1210\n   netlink_rcv_skb+0x206/0x480 net/netlink/af_netlink.c:2543\n   genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219\n   netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]\n   netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1348\n   netlink_sendmsg+0x8de/0xcb0 net/netlink/af_netlink.c:1892\n   sock_sendmsg_nosec net/socket.c:718 [inline]\n   __sock_sendmsg+0x221/0x270 net/socket.c:733\n   ____sys_sendmsg+0x53a/0x860 net/socket.c:2573\n   ___sys_sendmsg net/socket.c:2627 [inline]\n   __sys_sendmsg+0x269/0x350 net/socket.c:2659\n   do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n   do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n  RIP: 0033:0x7f7e9998cde9\n  Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\n  RSP: 002b:00007f7e9a7e9038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\n  RAX: ffffffffffffffda RBX: 00007f7e99ba5fa0 RCX: 00007f7e9998cde9\n  RDX: 000000002000c094 RSI: 0000400000000000 RDI: 0000000000000007\n  RBP: 00007f7e99a0e2a0 R08: 0000000000000000 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n  R13: 0000000000000000 R14: 00007f7e99ba5fa0 R15: 00007fff49231088\n\nIndeed the PM can try to send a RM_ADDR over a msk without acquiring\nfirst the msk socket lock.\n\nThe bugged code-path comes from an early optimization: when there\nare no subflows, the PM should (usually) not send RM_ADDR\nnotifications.\n\nThe above statement is incorrect, as without locks another process\ncould concur\n---truncated---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/mptcp/pm_netlink.c"],"versions":[{"version":"b6c08380860b926752d57c8fa9911fa388c4b876","lessThan":"494ec285535632732eaa5786297a9ae4f731b5ff","status":"affected","versionType":"git"},{"version":"b6c08380860b926752d57c8fa9911fa388c4b876","lessThan":"7cca31035c05819643ffb5d7518e9a331b3f6651","status":"affected","versionType":"git"},{"version":"b6c08380860b926752d57c8fa9911fa388c4b876","lessThan":"8116fb4acd5d3f06cd37f84887dbe962b6703b1c","status":"affected","versionType":"git"},{"version":"b6c08380860b926752d57c8fa9911fa388c4b876","lessThan":"a05da2be18aae7e82572f8d795f41bb49f5dfc7d","status":"affected","versionType":"git"},{"version":"b6c08380860b926752d57c8fa9911fa388c4b876","lessThan":"4124b782ec2b1e2e490cf0bbf10f53dfd3479890","status":"affected","versionType":"git"},{"version":"b6c08380860b926752d57c8fa9911fa388c4b876","lessThan":"2c3de6dff4373f1036e003f49a32629359530bdb","status":"affected","versionType":"git"},{"version":"b6c08380860b926752d57c8fa9911fa388c4b876","lessThan":"f865c24bc55158313d5779fc81116023a6940ca3","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/mptcp/pm_netlink.c"],"versions":[{"version":"5.10","status":"affected"},{"version":"0","lessThan":"5.10","status":"unaffected","versionType":"semver"},{"version":"5.10.235","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.179","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.130","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.81","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.18","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.13.6","lessThanOrEqual":"6.13.*","status":"unaffected","versionType":"semver"},{"version":"6.14","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10","versionEndExcluding":"5.10.235"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10","versionEndExcluding":"5.15.179"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10","versionEndExcluding":"6.1.130"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10","versionEndExcluding":"6.6.81"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10","versionEndExcluding":"6.12.18"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10","versionEndExcluding":"6.13.6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10","versionEndExcluding":"6.14"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/494ec285535632732eaa5786297a9ae4f731b5ff"},{"url":"https://git.kernel.org/stable/c/7cca31035c05819643ffb5d7518e9a331b3f6651"},{"url":"https://git.kernel.org/stable/c/8116fb4acd5d3f06cd37f84887dbe962b6703b1c"},{"url":"https://git.kernel.org/stable/c/a05da2be18aae7e82572f8d795f41bb49f5dfc7d"},{"url":"https://git.kernel.org/stable/c/4124b782ec2b1e2e490cf0bbf10f53dfd3479890"},{"url":"https://git.kernel.org/stable/c/2c3de6dff4373f1036e003f49a32629359530bdb"},{"url":"https://git.kernel.org/stable/c/f865c24bc55158313d5779fc81116023a6940ca3"}],"title":"mptcp: always handle address removal under msk socket lock","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T19:38:31.794Z"}}]}}