VYPR
Unrated severity · NVD Advisory · Published Dec 4, 2025 · Updated Apr 15, 2026

CVE-2025-40258

Description

In the Linux kernel, the following vulnerability has been resolved:

mptcp: fix race condition in mptcp_schedule_work()

syzbot reported use-after-free in mptcp_schedule_work() [1]

Issue here is that mptcp_schedule_work() schedules a work, then gets a refcount on sk->sk_refcnt if the work was scheduled. This refcount will be released by mptcp_worker().

    [A] if (schedule_work(...)) {
    [B]     sock_hold(sk);
            return true;
        }

Problem is that mptcp_worker() can run immediately and complete before [B]

We need instead :

    sock_hold(sk);
    if (schedule_work(...))
        return true;
    sock_put(sk);

[1]
    refcount_t: addition on 0; use-after-free.
    WARNING: CPU: 1 PID: 29 at lib/refcount.c:25 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:25
    Call Trace:
     __refcount_add include/linux/refcount.h:-1 [inline]
     __refcount_inc include/linux/refcount.h:366 [inline]
     refcount_inc include/linux/refcount.h:383 [inline]
     sock_hold include/net/sock.h:816 [inline]
     mptcp_schedule_work+0x164/0x1a0 net/mptcp/protocol.c:943
     mptcp_tout_timer+0x21/0xa0 net/mptcp/protocol.c:2316
     call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747
     expire_timers kernel/time/timer.c:1798 [inline]
     __run_timers kernel/time/timer.c:2372 [inline]
     __run_timer_base+0x648/0x970 kernel/time/timer.c:2384
     run_timer_base kernel/time/timer.c:2393 [inline]
     run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403
     handle_softirqs+0x22f/0x710 kernel/softirq.c:622
     __do_softirq kernel/softirq.c:656 [inline]
     run_ktimerd+0xcf/0x190 kernel/softirq.c:1138
     smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160
     kthread+0x711/0x8a0 kernel/kthread.c:463
     ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
     ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A race condition in the Linux kernel's MPTCP subsystem can cause a use-after-free of a socket object when work is scheduled, leading to a kernel crash and potentially to further compromise.

Vulnerability

Overview

CVE-2025-40258 is a race condition in the Linux kernel's Multipath TCP (MPTCP) implementation, specifically in mptcp_schedule_work(). The root cause is the order of two operations: the function first calls schedule_work() and only then, if the work was queued, takes a reference on the socket with sock_hold(). The queued work, mptcp_worker(), releases that reference with sock_put() when it finishes. Because the worker can run on another CPU and complete before sock_hold() executes, its sock_put() can drop the last reference and free the socket; the sock_hold() that follows then touches freed memory, which is the "refcount_t: addition on 0; use-after-free" warning in the syzbot report [1][2][3].
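The two orderings from the commit message, reconstructed as an added userspace model that is not kernel code and not part of the original page. The kernel names sock_hold, sock_put, schedule_work and mptcp_worker are reused for readability, but every body here is a simplification written so the racy interleaving can be forced deterministically instead of waited for: the "worker runs before [B]" mode models mptcp_worker() completing on another CPU before sock_hold() executes. run_scenario(), struct outcome and the refcount_warnings counter are assumptions introduced for this example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified models of the kernel objects involved (example code, not kernel code). */
struct work_struct {
    bool pending;             /* schedule_work() fails while this is set */
    bool runs_before_return;  /* model: worker completes on another CPU before
                                 schedule_work() returns to the caller */
};

struct sock {
    int refcnt;               /* models sk->sk_refcnt */
    bool freed;               /* set once the last reference is dropped */
    struct work_struct work;  /* models msk->work */
};

/* Number of "refcount_t: addition on 0" events, i.e. the warning in the report. */
static int refcount_warnings;

static void sock_hold(struct sock *sk)
{
    if (sk->refcnt == 0) {
        /* Models refcount_warn_saturate(): the object is already gone,
         * so this increment is a use-after-free. */
        refcount_warnings++;
        return;
    }
    sk->refcnt++;
}

static void sock_put(struct sock *sk)
{
    if (--sk->refcnt == 0)
        sk->freed = true;     /* the kernel would free the socket here */
}

/* Models mptcp_worker(): releases the reference mptcp_schedule_work() took. */
static void mptcp_worker(struct sock *sk)
{
    sk->work.pending = false;
    sock_put(sk);
}

/* Models schedule_work(): false if already pending. In the racy mode the
 * worker runs to completion before this call returns. */
static bool schedule_work(struct sock *sk)
{
    if (sk->work.pending)
        return false;
    sk->work.pending = true;
    if (sk->work.runs_before_return)
        mptcp_worker(sk);
    return true;
}

/* Ordering before the fix: [A] schedule, then [B] take the reference. */
static bool mptcp_schedule_work_before_fix(struct sock *sk)
{
    if (schedule_work(sk)) {  /* [A] */
        sock_hold(sk);        /* [B] may run after the worker's sock_put() */
        return true;
    }
    return false;
}

/* Ordering after the fix: hold first, drop again only if nothing was queued. */
static bool mptcp_schedule_work_after_fix(struct sock *sk)
{
    sock_hold(sk);
    if (schedule_work(sk))
        return true;
    sock_put(sk);
    return false;
}

struct outcome {
    bool scheduled;
    int refcnt;
    bool freed;
    int warnings;
};

/* Run one scenario from a socket that holds a single reference (assumed model). */
struct outcome run_scenario(bool fixed, bool worker_runs_before_return)
{
    struct sock sk = { .refcnt = 1, .freed = false,
                       .work = { .pending = false,
                                 .runs_before_return = worker_runs_before_return } };
    struct outcome o;

    refcount_warnings = 0;
    o.scheduled = fixed ? mptcp_schedule_work_after_fix(&sk)
                        : mptcp_schedule_work_before_fix(&sk);
    o.refcnt = sk.refcnt;
    o.freed = sk.freed;
    o.warnings = refcount_warnings;
    return o;
}

int main(void)
{
    const char *label[] = { "before fix", "after fix" };
    for (int fixed = 0; fixed < 2; fixed++) {
        for (int race = 0; race < 2; race++) {
            struct outcome o = run_scenario(fixed, race);
            printf("%-10s %-24s scheduled=%d refcnt=%d freed=%d warnings=%d\n",
                   label[fixed], race ? "worker runs before [B]" : "worker runs later",
                   o.scheduled, o.refcnt, o.freed, o.warnings);
        }
    }
    return 0;
}
```

In the pre-fix ordering with the worker running before [B], the worker's sock_put() drops the only reference, the socket is freed, and the late sock_hold() is the "addition on 0" the warning reports. With the fixed ordering the extra reference is already in place when the worker runs, so the count returns to 1 and nothing is freed early.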

Exploitation

The cited material describes how the bug was found, not an exploit. syzbot hit the race through the MPTCP timeout timer: the trace shows mptcp_tout_timer() calling mptcp_schedule_work() from timer softirq context while mptcp_worker() ran to completion on another CPU in the gap between schedule_work() and sock_hold(). That gap is a few instructions wide, so reaching it takes repeated timer expiries racing against the worker, which is the kind of interleaving a fuzzer finds well. The references do not establish whether a remote peer can reach this path without a local MPTCP socket, so a claim that unauthenticated network traffic alone triggers it is not supported here; treat any host with MPTCP enabled and in use as exposed until patched [1].

Impact

Triggering the race leaves the kernel holding a pointer to a freed socket. The immediate symptom in the report is the refcount warning, but a use-after-free on a kernel socket object can in general corrupt memory that has since been reallocated, which means a kernel crash (denial of service) and, in principle, a path to privilege escalation if an attacker can control what reuses the freed allocation. No such exploit is described in the cited references, and the advisory header lists the severity as unrated; the sources provide no CVSS score [1][2][3].

Mitigation

The fix reorders the operations: mptcp_schedule_work() now calls sock_hold() before schedule_work(), and calls sock_put() to drop the extra reference if schedule_work() reports that the work was already pending. The change has been applied to the Linux kernel stable branches; update to a kernel that contains the fix commit 035bca3fca3f017ee9dea3a5a756e77a6f7138cc6eea through your distribution's update channel. No workaround is documented in the cited references. On hosts that do not need MPTCP, setting the net.mptcp.enabled sysctl to 0 stops new MPTCP sockets from being created, which reduces exposure but does not replace the patch [1][2][3].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Linux/Kernel (inferred), 2 versions
    • (no CPE)
    • (no CPE)

Patches

7

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

7

News mentions

0

No linked articles in our index yet.