Overview
CVE-2025-40257 describes a race condition vulnerability found in the Multipath TCP (MPTCP) implementation within the Linux kernel. This flaw can lead to a use-after-free condition, potentially causing system crashes or other undefined behavior. The vulnerability was identified by syzbot and has been addressed in recent kernel updates. This article provides a detailed analysis of the vulnerability, its potential impact, and the recommended mitigation steps.
Technical Details
The vulnerability resides in the mptcp_pm_del_add_timer() function within the MPTCP path manager. A race condition can occur when this function attempts to stop the add_timer of a particular entry while another thread has already freed that entry. Because the timer is stopped without proper synchronization, the use-after-free condition arises when the timer handler tries to access the freed memory.
The syzbot report highlights the following:
BUG: KASAN: slab-use-after-free in __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616
Read of size 4 at addr ffff8880311e4150 by task kworker/1:1/44
CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
The root cause is the lack of proper synchronization when stopping and freeing the timer entry. The patch addresses this by adding RCU (Read-Copy-Update) protection to ensure safe access to the shared data structure. Additionally, the variable name add_timer was changed to stop_timer for clarity.
CVSS Analysis
While the CVE entry currently lacks a CVSS score, a use-after-free vulnerability in the kernel generally indicates a high severity issue. A successful exploit could lead to kernel crashes, denial of service, or potentially privilege escalation, though the specific impact depends on the context and exploit details. We will update this section when a CVSS score is assigned.
Possible Impact
The impact of CVE-2025-40257 could be significant, particularly for systems relying on MPTCP. Potential consequences include:
- Kernel crashes: The use-after-free can cause the kernel to crash, leading to system downtime.
- Denial of Service (DoS): Repeated exploitation could lead to a persistent DoS condition.
- Potential privilege escalation: Although less likely, a carefully crafted exploit could potentially lead to privilege escalation, allowing an attacker to gain control of the system.
Mitigation or Patch Steps
The recommended mitigation is to apply the upstream patches that address this vulnerability. The fix consists of the following upstream commits:
- Apply the commits found in the first upstream fix.
- Apply the commits found in the second upstream fix.
- Apply the commits found in the third upstream fix.
- Apply the commits found in the fourth upstream fix.
Distributions that include the affected kernel versions will likely release updated packages containing the fix. It is crucial to update your systems to the latest available kernel version to address this vulnerability.
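As an added triage helper (not part of the advisory or the kernel tree), the following script checks two things a defender needs before deciding whether a host is exposed: whether MPTCP is enabled at all (the net.mptcp.enabled sysctl), and whether the running kernel is at or above a fixed version. The advisory above does not list the fixed kernel versions, so the fixed version is an assumption supplied by the caller from the distribution's security notice.

```shell
#!/bin/sh
# Added triage helper for CVE-2025-40257 (not from the advisory or the kernel tree).
# The fixed kernel version is NOT given on the page, so the caller supplies it.
# Caveat: distribution kernels often backport fixes without bumping the upstream
# version string, so compare against the distro package version, not upstream.

# version_ge A B: succeed when dotted version A is >= B. Suffixes such as
# "-generic" are ignored and missing components count as 0.
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$1" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        y=$(printf '%s\n' "$2" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# mptcp_enabled [FILE]: succeed when net.mptcp.enabled reads 1. FILE defaults to
# the live sysctl; a path is accepted so the logic can be exercised offline.
# A missing file means MPTCP is not built into this kernel.
mptcp_enabled() {
    f="${1:-/proc/sys/net/mptcp/enabled}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# assess RUNNING FIXED [FILE]: print one of exposed / patched / mptcp-disabled.
# With MPTCP disabled the path-manager code is not reachable from sockets,
# which lowers exposure but does not remove the bug; still patch.
assess() {
    if ! mptcp_enabled "$3"; then
        echo "mptcp-disabled"
    elif version_ge "$1" "$2"; then
        echo "patched"
    else
        echo "exposed"
    fi
}

# Usage: sh triage.sh <FIXED_VERSION>   (placeholder: take it from your distro advisory)
if [ "$#" -eq 1 ]; then
    echo "kernel $(uname -r): $(assess "$(uname -r)" "$1")"
fi
```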
