CVE-2025-68227 (GCVE-0-2025-68227)
Vulnerability from cvelistv5
Published
2025-12-16 13:57
Modified
2025-12-16 13:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mptcp: Fix proto fallback detection with BPF
The sockmap feature allows bpf syscall from userspace, or based
on bpf sockops, replacing the sk_prot of sockets during protocol stack
processing with sockmap's custom read/write interfaces.
'''
tcp_rcv_state_process()
syn_recv_sock()/subflow_syn_recv_sock()
tcp_init_transfer(BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB)
bpf_skops_established <== sockops
bpf_sock_map_update(sk) <== call bpf helper
tcp_bpf_update_proto() <== update sk_prot
'''
When the server has MPTCP enabled but the client sends a TCP SYN
without MPTCP, subflow_syn_recv_sock() performs a fallback on the
subflow, replacing the subflow sk's sk_prot with the native sk_prot.
'''
subflow_syn_recv_sock()
subflow_ulp_fallback()
subflow_drop_ctx()
mptcp_subflow_ops_undo_override()
'''
Then, this subflow can be normally used by sockmap, which replaces the
native sk_prot with sockmap's custom sk_prot. The issue occurs when the
user executes accept::mptcp_stream_accept::mptcp_fallback_tcp_ops().
Here, it uses sk->sk_prot to compare with the native sk_prot, but this
is incorrect when sockmap is used, as we may incorrectly set
sk->sk_socket->ops.
This fix uses the more generic sk_family for the comparison instead.
Additionally, this also prevents a WARNING from occurring:
result from ./scripts/decode_stacktrace.sh:
------------[ cut here ]------------
WARNING: CPU: 0 PID: 337 at net/mptcp/protocol.c:68 mptcp_stream_accept \
(net/mptcp/protocol.c:4005)
Modules linked in:
...
PKRU: 55555554
Call Trace:
<TASK>
do_accept (net/socket.c:1989)
__sys_accept4 (net/socket.c:2028 net/socket.c:2057)
__x64_sys_accept (net/socket.c:2067)
x64_sys_call (arch/x86/entry/syscall_64.c:41)
do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
RIP: 0033:0x7f87ac92b83d
---[ end trace 0000000000000000 ]---
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 0b4f33def7bbde1ce2fea05f116639270e7acdc7 Version: 0b4f33def7bbde1ce2fea05f116639270e7acdc7 Version: 0b4f33def7bbde1ce2fea05f116639270e7acdc7 Version: 0b4f33def7bbde1ce2fea05f116639270e7acdc7 Version: 0b4f33def7bbde1ce2fea05f116639270e7acdc7 Version: 0b4f33def7bbde1ce2fea05f116639270e7acdc7 Version: 0b4f33def7bbde1ce2fea05f116639270e7acdc7 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mptcp/protocol.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "92c4092fe012ecdfa5fb05d394f1c1d8f91ad81c",
"status": "affected",
"version": "0b4f33def7bbde1ce2fea05f116639270e7acdc7",
"versionType": "git"
},
{
"lessThan": "7ee8f015eb47907745e2070184a8ab1e442ac3c4",
"status": "affected",
"version": "0b4f33def7bbde1ce2fea05f116639270e7acdc7",
"versionType": "git"
},
{
"lessThan": "344974ea1a3ca30e4920687b0091bda4438cebdb",
"status": "affected",
"version": "0b4f33def7bbde1ce2fea05f116639270e7acdc7",
"versionType": "git"
},
{
"lessThan": "037cc50589643342d69185b663ecf9d26cce91e8",
"status": "affected",
"version": "0b4f33def7bbde1ce2fea05f116639270e7acdc7",
"versionType": "git"
},
{
"lessThan": "9b1980b6f23fa30bf12add19f37c7458625099eb",
"status": "affected",
"version": "0b4f33def7bbde1ce2fea05f116639270e7acdc7",
"versionType": "git"
},
{
"lessThan": "1a0d5c74af9b6ba9ffdf1172de5a1a6df5922a00",
"status": "affected",
"version": "0b4f33def7bbde1ce2fea05f116639270e7acdc7",
"versionType": "git"
},
{
"lessThan": "c77b3b79a92e3345aa1ee296180d1af4e7031f8f",
"status": "affected",
"version": "0b4f33def7bbde1ce2fea05f116639270e7acdc7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mptcp/protocol.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: Fix proto fallback detection with BPF\n\nThe sockmap feature allows bpf syscall from userspace, or based\non bpf sockops, replacing the sk_prot of sockets during protocol stack\nprocessing with sockmap\u0027s custom read/write interfaces.\n\u0027\u0027\u0027\ntcp_rcv_state_process()\n syn_recv_sock()/subflow_syn_recv_sock()\n tcp_init_transfer(BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB)\n bpf_skops_established \u003c== sockops\n bpf_sock_map_update(sk) \u003c== call bpf helper\n tcp_bpf_update_proto() \u003c== update sk_prot\n\u0027\u0027\u0027\n\nWhen the server has MPTCP enabled but the client sends a TCP SYN\nwithout MPTCP, subflow_syn_recv_sock() performs a fallback on the\nsubflow, replacing the subflow sk\u0027s sk_prot with the native sk_prot.\n\u0027\u0027\u0027\nsubflow_syn_recv_sock()\n subflow_ulp_fallback()\n subflow_drop_ctx()\n mptcp_subflow_ops_undo_override()\n\u0027\u0027\u0027\n\nThen, this subflow can be normally used by sockmap, which replaces the\nnative sk_prot with sockmap\u0027s custom sk_prot. The issue occurs when the\nuser executes accept::mptcp_stream_accept::mptcp_fallback_tcp_ops().\nHere, it uses sk-\u003esk_prot to compare with the native sk_prot, but this\nis incorrect when sockmap is used, as we may incorrectly set\nsk-\u003esk_socket-\u003eops.\n\nThis fix uses the more generic sk_family for the comparison instead.\n\nAdditionally, this also prevents a WARNING from occurring:\n\nresult from ./scripts/decode_stacktrace.sh:\n------------[ cut here ]------------\nWARNING: CPU: 0 PID: 337 at net/mptcp/protocol.c:68 mptcp_stream_accept \\\n(net/mptcp/protocol.c:4005)\nModules linked in:\n...\n\nPKRU: 55555554\nCall Trace:\n\u003cTASK\u003e\ndo_accept (net/socket.c:1989)\n__sys_accept4 (net/socket.c:2028 net/socket.c:2057)\n__x64_sys_accept (net/socket.c:2067)\nx64_sys_call (arch/x86/entry/syscall_64.c:41)\ndo_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\nRIP: 0033:0x7f87ac92b83d\n\n---[ end trace 0000000000000000 ]---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:57:20.027Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/92c4092fe012ecdfa5fb05d394f1c1d8f91ad81c"
},
{
"url": "https://git.kernel.org/stable/c/7ee8f015eb47907745e2070184a8ab1e442ac3c4"
},
{
"url": "https://git.kernel.org/stable/c/344974ea1a3ca30e4920687b0091bda4438cebdb"
},
{
"url": "https://git.kernel.org/stable/c/037cc50589643342d69185b663ecf9d26cce91e8"
},
{
"url": "https://git.kernel.org/stable/c/9b1980b6f23fa30bf12add19f37c7458625099eb"
},
{
"url": "https://git.kernel.org/stable/c/1a0d5c74af9b6ba9ffdf1172de5a1a6df5922a00"
},
{
"url": "https://git.kernel.org/stable/c/c77b3b79a92e3345aa1ee296180d1af4e7031f8f"
}
],
"title": "mptcp: Fix proto fallback detection with BPF",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68227",
"datePublished": "2025-12-16T13:57:20.027Z",
"dateReserved": "2025-12-16T13:41:40.257Z",
"dateUpdated": "2025-12-16T13:57:20.027Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-68227\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-16T14:15:56.307\",\"lastModified\":\"2025-12-18T15:08:06.237\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmptcp: Fix proto fallback detection with BPF\\n\\nThe sockmap feature allows bpf syscall from userspace, or based\\non bpf sockops, replacing the sk_prot of sockets during protocol stack\\nprocessing with sockmap\u0027s custom read/write interfaces.\\n\u0027\u0027\u0027\\ntcp_rcv_state_process()\\n syn_recv_sock()/subflow_syn_recv_sock()\\n tcp_init_transfer(BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB)\\n bpf_skops_established \u003c== sockops\\n bpf_sock_map_update(sk) \u003c== call bpf helper\\n tcp_bpf_update_proto() \u003c== update sk_prot\\n\u0027\u0027\u0027\\n\\nWhen the server has MPTCP enabled but the client sends a TCP SYN\\nwithout MPTCP, subflow_syn_recv_sock() performs a fallback on the\\nsubflow, replacing the subflow sk\u0027s sk_prot with the native sk_prot.\\n\u0027\u0027\u0027\\nsubflow_syn_recv_sock()\\n subflow_ulp_fallback()\\n subflow_drop_ctx()\\n mptcp_subflow_ops_undo_override()\\n\u0027\u0027\u0027\\n\\nThen, this subflow can be normally used by sockmap, which replaces the\\nnative sk_prot with sockmap\u0027s custom sk_prot. The issue occurs when the\\nuser executes accept::mptcp_stream_accept::mptcp_fallback_tcp_ops().\\nHere, it uses sk-\u003esk_prot to compare with the native sk_prot, but this\\nis incorrect when sockmap is used, as we may incorrectly set\\nsk-\u003esk_socket-\u003eops.\\n\\nThis fix uses the more generic sk_family for the comparison instead.\\n\\nAdditionally, this also prevents a WARNING from occurring:\\n\\nresult from ./scripts/decode_stacktrace.sh:\\n------------[ cut here ]------------\\nWARNING: CPU: 0 PID: 337 at net/mptcp/protocol.c:68 mptcp_stream_accept \\\\\\n(net/mptcp/protocol.c:4005)\\nModules linked in:\\n...\\n\\nPKRU: 55555554\\nCall Trace:\\n\u003cTASK\u003e\\ndo_accept (net/socket.c:1989)\\n__sys_accept4 (net/socket.c:2028 net/socket.c:2057)\\n__x64_sys_accept (net/socket.c:2067)\\nx64_sys_call (arch/x86/entry/syscall_64.c:41)\\ndo_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)\\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\\nRIP: 0033:0x7f87ac92b83d\\n\\n---[ end trace 0000000000000000 ]---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/037cc50589643342d69185b663ecf9d26cce91e8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/1a0d5c74af9b6ba9ffdf1172de5a1a6df5922a00\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/344974ea1a3ca30e4920687b0091bda4438cebdb\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/7ee8f015eb47907745e2070184a8ab1e442ac3c4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/92c4092fe012ecdfa5fb05d394f1c1d8f91ad81c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9b1980b6f23fa30bf12add19f37c7458625099eb\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c77b3b79a92e3345aa1ee296180d1af4e7031f8f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…