{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-23145","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-01-11T14:28:41.512Z","datePublished":"2025-05-01T12:55:34.622Z","dateUpdated":"2026-05-11T21:13:49.319Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:13:49.319Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix NULL pointer in can_accept_new_subflow\n\nWhen testing valkey benchmark tool with MPTCP, the kernel panics in\n'mptcp_can_accept_new_subflow' because subflow_req->msk is NULL.\n\nCall trace:\n\n  mptcp_can_accept_new_subflow (./net/mptcp/subflow.c:63 (discriminator 4)) (P)\n  subflow_syn_recv_sock (./net/mptcp/subflow.c:854)\n  tcp_check_req (./net/ipv4/tcp_minisocks.c:863)\n  tcp_v4_rcv (./net/ipv4/tcp_ipv4.c:2268)\n  ip_protocol_deliver_rcu (./net/ipv4/ip_input.c:207)\n  ip_local_deliver_finish (./net/ipv4/ip_input.c:234)\n  ip_local_deliver (./net/ipv4/ip_input.c:254)\n  ip_rcv_finish (./net/ipv4/ip_input.c:449)\n  ...\n\nAccording to the debug log, the same req received two SYN-ACK in a very\nshort time, very likely because the client retransmits the syn ack due\nto multiple reasons.\n\nEven if the packets are transmitted with a relevant time interval, they\ncan be processed by the server on different CPUs concurrently). The\n'subflow_req->msk' ownership is transferred to the subflow the first,\nand there will be a risk of a null pointer dereference here.\n\nThis patch fixes this issue by moving the 'subflow_req->msk' under the\n`own_req == true` conditional.\n\nNote that the !msk check in subflow_hmac_valid() can be dropped, because\nthe same check already exists under the own_req mpj branch where the\ncode has been moved to."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/mptcp/subflow.c"],"versions":[{"version":"9466a1ccebbe54ac57fb8a89c2b4b854826546a8","lessThan":"8cf7fef1bb2ffea7792bcbf71ca00216cecc725d","status":"affected","versionType":"git"},{"version":"9466a1ccebbe54ac57fb8a89c2b4b854826546a8","lessThan":"b3088bd2a6790c8efff139d86d7a9d0b1305977b","status":"affected","versionType":"git"},{"version":"9466a1ccebbe54ac57fb8a89c2b4b854826546a8","lessThan":"855bf0aacd51fced11ea9aa0d5101ee0febaeadb","status":"affected","versionType":"git"},{"version":"9466a1ccebbe54ac57fb8a89c2b4b854826546a8","lessThan":"7f9ae060ed64aef8f174c5f1ea513825b1be9af1","status":"affected","versionType":"git"},{"version":"9466a1ccebbe54ac57fb8a89c2b4b854826546a8","lessThan":"dc81e41a307df523072186b241fa8244fecd7803","status":"affected","versionType":"git"},{"version":"9466a1ccebbe54ac57fb8a89c2b4b854826546a8","lessThan":"efd58a8dd9e7a709a90ee486a4247c923d27296f","status":"affected","versionType":"git"},{"version":"9466a1ccebbe54ac57fb8a89c2b4b854826546a8","lessThan":"4b2649b9717678aeb097893cc49f59311a1ecab0","status":"affected","versionType":"git"},{"version":"9466a1ccebbe54ac57fb8a89c2b4b854826546a8","lessThan":"443041deb5ef6a1289a99ed95015ec7442f141dc","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/mptcp/subflow.c"],"versions":[{"version":"5.9","status":"affected"},{"version":"0","lessThan":"5.9","status":"unaffected","versionType":"semver"},{"version":"5.10.237","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.181","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.135","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.88","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.24","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.13.12","lessThanOrEqual":"6.13.*","status":"unaffected","versionType":"semver"},{"version":"6.14.3","lessThanOrEqual":"6.14.*","status":"unaffected","versionType":"semver"},{"version":"6.15","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"5.10.237"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"5.15.181"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"6.1.135"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"6.6.88"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"6.12.24"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"6.13.12"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"6.14.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"6.15"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/8cf7fef1bb2ffea7792bcbf71ca00216cecc725d"},{"url":"https://git.kernel.org/stable/c/b3088bd2a6790c8efff139d86d7a9d0b1305977b"},{"url":"https://git.kernel.org/stable/c/855bf0aacd51fced11ea9aa0d5101ee0febaeadb"},{"url":"https://git.kernel.org/stable/c/7f9ae060ed64aef8f174c5f1ea513825b1be9af1"},{"url":"https://git.kernel.org/stable/c/dc81e41a307df523072186b241fa8244fecd7803"},{"url":"https://git.kernel.org/stable/c/efd58a8dd9e7a709a90ee486a4247c923d27296f"},{"url":"https://git.kernel.org/stable/c/4b2649b9717678aeb097893cc49f59311a1ecab0"},{"url":"https://git.kernel.org/stable/c/443041deb5ef6a1289a99ed95015ec7442f141dc"}],"title":"mptcp: fix NULL pointer in can_accept_new_subflow","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T19:42:35.316Z"}}]}}