CVE-2025-68291: Missing Initialization of Resource in Linux

Severity: 5.5 MEDIUM (No vector)
EPSS: 0.1% (top 84.39%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 16, Latest update Apr 17

Description

In the Linux kernel, the following vulnerability has been resolved: mptcp: Initialise rcv_mss before calling tcp_send_active_reset() in mptcp_do_fastclose(). syzbot reported divide-by-zero in __tcp_select_window() by MPTCP socket. [0] We had a similar issue for the bare TCP and fixed in commit 499350a5a6e7 ("tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0"). Let's apply the same fix to mptcp_do_fastclose(). [0]: Oops: divide error: 0000 [#1] SMP KASAN PTI CPU: 0 UID: 0 PID: 6068 Comm: s

Affected Packages (14 packages)

Linux linux/linux_kernel 6.1.159 6.1.160 +3
Debian linux/linux_kernel < 6.1.162-1 +1
CVEListV5 linux/linux 9ea05fabce31ff93a0adae8221c58bc6d7b832f3 46b8b58f93f1b383c3840fc6e8fab6c3bce9295f +8

🔴 Vulnerability Details (3)

OSV: mptcp: Initialise rcv_mss before calling tcp_send_active_reset() in mptcp_do_fastclose(). (2025-12-16)
OSV: CVE-2025-68291: In the Linux kernel, the following vulnerability has been resolved: mptcp: Initialise rcv_mss before calling tcp_send_active_reset() in mptcp_do_fastc (2025-12-16)
GHSA: GHSA-92x9-c26m-74g2: In the Linux kernel, the following vulnerability has been resolved: mptcp: Initialise rcv_mss before calling tcp_send_active_reset() in mptcp_do_fast (2025-12-16)

📋 Vendor Advisories (7)

Ubuntu: Linux kernel (FIPS) vulnerabilities (2026-04-17)
Ubuntu: Linux kernel (Real-time) vulnerabilities (2026-04-17)
Ubuntu: Linux kernel (NVIDIA) vulnerabilities (2026-04-17)
Ubuntu: Linux kernel vulnerabilities (2026-04-16)
Red Hat: kernel: mptcp: Initialise rcv_mss before calling tcp_send_active_reset() in mptcp_do_fastclose() (2025-12-16)

🕵️ Threat Intelligence (1)

Wiz: CVE-2025-68291 Impact, Exploitability, and Mitigation Steps | Wiz