VYPR
Unrated severity · NVD Advisory · Published Nov 12, 2025 · Updated Apr 15, 2026

CVE-2025-40133

Description

In the Linux kernel, the following vulnerability has been resolved:

mptcp: Use __sk_dst_get() and dst_dev_rcu() in mptcp_active_enable().

mptcp_active_enable() is called from subflow_finish_connect(), which is icsk->icsk_af_ops->sk_rx_dst_set() and it's not always under RCU.

Using sk_dst_get(sk)->dev could trigger UAF.

Let's use __sk_dst_get() and dst_dev_rcu().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free in the Linux kernel's MPTCP subsystem, caused by mptcp_active_enable() reading the destination cache entry's device pointer outside an RCU read-side critical section. The upstream description reports the use-after-free itself; it does not describe privilege escalation.

Vulnerability

Overview

In the Linux kernel, the MPTCP (Multipath TCP) implementation has a use-after-free (UAF) in mptcp_active_enable(). The function is called from subflow_finish_connect(), which runs as the icsk->icsk_af_ops->sk_rx_dst_set() callback of the inet connection socket. mptcp_active_enable() used sk_dst_get(sk)->dev to find the network device behind the socket's cached destination entry. sk_dst_get() takes a reference on the dst_entry, which keeps the dst_entry alive, but the dst->dev pointer inside it is RCU-managed: it is only guaranteed to point at a live net_device while the reader is inside an RCU read-side critical section. Because this call path is not always under RCU, the device can be unregistered and freed while mptcp_active_enable() is still using the pointer, which is the UAF [1].

Exploitation

Reaching the affected path requires local access and the ability to open MPTCP connections (IPPROTO_MPTCP sockets), which needs no special privileges. The bug is a race: the network device referenced by the socket's cached destination entry is torn down concurrently with mptcp_active_enable() reading it, so the read hits freed memory. The kernel's description states only that this "could trigger UAF"; neither it nor the references describe a working exploit or attacker control over the freed object.

Impact

A use-after-free in the kernel can at minimum crash the system (denial of service). Whether it can be turned into privilege escalation depends on the attacker being able to reclaim and control the freed net_device memory, which the description does not establish. It should still be treated as kernel memory corruption reachable from unprivileged code [1].

Mitigation

The fix has been applied in the Linux kernel stable tree via commit cc976ec9e38bb79409de3261ba1dbb6868e2a53e. It replaces the reference-taking sk_dst_get() with __sk_dst_get() inside an RCU read-side critical section and reads the device through dst_dev_rcu(), so the net_device cannot be freed while it is being examined. Affected users should update to a kernel containing this commit.
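To make the Overview and Mitigation concrete, the following is an added, single-threaded userspace model of the bug and the fix; it is not kernel code and not the patch itself. It shows why a reference on the dst_entry (sk_dst_get) does not keep dst->dev alive, why reading the device belongs inside rcu_read_lock() through dst_dev_rcu(), and what a lockdep-style check reports when dst_dev_rcu() is called outside a read-side section. Every function and struct is a simplified stand-in named after the kernel API it imitates; the "race" flag and the loopback check are constructed for the demonstration.

```c
/* Added example, not kernel code: userspace model of the MPTCP dst->dev UAF.
 * Functions are stand-ins named after the kernel APIs they imitate. */
#include <stdio.h>

#define IFF_LOOPBACK 0x8

struct net_device { unsigned int flags; int freed; };      /* freed: set instead of free() so a stale read is observable */
struct dst_entry  { int refcnt; struct net_device *dev; };  /* dev is RCU-managed: swapped on unregister, freed later */
struct sock       { struct dst_entry *sk_dst_cache; };

static int rcu_depth;                      /* nesting of rcu_read_lock() sections (one "CPU") */
static int lockdep_warnings;               /* RCU_LOCKDEP_WARN-style: rcu_dereference() outside a section */
static struct net_device blackhole_dev;    /* what the kernel retargets dst->dev to when a device goes away */
static struct net_device *rcu_pending[4];  /* call_rcu() queue: frees deferred until readers leave */
static int rcu_pending_n;

static void rcu_read_lock(void) { rcu_depth++; }
static void rcu_read_unlock(void) {
    if (--rcu_depth == 0)                  /* grace period: run the deferred frees */
        while (rcu_pending_n > 0) rcu_pending[--rcu_pending_n]->freed = 1;
}
static void call_rcu_free_dev(struct net_device *dev) {
    if (rcu_depth > 0) rcu_pending[rcu_pending_n++] = dev;
    else dev->freed = 1;
}

/* __sk_dst_get(): borrow the cached dst; valid only under RCU or the socket lock */
static struct dst_entry *__sk_dst_get(struct sock *sk) { return sk->sk_dst_cache; }
/* sk_dst_get()/dst_release(): pin the dst object itself, nothing more */
static struct dst_entry *sk_dst_get(struct sock *sk) {
    struct dst_entry *dst = sk->sk_dst_cache;
    if (dst) dst->refcnt++;
    return dst;
}
static void dst_release(struct dst_entry *dst) { if (dst) dst->refcnt--; }
/* dst_dev_rcu(): rcu_dereference(dst->dev); lockdep complains if no reader section is held */
static struct net_device *dst_dev_rcu(struct dst_entry *dst) {
    if (rcu_depth == 0) lockdep_warnings++;
    return dst->dev;
}
/* unregister model: retarget the dst, free the old dev after a grace period.
 * It never consults dst->refcnt: holders of the dst get no say. */
static void unregister_netdev_sim(struct dst_entry *dst) {
    struct net_device *old = dst->dev;
    dst->dev = &blackhole_dev;             /* rcu_assign_pointer() */
    call_rcu_free_dev(old);
}
/* 1/0 for IFF_LOOPBACK, -1 if the device was already freed (the UAF) */
static int read_flags(struct net_device *dev) {
    return (dev && !dev->freed) ? !!(dev->flags & IFF_LOOPBACK) : -1;
}

/* Pattern the advisory calls unsafe: sk_dst_get(sk)->dev with no RCU section.
 * 'race' simulates the device being unregistered between fetching and using dev. */
static int buggy_is_loopback(struct sock *sk, int race) {
    struct dst_entry *dst = sk_dst_get(sk);
    struct net_device *dev = dst ? dst->dev : NULL;   /* plain load: lockdep cannot see this */
    if (race) unregister_netdev_sim(dst);            /* our dst refcnt does not stop it */
    int res = read_flags(dev);                       /* -1: use-after-free */
    dst_release(dst);
    return res;
}
/* Same read via dst_dev_rcu() but without rcu_read_lock(): still wrong, but lockdep now sees it. */
static int unlocked_is_loopback(struct sock *sk, int race) {
    struct dst_entry *dst = __sk_dst_get(sk);
    struct net_device *dev = dst ? dst_dev_rcu(dst) : NULL;
    if (race) unregister_netdev_sim(dst);
    return read_flags(dev);
}
/* Pattern of the fix: borrow the dst and read dev inside one RCU read-side section. */
static int fixed_is_loopback(struct sock *sk, int race) {
    rcu_read_lock();
    struct dst_entry *dst = __sk_dst_get(sk);
    struct net_device *dev = dst ? dst_dev_rcu(dst) : NULL;
    if (race) unregister_netdev_sim(dst);            /* old dev only queued: we are a reader */
    int res = read_flags(dev);
    rcu_read_unlock();                               /* grace period ends, old dev freed now */
    return res;
}

/* Fresh fixture per run: a socket whose dst points at a loopback device.
 * path: 0 = buggy, 1 = unlocked dst_dev_rcu(), 2 = fixed. Returns that path's result. */
static int run_scenario(int path, int race) {
    static struct net_device lo;
    static struct dst_entry dst;
    static struct sock sk;
    lo  = (struct net_device){ .flags = IFF_LOOPBACK, .freed = 0 };
    dst = (struct dst_entry){ .refcnt = 1, .dev = &lo };
    sk.sk_dst_cache = &dst;
    lockdep_warnings = 0;
    if (path == 0) return buggy_is_loopback(&sk, race);
    if (path == 1) return unlocked_is_loopback(&sk, race);
    return fixed_is_loopback(&sk, race);
}
static int lockdep_warnings_seen(void) { return lockdep_warnings; }

int main(void) {
    int r;
    r = run_scenario(0, 1); printf("buggy, race:    %d (-1 = read freed dev)\n", r);
    r = run_scenario(1, 1); printf("unlocked, race: %d, lockdep warnings %d\n", r, lockdep_warnings_seen());
    r = run_scenario(2, 1); printf("fixed, race:    %d, lockdep warnings %d\n", r, lockdep_warnings_seen());
    return 0;
}
```

The model collapses the concurrent unregister into a call placed between fetching and using the device pointer, which is the interleaving the advisory describes. Two things carry over to real kernels: the dst reference taken by sk_dst_get() is irrelevant to the device's lifetime, and CONFIG_PROVE_RCU will flag dst_dev_rcu() outside a read-side section, but it cannot flag the original plain `->dev` load, which is why the bug survived until this fix.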

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Linux/Kernel (inferred; 2 versions, no CPE)

Patches


Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

