CVE-2025-68221

Vulnerability

Overview

The vulnerability resides in the MPTCP path manager's address removal function, mptcp_pm_nl_rm_addr. The condition for the WARN_ON_ONCE macro is inverted [1]. As a result, the intended error detection (counter already zero) triggers the warning, but the decrement logic is executed only when the counter is already zero, which is the opposite of correct behaviour. Normal removals where the counter is greater than zero skip the decrement entirely, leaving the counter unchanged and the internal state inconsistent.

Attack

Surface

This bug is triggered during normal MPTCP address removal operations, such as when a user or system removes a local address used by an MPTCP connection via netlink commands. This requires the CAP_NET_ADMIN privilege or root access. The scenario is thus limited to users who already have administrative control over network configuration. No additional attack vectors are described.

Impact

An attacker with the required privileges can cause the MPTCP path manager to maintain an inflated counter of addresses in use. This may lead to resource leaks, inability to add new addresses, or other unexpected behaviour. The impact is primarily a denial-of-service condition or hang on MPTCP subflow operations.

Mitigation

The fix is included in the stable kernel commit referenced [1]. Users are advised to update to a kernel version containing this patch or backport the fix. No known workarounds are available.