{"id":"AZL-57978","summary":"CVE-2025-21707 affecting package kernel for versions less than 5.15.179.1-1","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: consolidate suboption status\n\nMPTCP maintains the received sub-options status is the bitmask carrying\nthe received suboptions and in several bitfields carrying per suboption\nadditional info.\n\nZeroing the bitmask before parsing is not enough to ensure a consistent\nstatus, and the MPTCP code has to additionally clear some bitfiled\ndepending on the actually parsed suboption.\n\nThe above schema is fragile, and syzbot managed to trigger a path where\na relevant bitfield is not cleared/initialized:\n\n  BUG: KMSAN: uninit-value in __mptcp_expand_seq net/mptcp/options.c:1030 [inline]\n  BUG: KMSAN: uninit-value in mptcp_expand_seq net/mptcp/protocol.h:864 [inline]\n  BUG: KMSAN: uninit-value in ack_update_msk net/mptcp/options.c:1060 [inline]\n  BUG: KMSAN: uninit-value in mptcp_incoming_options+0x2036/0x3d30 net/mptcp/options.c:1209\n   __mptcp_expand_seq net/mptcp/options.c:1030 [inline]\n   mptcp_expand_seq net/mptcp/protocol.h:864 [inline]\n   ack_update_msk net/mptcp/options.c:1060 [inline]\n   mptcp_incoming_options+0x2036/0x3d30 net/mptcp/options.c:1209\n   tcp_data_queue+0xb4/0x7be0 net/ipv4/tcp_input.c:5233\n   tcp_rcv_established+0x1061/0x2510 net/ipv4/tcp_input.c:6264\n   tcp_v4_do_rcv+0x7f3/0x11a0 net/ipv4/tcp_ipv4.c:1916\n   tcp_v4_rcv+0x51df/0x5750 net/ipv4/tcp_ipv4.c:2351\n   ip_protocol_deliver_rcu+0x2a3/0x13d0 net/ipv4/ip_input.c:205\n   ip_local_deliver_finish+0x336/0x500 net/ipv4/ip_input.c:233\n   NF_HOOK include/linux/netfilter.h:314 [inline]\n   ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254\n   dst_input include/net/dst.h:460 [inline]\n   ip_rcv_finish+0x4a2/0x520 net/ipv4/ip_input.c:447\n   NF_HOOK include/linux/netfilter.h:314 [inline]\n   ip_rcv+0xcd/0x380 net/ipv4/ip_input.c:567\n   __netif_receive_skb_one_core net/core/dev.c:5704 [inline]\n   __netif_receive_skb+0x319/0xa00 net/core/dev.c:5817\n   process_backlog+0x4ad/0xa50 net/core/dev.c:6149\n   __napi_poll+0xe7/0x980 net/core/dev.c:6902\n   napi_poll net/core/dev.c:6971 [inline]\n   net_rx_action+0xa5a/0x19b0 net/core/dev.c:7093\n   handle_softirqs+0x1a0/0x7c0 kernel/softirq.c:561\n   __do_softirq+0x14/0x1a kernel/softirq.c:595\n   do_softirq+0x9a/0x100 kernel/softirq.c:462\n   __local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:389\n   local_bh_enable include/linux/bottom_half.h:33 [inline]\n   rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline]\n   __dev_queue_xmit+0x2758/0x57d0 net/core/dev.c:4493\n   dev_queue_xmit include/linux/netdevice.h:3168 [inline]\n   neigh_hh_output include/net/neighbour.h:523 [inline]\n   neigh_output include/net/neighbour.h:537 [inline]\n   ip_finish_output2+0x187c/0x1b70 net/ipv4/ip_output.c:236\n   __ip_finish_output+0x287/0x810\n   ip_finish_output+0x4b/0x600 net/ipv4/ip_output.c:324\n   NF_HOOK_COND include/linux/netfilter.h:303 [inline]\n   ip_output+0x15f/0x3f0 net/ipv4/ip_output.c:434\n   dst_output include/net/dst.h:450 [inline]\n   ip_local_out net/ipv4/ip_output.c:130 [inline]\n   __ip_queue_xmit+0x1f2a/0x20d0 net/ipv4/ip_output.c:536\n   ip_queue_xmit+0x60/0x80 net/ipv4/ip_output.c:550\n   __tcp_transmit_skb+0x3cea/0x4900 net/ipv4/tcp_output.c:1468\n   tcp_transmit_skb net/ipv4/tcp_output.c:1486 [inline]\n   tcp_write_xmit+0x3b90/0x9070 net/ipv4/tcp_output.c:2829\n   __tcp_push_pending_frames+0xc4/0x380 net/ipv4/tcp_output.c:3012\n   tcp_send_fin+0x9f6/0xf50 net/ipv4/tcp_output.c:3618\n   __tcp_close+0x140c/0x1550 net/ipv4/tcp.c:3130\n   __mptcp_close_ssk+0x74e/0x16f0 net/mptcp/protocol.c:2496\n   mptcp_close_ssk+0x26b/0x2c0 net/mptcp/protocol.c:2550\n   mptcp_pm_nl_rm_addr_or_subflow+0x635/0xd10 net/mptcp/pm_netlink.c:889\n   mptcp_pm_nl_rm_subflow_received net/mptcp/pm_netlink.c:924 [inline]\n   mptcp_pm_flush_addrs_and_subflows net/mptcp/pm_netlink.c:1688 [inline]\n   mptcp_nl_flush_addrs_list net/mptcp/pm_netlink.c:1709 [inline]\n   mptcp_pm_nl_flush_addrs_doit+0xe10/0x1630 net/mptcp/pm_netlink.c:1750\n   genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]\n \n---truncated---","modified":"2026-04-01T05:19:15.573837Z","published":"2025-02-27T02:15:14Z","upstream":["CVE-2025-21707"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21707"}],"affected":[{"package":{"name":"kernel","ecosystem":"Azure Linux:2","purl":"pkg:rpm/azure-linux/kernel"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.15.179.1-1"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-57978.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}