CVE-2025-38491
published 2025-07-28

Medium 5.5 (CVSS 3.1)
AV:L / AC:L / PR:L / UI:N / S:U / C:N / I:N / A:H
In the Linux kernel, the following vulnerability has been resolved:

mptcp: make fallback action and fallback decision atomic

Syzkaller reported the following splat:

WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 __mptcp_do_fallback net/mptcp/protocol.h:1223 [inline]
WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 mptcp_do_fallback net/mptcp/protocol.h:1244 [inline]
WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 check_fully_established net/mptcp/options.c:982 [inline]
WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 mptcp_incoming_options+0x21a8/0x2510 net/mptcp/options.c:1153
Modules linked in:
CPU: 1 UID: 0 PID: 7704 Comm: syz.3.1419 Not tainted 6.16.0-rc3-gbd5ce2324dba #20 PREEMPT(voluntary)
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:__mptcp_do_fallback net/mptcp/protocol.h:1223 [inline]
RIP: 0010:mptcp_do_fallback net/mptcp/protocol.h:1244 [inline]
RIP: 0010:check_fully_established net/mptcp/options.c:982 [inline]
RIP: 0010:mptcp_incoming_options+0x21a8/0x2510 net/mptcp/options.c:1153
Code: 24 18 e8 bb 2a 00 fd e9 1b df ff ff e8 b1 21 0f 00 e8 ec 5f c4 fc 44 0f b7 ac 24 b0 00 00 00 e9 54 f1 ff ff e8 d9 5f c4 fc 90 0b 90 e9 b8 f4 ff ff e8 8b 2a 00 fd e9 8d e6 ff ff e8 81 2a 00
RSP: 0018:ffff8880a3f08448 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8880180a8000 RCX: ffffffff84afcf45
RDX: ffff888090223700 RSI: ffffffff84afdaa7 RDI: 0000000000000001
RBP: ffff888017955780 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff8880180a8910 R14: ffff8880a3e9d058 R15: 0000000000000000
FS: 00005555791b8500(0000) GS:ffff88811c495000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000110c2800b7 CR3: 0000000058e44000 CR4: 0000000000350ef0
Call Trace:
 tcp_reset+0x26f/0x2b0 net/ipv4/tcp_input.c:4432
 tcp_validate_incoming+0x1057/0x1b60 net/ipv4/tcp_input.c:5975
 tcp_rcv_establish

Affected

38 ranges · showing 25

Vendor | Product | Version range | Fixed in
debian | debian_linux | |
debian | linux | < linux 6.1.153-1 (bookworm) | linux 6.1.153-1 (bookworm)
debian | linux-6.1 | < linux 6.1.153-1 (bookworm) | linux 6.1.153-1 (bookworm)
linux | linux | |
linux | linux | |
linux | linux | |
linux | linux | >= 0530020a7c8f2204e784f0dbdc882bbd961fdbde < 5586518bec27666c747cd52aabb62d485686d0bf | 5586518bec27666c747cd52aabb62d485686d0bf
linux | linux | >= 0530020a7c8f2204e784f0dbdc882bbd961fdbde < 75a4c9ab8a7af0d76b31ccd1188ed178c38b35d2 | 75a4c9ab8a7af0d76b31ccd1188ed178c38b35d2
linux | linux | >= 0530020a7c8f2204e784f0dbdc882bbd961fdbde < 54999dea879fecb761225e28f274b40662918c30 | 54999dea879fecb761225e28f274b40662918c30
linux | linux | >= 0530020a7c8f2204e784f0dbdc882bbd961fdbde < 1d82a8fe6ee4afdc92f4e8808c9dad2a6095bbc5 | 1d82a8fe6ee4afdc92f4e8808c9dad2a6095bbc5
linux | linux | >= 0530020a7c8f2204e784f0dbdc882bbd961fdbde < f8a1d9b18c5efc76784f5a326e905f641f839894 | f8a1d9b18c5efc76784f5a326e905f641f839894
linux | linux | >= 5.10.228 < 5.11 | 5.11
linux | linux | >= 5.15.169 < 5.16 | 5.16
linux | linux_kernel | |
linux | linux_kernel | >= 0 < 6.1.153-1 | 6.1.153-1
linux | linux_kernel | >= 0 < 6.12.41-1 | 6.12.41-1
linux | linux_kernel | >= 0 < 6.16.3-1 | 6.16.3-1
linux | linux_kernel | >= 0 < 6.8.0-100.100 | 6.8.0-100.100
linux | linux_kernel | >= 5.10.228 < 5.11 | 5.11
linux | linux_kernel | >= 5.15.169 < 5.16 | 5.16
linux | linux_kernel | >= 5.19 < 6.1.149 | 6.1.149
linux | linux_kernel | >= 6.13 < 6.15.8 | 6.15.8
linux | linux_kernel | >= 6.2 < 6.6.101 | 6.6.101
linux | linux_kernel | >= 6.7 < 6.12.40 | 6.12.40
msrc | azl3_kernel_6.6.96.2-1_on_azure_linux_3.0 | |

CVSS provenance

nvd | v3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
osv | | 5.5 | MEDIUM |