CVE-2025-38552
Description
In the Linux kernel, the following vulnerability has been resolved:
mptcp: plug races between subflow fail and subflow creation
We have races similar to the one addressed by the previous patch between subflow failing and additional subflow creation. They are just harder to trigger.
The solution is similar. Use a separate flag to track the condition 'socket state prevent any additional subflow creation' protected by the fallback lock.
The socket fallback makes such flag true, and also receiving or sending an MP_FAIL option.
The field 'allow_infinite_fallback' is now always touched under the relevant lock, we can drop the ONCE annotation on write.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in the Linux kernel MPTCP subsystem can allow additional subflows to be created after a subflow failure has been detected.
Vulnerability Analysis
CVE-2025-38552 is a race condition in the Linux kernel’s Multipath TCP (MPTCP) implementation. The vulnerability occurs because there are races between subflow fail and subflow creation, analogous to a previously addressed race condition but more difficult to trigger. The root cause is that the socket state that should prevent any additional subflow creation after a fail is not properly protected under certain conditions.
The solution outlined in the description uses a separate flag to track the condition where the socket state should prevent additional subflow creation, with this flag protected by the fallback lock. This flag becomes true when the socket enters fallback or when an MP_FAIL option is received or sent. The field allow_infinite_fallback is now always touched under the relevant lock, and the previous ONCE annotation on write has been removed.
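A user-space model of the locking pattern described above, added here as an illustration and not taken from the kernel patch. The names `msk_model`, `allow_subflows` and the helper functions are hypothetical, and the unlocked check-then-commit shape of the racy path is an assumption used to make the window visible.

```c
#include <pthread.h>
#include <stdbool.h>

/* User-space model only, not kernel code. allow_subflows is a hypothetical
 * name for the "separate flag" the description mentions. */
struct msk_model {
    pthread_mutex_t fallback_lock;
    bool allow_subflows;
    int subflows;
};

void msk_init(struct msk_model *m) {
    pthread_mutex_init(&m->fallback_lock, NULL);
    m->allow_subflows = true;
    m->subflows = 1;              /* the initial subflow */
}

/* Fallback, or MP_FAIL sent or received: no further subflows allowed. */
void msk_stop_subflows(struct msk_model *m) {
    pthread_mutex_lock(&m->fallback_lock);
    m->allow_subflows = false;
    pthread_mutex_unlock(&m->fallback_lock);
}

/* Fixed shape: the check and the commit share one critical section, so a
 * failure is ordered entirely before or entirely after the creation. */
bool msk_add_subflow(struct msk_model *m) {
    pthread_mutex_lock(&m->fallback_lock);
    bool ok = m->allow_subflows;
    if (ok) m->subflows++;
    pthread_mutex_unlock(&m->fallback_lock);
    return ok;
}

/* Racy shape (assumed for illustration): unlocked check, commit as a later
 * step, failure in between. Returns subflows created after the failure. */
int late_subflows_racy(void) {
    struct msk_model m; msk_init(&m);
    bool ok = m.allow_subflows;   /* creator sees "allowed" */
    msk_stop_subflows(&m);        /* failure lands in the window */
    if (ok) m.subflows++;         /* commit based on a stale check */
    return m.subflows - 1;
}

/* Same ordering of events against the fixed shape. */
int late_subflows_fixed(void) {
    struct msk_model m; msk_init(&m);
    msk_stop_subflows(&m);
    msk_add_subflow(&m);          /* refused: flag read under the lock */
    return m.subflows - 1;
}
```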
Impact and Exploitation
Successful exploitation could allow an attacker to bypass the intended failover mechanism, potentially leading to denial of service (DoS) or other unspecified impacts on the stability of MPTCP connections. The vulnerability is rated High, with a CVSS v3 score of 7.8. The attack likely requires local access or the ability to inject network packets.
Mitigation and References
The vulnerability has been patched in the Linux kernel stable tree. Users should update to a kernel version that includes the fix. The fix is identified in stable kernel commits, e.g., at references [2], [3], and [4]. The product SIMATIC CN 4100 is listed as affected by this CVE in a Siemens advisory [1]; users of that product should apply the provided remediation.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Linux/Linux, v5, Range: 5.15
Patches (0)
No patches discovered yet.
References (7)
- git.kernel.org/stable/c/659da22dee5ff316ba63bdaeeac7b58b5442f6c2 (nvd, Patch)
- git.kernel.org/stable/c/7c96d519ee15a130842a6513530b4d20acd2bfcd (nvd, Patch)
- git.kernel.org/stable/c/c476d627584b7589a134a8b48dd5c6639e4401c5 (nvd, Patch)
- git.kernel.org/stable/c/def5b7b2643ebba696fc60ddf675dca13f073486 (nvd, Patch)
- git.kernel.org/stable/c/f81b6fbe13c7fc413b5158cdffc6a59391a2a8db (nvd, Patch)
- lists.debian.org/debian-lts-announce/2025/10/msg00008.html (nvd, Mailing List, Third Party Advisory)
- cert-portal.siemens.com/productcert/html/ssa-032379.html (nvd)
News mentions (1)
- Siemens SIMATIC (CISA ICS Advisories)