CVE-2025-40258: Critical Use-After-Free Fixed in Linux Kernel MPTCP

Overview

CVE-2025-40258 describes a use-after-free vulnerability found in the Multipath TCP (MPTCP) implementation within the Linux kernel. This flaw, discovered by syzbot, arises from a race condition in the mptcp_schedule_work() function. If exploited, this vulnerability can lead to system crashes, denial of service, and potentially arbitrary code execution. A patch has been released to address this issue.

Technical Details

The root cause of CVE-2025-40258 lies in the order of operations within the mptcp_schedule_work() function. The original code sequence was:

            
[A]         if (schedule_work(...)) {
[B]             sock_hold(sk);
                return true;
            }
            
        

The problem is that the scheduled work can run immediately, so mptcp_worker() may run to completion *before* the sock_hold(sk) call at [B] executes. The socket structure can then be freed prematurely, and sock_hold(sk) attempts to increment the reference count of already freed memory, a use-after-free. The syzbot report shows exactly this: a reference count addition on freed memory:

            
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 1 PID: 29 at lib/refcount.c:25 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:25
Call Trace:
<TASK>
__refcount_add include/linux/refcount.h:-1 [inline]
__refcount_inc include/linux/refcount.h:366 [inline]
refcount_inc include/linux/refcount.h:383 [inline]
sock_hold include/net/sock.h:816 [inline]
mptcp_schedule_work+0x164/0x1a0 net/mptcp/protocol.c:943
mptcp_tout_timer+0x21/0xa0 net/mptcp/protocol.c:2316
call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747
expire_timers kernel/time/timer.c:1798 [inline]
__run_timers kernel/time/timer.c:2372 [inline]
__run_timer_base+0x648/0x970 kernel/time/timer.c:2384
run_timer_base kernel/time/timer.c:2393 [inline]
run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403
handle_softirqs+0x22f/0x710 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
run_ktimerd+0xcf/0x190 kernel/softirq.c:1138
smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
            
        

The corrected code sequence is:

            
sock_hold(sk);
if (schedule_work(...))
    return true;
sock_put(sk);
            
        

By taking the socket reference *before* scheduling the work, and releasing it again only if the work was not queued, the reference is guaranteed to exist for the whole time the worker can run, which eliminates the race.
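To make the ordering problem concrete, here is an added user-space model of both sequences. It is not kernel code and not the project's own: the names sock_hold, sock_put, schedule_work and mptcp_worker mirror the kernel's, but struct sock, the refcount bookkeeping and the worker body are simplified stand-ins constructed for this illustration. The one assumption that drives the demonstration is that the queued work runs to completion immediately inside schedule_work(), which is the worst-case interleaving the advisory describes; the model then shows the original order producing the same "addition on 0" condition that syzbot reported, while the corrected order keeps the socket alive.

```c
/*
 * Added example (not kernel code): a user-space model of the ordering
 * bug behind CVE-2025-40258 and of the corrected sequence.  Everything
 * here is a simplified stand-in constructed for illustration.
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for the kernel's refcount_t on a socket. */
struct sock {
    unsigned int refcnt;
    bool freed;          /* set once the last reference is dropped */
};

static int uaf_warnings;   /* counts "addition on 0" events observed */

/* Like refcount_inc(): an increment on a zero count is a use-after-free
 * and is reported (the kernel's refcount_warn_saturate() does this). */
static void sock_hold(struct sock *sk)
{
    if (sk->refcnt == 0) {
        uaf_warnings++;  /* "refcount_t: addition on 0; use-after-free." */
        return;
    }
    sk->refcnt++;
}

/* Dropping the last reference frees the socket in the real kernel. */
static void sock_put(struct sock *sk)
{
    if (--sk->refcnt == 0)
        sk->freed = true;
}

/* The worker drops the reference the scheduler took on its behalf. */
static void mptcp_worker(struct sock *sk)
{
    /* ... actual MPTCP work would go here ... */
    sock_put(sk);
}

/*
 * Model of schedule_work(): returns true if work was queued.  Assumption
 * for this demo: queued work runs to completion right away, i.e. the
 * worker finishes before the caller executes its next statement.
 */
static bool schedule_work(struct sock *sk, bool already_pending)
{
    if (already_pending)
        return false;    /* work already queued, nothing new scheduled */
    mptcp_worker(sk);
    return true;
}

/* Original (vulnerable) order: schedule first, take the reference after. */
static bool mptcp_schedule_work_vulnerable(struct sock *sk, bool pending)
{
    if (schedule_work(sk, pending)) {   /* [A] worker may already be done */
        sock_hold(sk);                   /* [B] may touch a freed socket  */
        return true;
    }
    return false;
}

/* Fixed order: take the reference first, release it only if nothing ran. */
static bool mptcp_schedule_work_fixed(struct sock *sk, bool pending)
{
    sock_hold(sk);
    if (schedule_work(sk, pending))
        return true;
    sock_put(sk);
    return false;
}

/* Runs one scenario starting from a socket with exactly one remaining
 * reference (held by some other owner) and returns the number of
 * use-after-free warnings it produced. */
static int run_scenario(bool use_fixed, bool pending, struct sock *out)
{
    struct sock sk = { .refcnt = 1, .freed = false };
    uaf_warnings = 0;
    if (use_fixed)
        mptcp_schedule_work_fixed(&sk, pending);
    else
        mptcp_schedule_work_vulnerable(&sk, pending);
    if (out)
        *out = sk;
    return uaf_warnings;
}

/* True if the other owner's reference is still intact after the scenario. */
static bool socket_survives(bool use_fixed, bool pending)
{
    struct sock sk;
    run_scenario(use_fixed, pending, &sk);
    return !sk.freed && sk.refcnt == 1;
}

int main(void)
{
    printf("vulnerable order: %d UAF warning(s), socket survives: %d\n",
           run_scenario(false, false, NULL), socket_survives(false, false));
    printf("fixed order:      %d UAF warning(s), socket survives: %d\n",
           run_scenario(true, false, NULL), socket_survives(true, false));
    printf("fixed, pending:   %d UAF warning(s), socket survives: %d\n",
           run_scenario(true, true, NULL), socket_survives(true, true));
    return 0;
}
```

Running it shows the vulnerable order reporting one "addition on 0" warning with the socket already freed when [B] runs, while the fixed order leaves the other owner's reference untouched whether or not the work was actually queued. The model is deterministic on purpose: in the real kernel the bad interleaving depends on scheduling, which is why syzbot needed many runs to surface it and why a patched kernel, not a retry, is the fix.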

CVSS Analysis

Currently, a CVSS score is not available (N/A). However, given that this is a use-after-free vulnerability within the kernel, a high severity score is expected once formally assessed. Exploitation could lead to privilege escalation or denial of service.

Possible Impact

The impact of exploiting CVE-2025-40258 includes:

  • System Crash: The most likely outcome is a kernel panic, leading to a system crash and downtime.
  • Denial of Service (DoS): Repeated exploitation could render a system unusable.
  • Privilege Escalation: In some scenarios, an attacker might be able to leverage this vulnerability to gain elevated privileges.
  • Arbitrary Code Execution: While less likely, it’s theoretically possible to execute arbitrary code within the kernel context, offering complete control of the system.

Mitigation and Patch Steps

The primary mitigation strategy is to apply the relevant patch to your Linux kernel. This patch has been incorporated into stable kernel releases. Ensure that your system is updated to a kernel version containing the fix.

  1. Check your Kernel Version: Use the uname -r command to determine your current kernel version.
  2. Apply Updates: Use your distribution’s package manager (e.g., apt for Debian/Ubuntu, yum for CentOS/RHEL, pacman for Arch Linux) to update your system.
  3. Verify Patch Application: After updating, verify that the patch has been applied by checking the kernel changelog or by manually inspecting the relevant code in net/mptcp/protocol.c.
  4. Reboot: A reboot is often required for the new kernel to take effect.

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
