{"id":66896,"date":"2025-07-28T17:33:56","date_gmt":"2025-07-28T14:03:56","guid":{"rendered":"https:\/\/afaghhosting.net\/blog\/cve-2025-38491-linux-mptcp-atomic-fallback-vulnerability\/"},"modified":"2025-07-28T17:33:56","modified_gmt":"2025-07-28T14:03:56","slug":"cve-2025-38491-linux-mptcp-atomic-fallback-vulnerability","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cve-2025-38491-linux-mptcp-atomic-fallback-vulnerability\/","title":{"rendered":"CVE-2025-38491 &#8211; Linux MPTCP Atomic Fallback Vulnerability"},"content":{"rendered":"<p><strong>CVE ID : <\/strong>CVE-2025-38491<br \/>\n<br \/>\n<strong>Published : <\/strong> July 28, 2025, 12:15 p.m. | 1\u00a0hour, 5\u00a0minutes ago<br \/>\n<br \/>\n<strong>Description : <\/strong>In the Linux kernel, the following vulnerability has been resolved:<\/p>\n<p>mptcp: make fallback action and fallback decision atomic<\/p>\n<p>Syzkaller reported the following splat:<\/p>\n<p>  WARNING: CPU: 1 PID: 7704 at net\/mptcp\/protocol.h:1223 __mptcp_do_fallback net\/mptcp\/protocol.h:1223 [inline]\n  WARNING: CPU: 1 PID: 7704 at net\/mptcp\/protocol.h:1223 mptcp_do_fallback net\/mptcp\/protocol.h:1244 [inline]\n  WARNING: CPU: 1 PID: 7704 at net\/mptcp\/protocol.h:1223 check_fully_established net\/mptcp\/options.c:982 [inline]\n  WARNING: CPU: 1 PID: 7704 at net\/mptcp\/protocol.h:1223 mptcp_incoming_options+0x21a8\/0x2510 net\/mptcp\/options.c:1153<br \/>\n  Modules linked in:<br \/>\n  CPU: 1 UID: 0 PID: 7704 Comm: syz.3.1419 Not tainted 6.16.0-rc3-gbd5ce2324dba #20 PREEMPT(voluntary)<br \/>\n  Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04\/01\/2014<br \/>\n  RIP: 0010:__mptcp_do_fallback net\/mptcp\/protocol.h:1223 [inline]\n  RIP: 0010:mptcp_do_fallback net\/mptcp\/protocol.h:1244 [inline]\n  RIP: 0010:check_fully_established net\/mptcp\/options.c:982 [inline]\n  RIP: 0010:mptcp_incoming_options+0x21a8\/0x2510 net\/mptcp\/options.c:1153<br \/>\n  Code: 24 18 e8 bb 2a 00 fd e9 1b df ff ff e8 b1 21 0f 00 e8 ec 5f c4 fc 44 0f b7 ac 24 b0 00 00 00 e9 54 f1 ff ff e8 d9 5f c4 fc 90  0b 90 e9 b8 f4 ff ff e8 8b 2a 00 fd e9 8d e6 ff ff e8 81 2a 00<br \/>\n  RSP: 0018:ffff8880a3f08448 EFLAGS: 00010246<br \/>\n  RAX: 0000000000000000 RBX: ffff8880180a8000 RCX: ffffffff84afcf45<br \/>\n  RDX: ffff888090223700 RSI: ffffffff84afdaa7 RDI: 0000000000000001<br \/>\n  RBP: ffff888017955780 R08: 0000000000000001 R09: 0000000000000000<br \/>\n  R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000<br \/>\n  R13: ffff8880180a8910 R14: ffff8880a3e9d058 R15: 0000000000000000<br \/>\n  FS:  00005555791b8500(0000) GS:ffff88811c495000(0000) knlGS:0000000000000000<br \/>\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br \/>\n  CR2: 000000110c2800b7 CR3: 0000000058e44000 CR4: 0000000000350ef0<br \/>\n  Call Trace:<\/p>\n<p>   tcp_reset+0x26f\/0x2b0 net\/ipv4\/tcp_input.c:4432<br \/>\n   tcp_validate_incoming+0x1057\/0x1b60 net\/ipv4\/tcp_input.c:5975<br \/>\n   tcp_rcv_established+0x5b5\/0x21f0 net\/ipv4\/tcp_input.c:6166<br \/>\n   tcp_v4_do_rcv+0x5dc\/0xa70 net\/ipv4\/tcp_ipv4.c:1925<br \/>\n   tcp_v4_rcv+0x3473\/0x44a0 net\/ipv4\/tcp_ipv4.c:2363<br \/>\n   ip_protocol_deliver_rcu+0xba\/0x480 net\/ipv4\/ip_input.c:205<br \/>\n   ip_local_deliver_finish+0x2f1\/0x500 net\/ipv4\/ip_input.c:233<br \/>\n   NF_HOOK include\/linux\/netfilter.h:317 [inline]\n   NF_HOOK include\/linux\/netfilter.h:311 [inline]\n   ip_local_deliver+0x1be\/0x560 net\/ipv4\/ip_input.c:254<br \/>\n   dst_input include\/net\/dst.h:469 [inline]\n   ip_rcv_finish net\/ipv4\/ip_input.c:447 [inline]\n   NF_HOOK include\/linux\/netfilter.h:317 [inline]\n   NF_HOOK include\/linux\/netfilter.h:311 [inline]\n   ip_rcv+0x514\/0x810 net\/ipv4\/ip_input.c:567<br \/>\n   __netif_receive_skb_one_core+0x197\/0x1e0 net\/core\/dev.c:5975<br \/>\n   __netif_receive_skb+0x1f\/0x120 net\/core\/dev.c:6088<br \/>\n   process_backlog+0x301\/0x1360 net\/core\/dev.c:6440<br \/>\n   __napi_poll.constprop.0+0xba\/0x550 net\/core\/dev.c:7453<br \/>\n   napi_poll net\/core\/dev.c:7517 [inline]\n   net_rx_action+0xb44\/0x1010 net\/core\/dev.c:7644<br \/>\n   handle_softirqs+0x1d0\/0x770 kernel\/softirq.c:579<br \/>\n   do_softirq+0x3f\/0x90 kernel\/softirq.c:480<\/p>\n<p>   __local_bh_enable_ip+0xed\/0x110 kernel\/softirq.c:407<br \/>\n   local_bh_enable include\/linux\/bottom_half.h:33 [inline]\n   inet_csk_listen_stop+0x2c5\/0x1070 net\/ipv4\/inet_connection_sock.c:1524<br \/>\n   mptcp_check_listen_stop.part.0+0x1cc\/0x220 net\/mptcp\/protocol.c:2985<br \/>\n   mptcp_check_listen_stop net\/mptcp\/mib.h:118 [inline]\n   __mptcp_close+0x9b9\/0xbd0 net\/mptcp\/protocol.c:3000<br \/>\n   mptcp_close+0x2f\/0x140 net\/mptcp\/protocol.c:3066<br \/>\n   inet_release+0xed\/0x200 net\/ipv4\/af_inet.c:435<br \/>\n   inet6_release+0x4f\/0x70 net\/ipv6\/af_inet6.c:487<br \/>\n   __sock_release+0xb3\/0x270 net\/socket.c:649<br \/>\n   sock_close+0x1c\/0x30 net\/socket.c:1439<br \/>\n   __fput+0x402\/0xb70 fs\/file_table.c:465<br \/>\n   task_work_run+0x150\/0x240 kernel\/task_work.c:227<br \/>\n   resume_user_mode_work include\/linux\/resume_user_mode.h:50 [inline]\n   exit_to_user_mode_loop+0xd4<br \/>\n&#8212;truncated&#8212;<br \/>\n<br \/>\n<strong>Severity:<\/strong> 0.0 | NA<br \/>\n<br \/>\nVisit the link for more details, such as CVSS details, affected products, timeline, and more&#8230;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CVE ID : CVE-2025-38491 Published : July 28, 2025, 12:15 p.m. | 1\u00a0hour, 5\u00a0minutes ago Description : In the Linux kernel, the following vulnerability has been resolved: mptcp: make fallback action and fallback decision atomic Syzkaller reported the following splat: WARNING: CPU: 1 PID: 7704 at net\/mptcp\/protocol.h:1223 __mptcp_do_fallback net\/mptcp\/protocol.h:1223 [inline] WARNING: CPU: 1 PID: 7704 &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-66896","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/66896","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=66896"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/66896\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=66896"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=66896"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=66896"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}