{"api_version":"1","generated_at":"2026-07-18T15:01:54+00:00","cve":"CVE-2025-21705","urls":{"html":"https://cve.report/CVE-2025-21705","api":"https://cve.report/api/cve/CVE-2025-21705.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2025-21705","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2025-21705"},"summary":{"title":"mptcp: handle fastopen disconnect correctly","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: handle fastopen disconnect correctly\n\nSyzbot was able to trigger a data stream corruption:\n\n  WARNING: CPU: 0 PID: 9846 at net/mptcp/protocol.c:1024 __mptcp_clean_una+0xddb/0xff0 net/mptcp/protocol.c:1024\n  Modules linked in:\n  CPU: 0 UID: 0 PID: 9846 Comm: syz-executor351 Not tainted 6.13.0-rc2-syzkaller-00059-g00a5acdbf398 #0\n  Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024\n  RIP: 0010:__mptcp_clean_una+0xddb/0xff0 net/mptcp/protocol.c:1024\n  Code: fa ff ff 48 8b 4c 24 18 80 e1 07 fe c1 38 c1 0f 8c 8e fa ff ff 48 8b 7c 24 18 e8 e0 db 54 f6 e9 7f fa ff ff e8 e6 80 ee f5 90 <0f> 0b 90 4c 8b 6c 24 40 4d 89 f4 e9 04 f5 ff ff 44 89 f1 80 e1 07\n  RSP: 0018:ffffc9000c0cf400 EFLAGS: 00010293\n  RAX: ffffffff8bb0dd5a RBX: ffff888033f5d230 RCX: ffff888059ce8000\n  RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n  RBP: ffffc9000c0cf518 R08: ffffffff8bb0d1dd R09: 1ffff110170c8928\n  R10: dffffc0000000000 R11: ffffed10170c8929 R12: 0000000000000000\n  R13: ffff888033f5d220 R14: dffffc0000000000 R15: ffff8880592b8000\n  FS:  00007f6e866496c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007f6e86f491a0 CR3: 00000000310e6000 CR4: 00000000003526f0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  Call Trace:\n   <TASK>\n   __mptcp_clean_una_wakeup+0x7f/0x2d0 net/mptcp/protocol.c:1074\n   mptcp_release_cb+0x7cb/0xb30 net/mptcp/protocol.c:3493\n   release_sock+0x1aa/0x1f0 net/core/sock.c:3640\n   inet_wait_for_connect net/ipv4/af_inet.c:609 [inline]\n   __inet_stream_connect+0x8bd/0xf30 net/ipv4/af_inet.c:703\n   mptcp_sendmsg_fastopen+0x2a2/0x530 net/mptcp/protocol.c:1755\n   mptcp_sendmsg+0x1884/0x1b10 net/mptcp/protocol.c:1830\n   sock_sendmsg_nosec net/socket.c:711 [inline]\n   __sock_sendmsg+0x1a6/0x270 net/socket.c:726\n   ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583\n   ___sys_sendmsg net/socket.c:2637 [inline]\n   __sys_sendmsg+0x269/0x350 net/socket.c:2669\n   do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n   do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n  RIP: 0033:0x7f6e86ebfe69\n  Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 1f 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\n  RSP: 002b:00007f6e86649168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\n  RAX: ffffffffffffffda RBX: 00007f6e86f491b8 RCX: 00007f6e86ebfe69\n  RDX: 0000000030004001 RSI: 0000000020000080 RDI: 0000000000000003\n  RBP: 00007f6e86f491b0 R08: 00007f6e866496c0 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6e86f491bc\n  R13: 000000000000006e R14: 00007ffe445d9420 R15: 00007ffe445d9508\n   </TASK>\n\nThe root cause is the bad handling of disconnect() generated internally\nby the MPTCP protocol in case of connect FASTOPEN errors.\n\nAddress the issue increasing the socket disconnect counter even on such\na case, to allow other threads waiting on the same socket lock to\nproperly error out.","state":"PUBLISHED","assigner":"Linux","published_at":"2025-02-27 02:15:14","updated_at":"2026-07-14 13:17:21"},"problem_types":["NVD-CWE-noinfo"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"5.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}}],"references":[{"url":"https://git.kernel.org/stable/c/0263fb2e7b7b88075a5d86e74c4384ee4400828d","name":"https://git.kernel.org/stable/c/0263fb2e7b7b88075a5d86e74c4384ee4400828d","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/73e268b4be27b36ae68ea10755cb003f43b38884","name":"https://git.kernel.org/stable/c/73e268b4be27b36ae68ea10755cb003f43b38884","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/619af16b3b57a3a4ee50b9a30add9ff155541e71","name":"https://git.kernel.org/stable/c/619af16b3b57a3a4ee50b9a30add9ff155541e71","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://cert-portal.siemens.com/productcert/html/ssa-019113.html","name":"https://cert-portal.siemens.com/productcert/html/ssa-019113.html","refsource":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/6ec806762318a4adde0ea63342d42d0feae95079","name":"https://git.kernel.org/stable/c/6ec806762318a4adde0ea63342d42d0feae95079","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/84ac44d9fed3a56440971cbd7600a02b70b5b32a","name":"https://git.kernel.org/stable/c/84ac44d9fed3a56440971cbd7600a02b70b5b32a","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html","name":"https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-21705","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21705","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected b7bb71dfb541df376c21c24451369fea83c4f327 73e268b4be27b36ae68ea10755cb003f43b38884 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c2b2ae3925b65070adb27d5a31a31c376f26dec7 0263fb2e7b7b88075a5d86e74c4384ee4400828d git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c2b2ae3925b65070adb27d5a31a31c376f26dec7 84ac44d9fed3a56440971cbd7600a02b70b5b32a git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c2b2ae3925b65070adb27d5a31a31c376f26dec7 6ec806762318a4adde0ea63342d42d0feae95079 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c2b2ae3925b65070adb27d5a31a31c376f26dec7 619af16b3b57a3a4ee50b9a30add9ff155541e71 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 9c998d59a6b1359ad43d1ef38538af5f55fd01a2 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.1.36 6.1.129 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.3.10 6.4 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.4","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.4 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.129 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.76 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.13 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.13.2 6.13.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.14 * original_commit_for_fix","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518-4 PN/DP MFP","version":"affected V3.1.6 * custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518-4 PN/DP MFP","version":"affected V3.1.6 * custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP","version":"affected V3.1.6 * custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP","version":"affected V3.1.6 * custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIPLUS S7-1500 CPU 1518-4 PN/DP MFP","version":"affected V3.1.6 * custom","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2025","cve_id":"21705","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2025-11-03T19:35:56.220Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"}],"title":"CVE Program Container"},{"affected":[{"defaultStatus":"unknown","product":"SIMATIC S7-1500 CPU 1518-4 PN/DP MFP","vendor":"Siemens","versions":[{"lessThan":"*","status":"affected","version":"V3.1.6","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SIMATIC S7-1500 CPU 1518-4 PN/DP MFP","vendor":"Siemens","versions":[{"lessThan":"*","status":"affected","version":"V3.1.6","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP","vendor":"Siemens","versions":[{"lessThan":"*","status":"affected","version":"V3.1.6","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP","vendor":"Siemens","versions":[{"lessThan":"*","status":"affected","version":"V3.1.6","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SIPLUS S7-1500 CPU 1518-4 PN/DP MFP","vendor":"Siemens","versions":[{"lessThan":"*","status":"affected","version":"V3.1.6","versionType":"custom"}]}],"providerMetadata":{"dateUpdated":"2026-07-14T12:39:45.152Z","orgId":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","shortName":"siemens-SADP"},"references":[{"url":"https://cert-portal.siemens.com/productcert/html/ssa-019113.html"}],"x_adpType":"supplier"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["net/mptcp/protocol.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"73e268b4be27b36ae68ea10755cb003f43b38884","status":"affected","version":"b7bb71dfb541df376c21c24451369fea83c4f327","versionType":"git"},{"lessThan":"0263fb2e7b7b88075a5d86e74c4384ee4400828d","status":"affected","version":"c2b2ae3925b65070adb27d5a31a31c376f26dec7","versionType":"git"},{"lessThan":"84ac44d9fed3a56440971cbd7600a02b70b5b32a","status":"affected","version":"c2b2ae3925b65070adb27d5a31a31c376f26dec7","versionType":"git"},{"lessThan":"6ec806762318a4adde0ea63342d42d0feae95079","status":"affected","version":"c2b2ae3925b65070adb27d5a31a31c376f26dec7","versionType":"git"},{"lessThan":"619af16b3b57a3a4ee50b9a30add9ff155541e71","status":"affected","version":"c2b2ae3925b65070adb27d5a31a31c376f26dec7","versionType":"git"},{"status":"affected","version":"9c998d59a6b1359ad43d1ef38538af5f55fd01a2","versionType":"git"},{"lessThan":"6.1.129","status":"affected","version":"6.1.36","versionType":"semver"},{"lessThan":"6.4","status":"affected","version":"6.3.10","versionType":"semver"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["net/mptcp/protocol.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.4"},{"lessThan":"6.4","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.129","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.76","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.13","versionType":"semver"},{"lessThanOrEqual":"6.13.*","status":"unaffected","version":"6.13.2","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"6.14","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.129","versionStartIncluding":"6.1.36","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.76","versionStartIncluding":"6.4","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.13","versionStartIncluding":"6.4","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.13.2","versionStartIncluding":"6.4","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.14","versionStartIncluding":"6.4","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.3.10","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: handle fastopen disconnect correctly\n\nSyzbot was able to trigger a data stream corruption:\n\n  WARNING: CPU: 0 PID: 9846 at net/mptcp/protocol.c:1024 __mptcp_clean_una+0xddb/0xff0 net/mptcp/protocol.c:1024\n  Modules linked in:\n  CPU: 0 UID: 0 PID: 9846 Comm: syz-executor351 Not tainted 6.13.0-rc2-syzkaller-00059-g00a5acdbf398 #0\n  Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024\n  RIP: 0010:__mptcp_clean_una+0xddb/0xff0 net/mptcp/protocol.c:1024\n  Code: fa ff ff 48 8b 4c 24 18 80 e1 07 fe c1 38 c1 0f 8c 8e fa ff ff 48 8b 7c 24 18 e8 e0 db 54 f6 e9 7f fa ff ff e8 e6 80 ee f5 90 <0f> 0b 90 4c 8b 6c 24 40 4d 89 f4 e9 04 f5 ff ff 44 89 f1 80 e1 07\n  RSP: 0018:ffffc9000c0cf400 EFLAGS: 00010293\n  RAX: ffffffff8bb0dd5a RBX: ffff888033f5d230 RCX: ffff888059ce8000\n  RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n  RBP: ffffc9000c0cf518 R08: ffffffff8bb0d1dd R09: 1ffff110170c8928\n  R10: dffffc0000000000 R11: ffffed10170c8929 R12: 0000000000000000\n  R13: ffff888033f5d220 R14: dffffc0000000000 R15: ffff8880592b8000\n  FS:  00007f6e866496c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007f6e86f491a0 CR3: 00000000310e6000 CR4: 00000000003526f0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  Call Trace:\n   <TASK>\n   __mptcp_clean_una_wakeup+0x7f/0x2d0 net/mptcp/protocol.c:1074\n   mptcp_release_cb+0x7cb/0xb30 net/mptcp/protocol.c:3493\n   release_sock+0x1aa/0x1f0 net/core/sock.c:3640\n   inet_wait_for_connect net/ipv4/af_inet.c:609 [inline]\n   __inet_stream_connect+0x8bd/0xf30 net/ipv4/af_inet.c:703\n   mptcp_sendmsg_fastopen+0x2a2/0x530 net/mptcp/protocol.c:1755\n   mptcp_sendmsg+0x1884/0x1b10 net/mptcp/protocol.c:1830\n   sock_sendmsg_nosec net/socket.c:711 [inline]\n   __sock_sendmsg+0x1a6/0x270 net/socket.c:726\n   ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583\n   ___sys_sendmsg net/socket.c:2637 [inline]\n   __sys_sendmsg+0x269/0x350 net/socket.c:2669\n   do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n   do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n  RIP: 0033:0x7f6e86ebfe69\n  Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 1f 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\n  RSP: 002b:00007f6e86649168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\n  RAX: ffffffffffffffda RBX: 00007f6e86f491b8 RCX: 00007f6e86ebfe69\n  RDX: 0000000030004001 RSI: 0000000020000080 RDI: 0000000000000003\n  RBP: 00007f6e86f491b0 R08: 00007f6e866496c0 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6e86f491bc\n  R13: 000000000000006e R14: 00007ffe445d9420 R15: 00007ffe445d9508\n   </TASK>\n\nThe root cause is the bad handling of disconnect() generated internally\nby the MPTCP protocol in case of connect FASTOPEN errors.\n\nAddress the issue increasing the socket disconnect counter even on such\na case, to allow other threads waiting on the same socket lock to\nproperly error out."}],"providerMetadata":{"dateUpdated":"2026-05-23T15:56:58.101Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/73e268b4be27b36ae68ea10755cb003f43b38884"},{"url":"https://git.kernel.org/stable/c/0263fb2e7b7b88075a5d86e74c4384ee4400828d"},{"url":"https://git.kernel.org/stable/c/84ac44d9fed3a56440971cbd7600a02b70b5b32a"},{"url":"https://git.kernel.org/stable/c/6ec806762318a4adde0ea63342d42d0feae95079"},{"url":"https://git.kernel.org/stable/c/619af16b3b57a3a4ee50b9a30add9ff155541e71"}],"title":"mptcp: handle fastopen disconnect correctly","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2025-21705","datePublished":"2025-02-27T02:07:19.764Z","dateReserved":"2024-12-29T08:45:45.751Z","dateUpdated":"2026-07-14T12:39:45.152Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2025-02-27 02:15:14","lastModifiedDate":"2026-07-14 13:17:21","problem_types":["NVD-CWE-noinfo"],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.36","versionEndExcluding":"6.1.129","matchCriteriaId":"2DA4AF38-31CA-4EA1-AC07-0F65CA8BDF3B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.3.10","versionEndExcluding":"6.4","matchCriteriaId":"3E002324-2B5E-4373-A29E-1D5D0FC97F6F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.4.1","versionEndExcluding":"6.6.76","matchCriteriaId":"094F1794-9AD3-4E2C-9D58-3E59D00EA511"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.13","matchCriteriaId":"2897389C-A8C3-4D69-90F2-E701B3D66373"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.13.2","matchCriteriaId":"6D4116B1-1BFD-4F23-BA84-169CC05FC5A3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.4:-:*:*:*:*:*:*","matchCriteriaId":"DE0B0BF6-0EEF-4FAD-927D-7A0DD77BEE75"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2025","CveId":"21705","Ordinal":"1","Title":"mptcp: handle fastopen disconnect correctly","CVE":"CVE-2025-21705","Year":"2025"},"notes":[{"CveYear":"2025","CveId":"21705","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: handle fastopen disconnect correctly\n\nSyzbot was able to trigger a data stream corruption:\n\n  WARNING: CPU: 0 PID: 9846 at net/mptcp/protocol.c:1024 __mptcp_clean_una+0xddb/0xff0 net/mptcp/protocol.c:1024\n  Modules linked in:\n  CPU: 0 UID: 0 PID: 9846 Comm: syz-executor351 Not tainted 6.13.0-rc2-syzkaller-00059-g00a5acdbf398 #0\n  Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024\n  RIP: 0010:__mptcp_clean_una+0xddb/0xff0 net/mptcp/protocol.c:1024\n  Code: fa ff ff 48 8b 4c 24 18 80 e1 07 fe c1 38 c1 0f 8c 8e fa ff ff 48 8b 7c 24 18 e8 e0 db 54 f6 e9 7f fa ff ff e8 e6 80 ee f5 90 <0f> 0b 90 4c 8b 6c 24 40 4d 89 f4 e9 04 f5 ff ff 44 89 f1 80 e1 07\n  RSP: 0018:ffffc9000c0cf400 EFLAGS: 00010293\n  RAX: ffffffff8bb0dd5a RBX: ffff888033f5d230 RCX: ffff888059ce8000\n  RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n  RBP: ffffc9000c0cf518 R08: ffffffff8bb0d1dd R09: 1ffff110170c8928\n  R10: dffffc0000000000 R11: ffffed10170c8929 R12: 0000000000000000\n  R13: ffff888033f5d220 R14: dffffc0000000000 R15: ffff8880592b8000\n  FS:  00007f6e866496c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007f6e86f491a0 CR3: 00000000310e6000 CR4: 00000000003526f0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  Call Trace:\n   <TASK>\n   __mptcp_clean_una_wakeup+0x7f/0x2d0 net/mptcp/protocol.c:1074\n   mptcp_release_cb+0x7cb/0xb30 net/mptcp/protocol.c:3493\n   release_sock+0x1aa/0x1f0 net/core/sock.c:3640\n   inet_wait_for_connect net/ipv4/af_inet.c:609 [inline]\n   __inet_stream_connect+0x8bd/0xf30 net/ipv4/af_inet.c:703\n   mptcp_sendmsg_fastopen+0x2a2/0x530 net/mptcp/protocol.c:1755\n   mptcp_sendmsg+0x1884/0x1b10 net/mptcp/protocol.c:1830\n   sock_sendmsg_nosec net/socket.c:711 [inline]\n   __sock_sendmsg+0x1a6/0x270 net/socket.c:726\n   ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583\n   ___sys_sendmsg net/socket.c:2637 [inline]\n   __sys_sendmsg+0x269/0x350 net/socket.c:2669\n   do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n   do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n  RIP: 0033:0x7f6e86ebfe69\n  Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 1f 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\n  RSP: 002b:00007f6e86649168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\n  RAX: ffffffffffffffda RBX: 00007f6e86f491b8 RCX: 00007f6e86ebfe69\n  RDX: 0000000030004001 RSI: 0000000020000080 RDI: 0000000000000003\n  RBP: 00007f6e86f491b0 R08: 00007f6e866496c0 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6e86f491bc\n  R13: 000000000000006e R14: 00007ffe445d9420 R15: 00007ffe445d9508\n   </TASK>\n\nThe root cause is the bad handling of disconnect() generated internally\nby the MPTCP protocol in case of connect FASTOPEN errors.\n\nAddress the issue increasing the socket disconnect counter even on such\na case, to allow other threads waiting on the same socket lock to\nproperly error out.","Type":"Description","Title":"mptcp: handle fastopen disconnect correctly"}]}}}