{"id":"CVE-2025-23145","summary":"mptcp: fix NULL pointer in can_accept_new_subflow","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix NULL pointer in can_accept_new_subflow\n\nWhen testing valkey benchmark tool with MPTCP, the kernel panics in\n'mptcp_can_accept_new_subflow' because subflow_req-\u003emsk is NULL.\n\nCall trace:\n\n  mptcp_can_accept_new_subflow (./net/mptcp/subflow.c:63 (discriminator 4)) (P)\n  subflow_syn_recv_sock (./net/mptcp/subflow.c:854)\n  tcp_check_req (./net/ipv4/tcp_minisocks.c:863)\n  tcp_v4_rcv (./net/ipv4/tcp_ipv4.c:2268)\n  ip_protocol_deliver_rcu (./net/ipv4/ip_input.c:207)\n  ip_local_deliver_finish (./net/ipv4/ip_input.c:234)\n  ip_local_deliver (./net/ipv4/ip_input.c:254)\n  ip_rcv_finish (./net/ipv4/ip_input.c:449)\n  ...\n\nAccording to the debug log, the same req received two SYN-ACK in a very\nshort time, very likely because the client retransmits the syn ack due\nto multiple reasons.\n\nEven if the packets are transmitted with a relevant time interval, they\ncan be processed by the server on different CPUs concurrently). The\n'subflow_req-\u003emsk' ownership is transferred to the subflow the first,\nand there will be a risk of a null pointer dereference here.\n\nThis patch fixes this issue by moving the 'subflow_req-\u003emsk' under the\n`own_req == true` conditional.\n\nNote that the !msk check in subflow_hmac_valid() can be dropped, because\nthe same check already exists under the own_req mpj branch where the\ncode has been moved to.","modified":"2026-05-18T05:59:15.277701363Z","published":"2025-05-01T12:55:34.622Z","related":["SUSE-SU-2025:01614-1","SUSE-SU-2025:01707-1","SUSE-SU-2025:01918-1","SUSE-SU-2025:01919-1","SUSE-SU-2025:01951-1","SUSE-SU-2025:01964-1","SUSE-SU-2025:01966-1","SUSE-SU-2025:01967-1","SUSE-SU-2025:01972-1","SUSE-SU-2025:02173-1","SUSE-SU-2025:02262-1","SUSE-SU-2025:02264-1","SUSE-SU-2025:02321-1","SUSE-SU-2025:02322-1","SUSE-SU-2025:02537-1","SUSE-SU-2025:20343-1","SUSE-SU-2025:20344-1","SUSE-SU-2025:20354-1","SUSE-SU-2025:20355-1","SUSE-SU-2025:21085-1","SUSE-SU-2025:21086-1","SUSE-SU-2025:21087-1","SUSE-SU-2025:21088-1","SUSE-SU-2025:21089-1","SUSE-SU-2025:21092-1","SUSE-SU-2025:21093-1","SUSE-SU-2025:21094-1","SUSE-SU-2025:21095-1","SUSE-SU-2025:21107-1","SUSE-SU-2025:21108-1","SUSE-SU-2025:21109-1","SUSE-SU-2025:21116-1","SUSE-SU-2025:21117-1","SUSE-SU-2025:21118-1","SUSE-SU-2025:21119-1","SUSE-SU-2025:4160-1","SUSE-SU-2025:4161-1","SUSE-SU-2025:4167-1","SUSE-SU-2025:4199-1","SUSE-SU-2025:4200-1","SUSE-SU-2025:4215-1","SUSE-SU-2025:4227-1","SUSE-SU-2025:4230-1","SUSE-SU-2025:4239-1","SUSE-SU-2025:4243-1","SUSE-SU-2025:4255-1","SUSE-SU-2025:4261-1","SUSE-SU-2025:4262-1","SUSE-SU-2025:4265-1","SUSE-SU-2025:4283-1","SUSE-SU-2025:4302-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/23xxx/CVE-2025-23145.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/443041deb5ef6a1289a99ed95015ec7442f141dc"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4b2649b9717678aeb097893cc49f59311a1ecab0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7f9ae060ed64aef8f174c5f1ea513825b1be9af1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/855bf0aacd51fced11ea9aa0d5101ee0febaeadb"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8cf7fef1bb2ffea7792bcbf71ca00216cecc725d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b3088bd2a6790c8efff139d86d7a9d0b1305977b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/dc81e41a307df523072186b241fa8244fecd7803"},{"type":"WEB","url":"https://git.kernel.org/stable/c/efd58a8dd9e7a709a90ee486a4247c923d27296f"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/23xxx/CVE-2025-23145.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-23145"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"9466a1ccebbe54ac57fb8a89c2b4b854826546a8"},{"fixed":"8cf7fef1bb2ffea7792bcbf71ca00216cecc725d"},{"fixed":"b3088bd2a6790c8efff139d86d7a9d0b1305977b"},{"fixed":"855bf0aacd51fced11ea9aa0d5101ee0febaeadb"},{"fixed":"7f9ae060ed64aef8f174c5f1ea513825b1be9af1"},{"fixed":"dc81e41a307df523072186b241fa8244fecd7803"},{"fixed":"efd58a8dd9e7a709a90ee486a4247c923d27296f"},{"fixed":"4b2649b9717678aeb097893cc49f59311a1ecab0"},{"fixed":"443041deb5ef6a1289a99ed95015ec7442f141dc"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-23145.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.9.0"},{"fixed":"5.10.237"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.181"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.135"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.88"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.24"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.13.12"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.14.0"},{"fixed":"6.14.3"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-23145.json"}}],"schema_version":"1.7.5"}