CVE-2025-23145

Source
https://cve.org/CVERecord?id=CVE-2025-23145
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-23145.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-23145
Downstream
Related
Published
2025-05-01T12:55:34.622Z
Modified
2026-03-12T02:16:19.523765Z
Summary
mptcp: fix NULL pointer in can_accept_new_subflow
Details

In the Linux kernel, the following vulnerability has been resolved:

mptcp: fix NULL pointer in can_accept_new_subflow

When testing valkey benchmark tool with MPTCP, the kernel panics in 'mptcp_can_accept_new_subflow' because subflow_req->msk is NULL.

Call trace:

mptcp_can_accept_new_subflow (./net/mptcp/subflow.c:63 (discriminator 4)) (P)
subflow_syn_recv_sock (./net/mptcp/subflow.c:854)
tcp_check_req (./net/ipv4/tcp_minisocks.c:863)
tcp_v4_rcv (./net/ipv4/tcp_ipv4.c:2268)
ip_protocol_deliver_rcu (./net/ipv4/ip_input.c:207)
ip_local_deliver_finish (./net/ipv4/ip_input.c:234)
ip_local_deliver (./net/ipv4/ip_input.c:254)
ip_rcv_finish (./net/ipv4/ip_input.c:449)
...

According to the debug log, the same req received two SYN-ACK in a very short time, very likely because the client retransmits the syn ack due to multiple reasons.

Even if the packets are transmitted with a relevant time interval, they can be processed by the server on different CPUs concurrently. The 'subflow_req->msk' ownership is transferred to the subflow the first, and there will be a risk of a null pointer dereference here.

This patch fixes this issue by moving the 'subflow_req->msk' under the own_req == true conditional.

Note that the !msk check in subflow_hmac_valid() can be dropped, because the same check already exists under the own_req mpj branch where the code has been moved to.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/23xxx/CVE-2025-23145.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9466a1ccebbe54ac57fb8a89c2b4b854826546a8
Fixed
8cf7fef1bb2ffea7792bcbf71ca00216cecc725d
Fixed
b3088bd2a6790c8efff139d86d7a9d0b1305977b
Fixed
855bf0aacd51fced11ea9aa0d5101ee0febaeadb
Fixed
7f9ae060ed64aef8f174c5f1ea513825b1be9af1
Fixed
dc81e41a307df523072186b241fa8244fecd7803
Fixed
efd58a8dd9e7a709a90ee486a4247c923d27296f
Fixed
4b2649b9717678aeb097893cc49f59311a1ecab0
Fixed
443041deb5ef6a1289a99ed95015ec7442f141dc

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-23145.json"