5.5

CVE-2025-23145

EPSS 0.02%
Veröffentlicht 01.05.2025 12:55:34
Zuletzt bearbeitet 05.11.2025 18:05:35
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

In the Linux kernel, the following vulnerability has been resolved:

mptcp: fix NULL pointer in can_accept_new_subflow

When testing valkey benchmark tool with MPTCP, the kernel panics in
'mptcp_can_accept_new_subflow' because subflow_req->msk is NULL.

Call trace:

  mptcp_can_accept_new_subflow (./net/mptcp/subflow.c:63 (discriminator 4)) (P)
  subflow_syn_recv_sock (./net/mptcp/subflow.c:854)
  tcp_check_req (./net/ipv4/tcp_minisocks.c:863)
  tcp_v4_rcv (./net/ipv4/tcp_ipv4.c:2268)
  ip_protocol_deliver_rcu (./net/ipv4/ip_input.c:207)
  ip_local_deliver_finish (./net/ipv4/ip_input.c:234)
  ip_local_deliver (./net/ipv4/ip_input.c:254)
  ip_rcv_finish (./net/ipv4/ip_input.c:449)
  ...

According to the debug log, the same req received two SYN-ACK in a very
short time, very likely because the client retransmits the syn ack due
to multiple reasons.

Even if the packets are transmitted with a relevant time interval, they
can be processed by the server on different CPUs concurrently). The
'subflow_req->msk' ownership is transferred to the subflow the first,
and there will be a risk of a null pointer dereference here.

This patch fixes this issue by moving the 'subflow_req->msk' under the
`own_req == true` conditional.

Note that the !msk check in subflow_hmac_valid() can be dropped, because
the same check already exists under the own_req mpj branch where the
code has been moved to.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 13

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linux ≫ Linux Kernel Version >= 5.9 < 5.10.237

Linux ≫ Linux Kernel Version >= 5.11 < 5.15.181

Linux ≫ Linux Kernel Version >= 5.16 < 6.1.135

Linux ≫ Linux Kernel Version >= 6.2 < 6.6.88

Linux ≫ Linux Kernel Version >= 6.7 < 6.12.24

Linux ≫ Linux Kernel Version >= 6.13 < 6.13.12

Linux ≫ Linux Kernel Version >= 6.14 < 6.14.3

Debian ≫ Debian Linux Version11.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.034

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-476 NULL Pointer Dereference

The product dereferences a pointer that it expects to be valid but is NULL.

https://git.kernel.org/stable/c/855bf0aacd51fced11ea9aa0d5101ee0febaeadb

Patch

https://git.kernel.org/stable/c/7f9ae060ed64aef8f174c5f1ea513825b1be9af1

Patch

https://git.kernel.org/stable/c/dc81e41a307df523072186b241fa8244fecd7803

Patch

https://git.kernel.org/stable/c/efd58a8dd9e7a709a90ee486a4247c923d27296f

Patch

https://git.kernel.org/stable/c/4b2649b9717678aeb097893cc49f59311a1ecab0

Patch

https://git.kernel.org/stable/c/443041deb5ef6a1289a99ed95015ec7442f141dc

Patch

https://git.kernel.org/stable/c/8cf7fef1bb2ffea7792bcbf71ca00216cecc725d

Patch

https://git.kernel.org/stable/c/b3088bd2a6790c8efff139d86d7a9d0b1305977b

Patch

https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html

Mailing List

https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2025-23145

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-23145

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-23145

EUVD