VYPR
Severity: Unrated · NVD Advisory · Published Dec 16, 2025 · Updated Apr 15, 2026

CVE-2025-68227


Description

In the Linux kernel, the following vulnerability has been resolved:

mptcp: Fix proto fallback detection with BPF

The sockmap feature allows bpf syscall from userspace, or based on bpf sockops, replacing the sk_prot of sockets during protocol stack processing with sockmap's custom read/write interfaces.
'''
tcp_rcv_state_process()
  syn_recv_sock()/subflow_syn_recv_sock()
    tcp_init_transfer(BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB)
      bpf_skops_established             <== sockops
        bpf_sock_map_update(sk)         <== call bpf helper
          tcp_bpf_update_proto()        <== update sk_prot
'''

When the server has MPTCP enabled but the client sends a TCP SYN without MPTCP, subflow_syn_recv_sock() performs a fallback on the subflow, replacing the subflow sk's sk_prot with the native sk_prot.
'''
subflow_syn_recv_sock()
  subflow_ulp_fallback()
    subflow_drop_ctx()
      mptcp_subflow_ops_undo_override()
'''

Then, this subflow can be normally used by sockmap, which replaces the native sk_prot with sockmap's custom sk_prot. The issue occurs when the user executes accept::mptcp_stream_accept::mptcp_fallback_tcp_ops(). Here, it uses sk->sk_prot to compare with the native sk_prot, but this is incorrect when sockmap is used, as we may incorrectly set sk->sk_socket->ops.

This fix uses the more generic sk_family for the comparison instead.

Additionally, this also prevents a WARNING from occurring:

result from ./scripts/decode_stacktrace.sh:
------------[ cut here ]------------
WARNING: CPU: 0 PID: 337 at net/mptcp/protocol.c:68 mptcp_stream_accept \
 (net/mptcp/protocol.c:4005)
Modules linked in:
...
PKRU: 55555554
Call Trace:
 do_accept (net/socket.c:1989)
 __sys_accept4 (net/socket.c:2028 net/socket.c:2057)
 __x64_sys_accept (net/socket.c:2067)
 x64_sys_call (arch/x86/entry/syscall_64.c:41)
 do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
 entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
RIP: 0033:0x7f87ac92b83d
---[ end trace 0000000000000000 ]---

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Linux kernel MPTCP fallback detection with BPF sockmap incorrectly compares sk_prot, leading to socket operation errors and a kernel WARNING.

Vulnerability

Description

In the Linux kernel's MPTCP implementation, when a client sends a TCP SYN without MPTCP, the subflow performs a fallback that replaces the subflow socket's sk_prot with the native TCP protocol handler. However, if BPF sockmap is subsequently used to update the socket (e.g., via bpf_sock_map_update), sockmap replaces sk_prot again with its own custom read/write interfaces. The function mptcp_fallback_tcp_ops() then compares the current sk->sk_prot against the native TCP protocol, which fails when sockmap has altered it. This leads to an incorrect assignment of sk->sk_socket->ops, triggering a kernel WARNING as shown in the call trace [1][2][3].

Exploitation

Scenario

The scenario requires a server with MPTCP enabled and a client sending a plain TCP SYN. After the MPTCP fallback, an attacker with BPF privileges (e.g., through bpf_sockops programs) can add the socket to a sockmap, replacing the protocol handler. The subsequent accept() system call on the MPTCP socket invokes mptcp_stream_accept(), which executes the flawed comparison and causes the WARNING. Triggering it requires no authentication beyond the ability to perform BPF sockmap operations locally on the server.

Impact

Successful exploitation results in a kernel WARNING (WARNING: CPU: 0 PID: 337 at net/mptcp/protocol.c:68) and potentially unstable behavior due to the mismatched socket operations. While the kernel continues execution, the incorrect socket operations could lead to data corruption or other undefined states.

Mitigation

The fix changes the comparison to use the more generic sk_family instead of sk_prot, avoiding the sockmap interference. Patches have been applied to the Linux kernel stable branches (see [1], [2], [3]). Users and system administrators should update to the latest kernel version containing the fix to avoid this issue.
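As an added illustration (not the page's text nor the kernel's own code), the following userspace model reproduces the comparison in mptcp_fallback_tcp_ops() before and after the fix described above. The struct definitions, the tcp_bpf_prot stand-in for the proto object sockmap installs, and the sockmap_v4/sockmap_v6 sample sockets are constructed simplifications.

```c
#include <stdbool.h>
#include <stdio.h>

#define AF_INET  2
#define AF_INET6 10

struct proto     { const char *name; };   /* stand-in for struct proto     */
struct proto_ops { const char *name; };   /* stand-in for struct proto_ops */
struct sock { const struct proto *sk_prot; int sk_family; };

/* Native protocol handlers the MPTCP fallback installs on the subflow. */
static const struct proto tcp_prot   = { "tcp_prot" };
static const struct proto tcpv6_prot = { "tcpv6_prot" };
/* sockmap later swaps in its own proto object (constructed stand-in);
 * it is not the native pointer, so pointer equality fails. */
static const struct proto tcp_bpf_prot = { "tcp_bpf_prot" };

static const struct proto_ops inet_stream_ops  = { "inet_stream_ops" };
static const struct proto_ops inet6_stream_ops = { "inet6_stream_ops" };

/* Vulnerable logic: identify the family by sk_prot pointer.
 * *warned models the WARN_ON_ONCE seen in the advisory's trace. */
static const struct proto_ops *fallback_ops_by_prot(const struct sock *sk, bool *warned)
{
    if (sk->sk_prot == &tcpv6_prot)
        return &inet6_stream_ops;
    *warned = (sk->sk_prot != &tcp_prot);
    return &inet_stream_ops;   /* also chosen for a sockmap-wrapped IPv6 sk */
}

/* Fixed logic: sk_family is never touched by sockmap. */
static const struct proto_ops *fallback_ops_by_family(const struct sock *sk, bool *warned)
{
    if (sk->sk_family == AF_INET6)
        return &inet6_stream_ops;
    *warned = (sk->sk_family != AF_INET);
    return &inet_stream_ops;
}

/* Constructed subflows: fell back to plain TCP, then added to a sockmap. */
static const struct sock sockmap_v4 = { &tcp_bpf_prot, AF_INET };
static const struct sock sockmap_v6 = { &tcp_bpf_prot, AF_INET6 };

int main(void)
{
    bool w = false;
    const struct proto_ops *ops = fallback_ops_by_prot(&sockmap_v6, &w);
    printf("by sk_prot:   %s, warned=%d\n", ops->name, w);   /* inet_stream_ops, 1 */
    w = false;
    ops = fallback_ops_by_family(&sockmap_v6, &w);
    printf("by sk_family: %s, warned=%d\n", ops->name, w);   /* inet6_stream_ops, 0 */
    return 0;
}
```

The IPv6 case is the one where the old check both warns and selects the wrong ops; for IPv4 it still warns but happens to pick the right ops.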

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Linux/Kernel (inferred; 2 versions, no CPE)
