{"api_version":"1","generated_at":"2026-07-15T18:56:34+00:00","cve":"CVE-2025-21706","urls":{"html":"https://cve.report/CVE-2025-21706","api":"https://cve.report/api/cve/CVE-2025-21706.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2025-21706","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2025-21706"},"summary":{"title":"mptcp: pm: only set fullmesh for subflow endp","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: pm: only set fullmesh for subflow endp\n\nWith the in-kernel path-manager, it is possible to change the 'fullmesh'\nflag. The code in mptcp_pm_nl_fullmesh() expects to change it only on\n'subflow' endpoints, to recreate more or less subflows using the linked\naddress.\n\nUnfortunately, the set_flags() hook was a bit more permissive, and\nallowed 'implicit' endpoints to get the 'fullmesh' flag while it is not\nallowed before.\n\nThat's what syzbot found, triggering the following warning:\n\n  WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 __mark_subflow_endp_available net/mptcp/pm_netlink.c:1496 [inline]\n  WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_pm_nl_fullmesh net/mptcp/pm_netlink.c:1980 [inline]\n  WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_nl_set_flags net/mptcp/pm_netlink.c:2003 [inline]\n  WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_pm_nl_set_flags+0x974/0xdc0 net/mptcp/pm_netlink.c:2064\n  Modules linked in:\n  CPU: 0 UID: 0 PID: 6499 Comm: syz.1.413 Not tainted 6.13.0-rc5-syzkaller-00172-gd1bf27c4e176 #0\n  Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\n  RIP: 0010:__mark_subflow_endp_available net/mptcp/pm_netlink.c:1496 [inline]\n  RIP: 0010:mptcp_pm_nl_fullmesh net/mptcp/pm_netlink.c:1980 [inline]\n  RIP: 0010:mptcp_nl_set_flags net/mptcp/pm_netlink.c:2003 [inline]\n  RIP: 0010:mptcp_pm_nl_set_flags+0x974/0xdc0 net/mptcp/pm_netlink.c:2064\n  Code: 01 00 00 49 89 c5 e8 fb 45 e8 f5 e9 b8 fc ff ff e8 f1 45 e8 f5 4c 89 f7 be 03 00 00 00 e8 44 1d 0b f9 eb a0 e8 dd 45 e8 f5 90 <0f> 0b 90 e9 17 ff ff ff 89 d9 80 e1 07 38 c1 0f 8c c9 fc ff ff 48\n  RSP: 0018:ffffc9000d307240 EFLAGS: 00010293\n  RAX: ffffffff8bb72e03 RBX: 0000000000000000 RCX: ffff88807da88000\n  RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n  RBP: ffffc9000d307430 R08: ffffffff8bb72cf0 R09: 1ffff1100b842a5e\n  R10: dffffc0000000000 R11: ffffed100b842a5f R12: ffff88801e2e5ac0\n  R13: ffff88805c214800 R14: ffff88805c2152e8 R15: 1ffff1100b842a5d\n  FS:  00005555619f6500(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000000020002840 CR3: 00000000247e6000 CR4: 00000000003526f0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  Call Trace:\n   <TASK>\n   genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]\n   genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\n   genl_rcv_msg+0xb14/0xec0 net/netlink/genetlink.c:1210\n   netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2542\n   genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219\n   netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline]\n   netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1347\n   netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1891\n   sock_sendmsg_nosec net/socket.c:711 [inline]\n   __sock_sendmsg+0x221/0x270 net/socket.c:726\n   ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583\n   ___sys_sendmsg net/socket.c:2637 [inline]\n   __sys_sendmsg+0x269/0x350 net/socket.c:2669\n   do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n   do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n  RIP: 0033:0x7f5fe8785d29\n  Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\n  RSP: 002b:00007fff571f5558 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\n  RAX: ffffffffffffffda RBX: 00007f5fe8975fa0 RCX: 00007f5fe8785d29\n  RDX: 0000000000000000 RSI: 0000000020000480 RDI: 0000000000000007\n  RBP: 00007f5fe8801b08 R08: 0000000000000000 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n  R13: 00007f5fe8975fa0 R14: 00007f5fe8975fa0 R15: 000000\n---truncated---","state":"PUBLISHED","assigner":"Linux","published_at":"2025-02-27 02:15:14","updated_at":"2026-07-14 13:17:21"},"problem_types":["NVD-CWE-noinfo"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"5.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}}],"references":[{"url":"https://git.kernel.org/stable/c/22b0734c9401a74ed4ebd9e8ef0da33e493852eb","name":"https://git.kernel.org/stable/c/22b0734c9401a74ed4ebd9e8ef0da33e493852eb","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/9e3d61620a3cd033319553b980ff3a350adbe1bc","name":"https://git.kernel.org/stable/c/9e3d61620a3cd033319553b980ff3a350adbe1bc","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://cert-portal.siemens.com/productcert/html/ssa-019113.html","name":"https://cert-portal.siemens.com/productcert/html/ssa-019113.html","refsource":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/8ac344cbd84fda75e05e1f445f7f8fb24dc175e1","name":"https://git.kernel.org/stable/c/8ac344cbd84fda75e05e1f445f7f8fb24dc175e1","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/1bb0d1348546ad059f55c93def34e67cb2a034a6","name":"https://git.kernel.org/stable/c/1bb0d1348546ad059f55c93def34e67cb2a034a6","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html","name":"https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/de3b8d41d2547452c4cafb146d003fa4689fbaf2","name":"https://git.kernel.org/stable/c/de3b8d41d2547452c4cafb146d003fa4689fbaf2","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-21706","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21706","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 73c762c1f07dacba4fd1cefd15e24b419d42320d 22b0734c9401a74ed4ebd9e8ef0da33e493852eb git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 73c762c1f07dacba4fd1cefd15e24b419d42320d de3b8d41d2547452c4cafb146d003fa4689fbaf2 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 73c762c1f07dacba4fd1cefd15e24b419d42320d 8ac344cbd84fda75e05e1f445f7f8fb24dc175e1 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 73c762c1f07dacba4fd1cefd15e24b419d42320d 9e3d61620a3cd033319553b980ff3a350adbe1bc git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 73c762c1f07dacba4fd1cefd15e24b419d42320d 1bb0d1348546ad059f55c93def34e67cb2a034a6 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5.18","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.18 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.129 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.78 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.13 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.13.2 6.13.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.14 * original_commit_for_fix","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518-4 PN/DP MFP","version":"affected V3.1.6 * custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518-4 PN/DP MFP","version":"affected V3.1.6 * custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP","version":"affected V3.1.6 * custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP","version":"affected V3.1.6 * custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIPLUS S7-1500 CPU 1518-4 PN/DP MFP","version":"affected V3.1.6 * custom","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2025","cve_id":"21706","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2025-11-03T19:35:57.608Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"}],"title":"CVE Program Container"},{"affected":[{"defaultStatus":"unknown","product":"SIMATIC S7-1500 CPU 1518-4 PN/DP MFP","vendor":"Siemens","versions":[{"lessThan":"*","status":"affected","version":"V3.1.6","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SIMATIC S7-1500 CPU 1518-4 PN/DP MFP","vendor":"Siemens","versions":[{"lessThan":"*","status":"affected","version":"V3.1.6","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP","vendor":"Siemens","versions":[{"lessThan":"*","status":"affected","version":"V3.1.6","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP","vendor":"Siemens","versions":[{"lessThan":"*","status":"affected","version":"V3.1.6","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SIPLUS S7-1500 CPU 1518-4 PN/DP MFP","vendor":"Siemens","versions":[{"lessThan":"*","status":"affected","version":"V3.1.6","versionType":"custom"}]}],"providerMetadata":{"dateUpdated":"2026-07-14T12:39:46.492Z","orgId":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","shortName":"siemens-SADP"},"references":[{"url":"https://cert-portal.siemens.com/productcert/html/ssa-019113.html"}],"x_adpType":"supplier"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["net/mptcp/pm_netlink.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"22b0734c9401a74ed4ebd9e8ef0da33e493852eb","status":"affected","version":"73c762c1f07dacba4fd1cefd15e24b419d42320d","versionType":"git"},{"lessThan":"de3b8d41d2547452c4cafb146d003fa4689fbaf2","status":"affected","version":"73c762c1f07dacba4fd1cefd15e24b419d42320d","versionType":"git"},{"lessThan":"8ac344cbd84fda75e05e1f445f7f8fb24dc175e1","status":"affected","version":"73c762c1f07dacba4fd1cefd15e24b419d42320d","versionType":"git"},{"lessThan":"9e3d61620a3cd033319553b980ff3a350adbe1bc","status":"affected","version":"73c762c1f07dacba4fd1cefd15e24b419d42320d","versionType":"git"},{"lessThan":"1bb0d1348546ad059f55c93def34e67cb2a034a6","status":"affected","version":"73c762c1f07dacba4fd1cefd15e24b419d42320d","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["net/mptcp/pm_netlink.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"5.18"},{"lessThan":"5.18","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.129","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.78","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.13","versionType":"semver"},{"lessThanOrEqual":"6.13.*","status":"unaffected","version":"6.13.2","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"6.14","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.129","versionStartIncluding":"5.18","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.78","versionStartIncluding":"5.18","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.13","versionStartIncluding":"5.18","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.13.2","versionStartIncluding":"5.18","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.14","versionStartIncluding":"5.18","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: pm: only set fullmesh for subflow endp\n\nWith the in-kernel path-manager, it is possible to change the 'fullmesh'\nflag. The code in mptcp_pm_nl_fullmesh() expects to change it only on\n'subflow' endpoints, to recreate more or less subflows using the linked\naddress.\n\nUnfortunately, the set_flags() hook was a bit more permissive, and\nallowed 'implicit' endpoints to get the 'fullmesh' flag while it is not\nallowed before.\n\nThat's what syzbot found, triggering the following warning:\n\n  WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 __mark_subflow_endp_available net/mptcp/pm_netlink.c:1496 [inline]\n  WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_pm_nl_fullmesh net/mptcp/pm_netlink.c:1980 [inline]\n  WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_nl_set_flags net/mptcp/pm_netlink.c:2003 [inline]\n  WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_pm_nl_set_flags+0x974/0xdc0 net/mptcp/pm_netlink.c:2064\n  Modules linked in:\n  CPU: 0 UID: 0 PID: 6499 Comm: syz.1.413 Not tainted 6.13.0-rc5-syzkaller-00172-gd1bf27c4e176 #0\n  Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\n  RIP: 0010:__mark_subflow_endp_available net/mptcp/pm_netlink.c:1496 [inline]\n  RIP: 0010:mptcp_pm_nl_fullmesh net/mptcp/pm_netlink.c:1980 [inline]\n  RIP: 0010:mptcp_nl_set_flags net/mptcp/pm_netlink.c:2003 [inline]\n  RIP: 0010:mptcp_pm_nl_set_flags+0x974/0xdc0 net/mptcp/pm_netlink.c:2064\n  Code: 01 00 00 49 89 c5 e8 fb 45 e8 f5 e9 b8 fc ff ff e8 f1 45 e8 f5 4c 89 f7 be 03 00 00 00 e8 44 1d 0b f9 eb a0 e8 dd 45 e8 f5 90 <0f> 0b 90 e9 17 ff ff ff 89 d9 80 e1 07 38 c1 0f 8c c9 fc ff ff 48\n  RSP: 0018:ffffc9000d307240 EFLAGS: 00010293\n  RAX: ffffffff8bb72e03 RBX: 0000000000000000 RCX: ffff88807da88000\n  RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n  RBP: ffffc9000d307430 R08: ffffffff8bb72cf0 R09: 1ffff1100b842a5e\n  R10: dffffc0000000000 R11: ffffed100b842a5f R12: ffff88801e2e5ac0\n  R13: ffff88805c214800 R14: ffff88805c2152e8 R15: 1ffff1100b842a5d\n  FS:  00005555619f6500(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000000020002840 CR3: 00000000247e6000 CR4: 00000000003526f0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  Call Trace:\n   <TASK>\n   genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]\n   genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\n   genl_rcv_msg+0xb14/0xec0 net/netlink/genetlink.c:1210\n   netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2542\n   genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219\n   netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline]\n   netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1347\n   netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1891\n   sock_sendmsg_nosec net/socket.c:711 [inline]\n   __sock_sendmsg+0x221/0x270 net/socket.c:726\n   ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583\n   ___sys_sendmsg net/socket.c:2637 [inline]\n   __sys_sendmsg+0x269/0x350 net/socket.c:2669\n   do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n   do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n  RIP: 0033:0x7f5fe8785d29\n  Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\n  RSP: 002b:00007fff571f5558 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\n  RAX: ffffffffffffffda RBX: 00007f5fe8975fa0 RCX: 00007f5fe8785d29\n  RDX: 0000000000000000 RSI: 0000000020000480 RDI: 0000000000000007\n  RBP: 00007f5fe8801b08 R08: 0000000000000000 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n  R13: 00007f5fe8975fa0 R14: 00007f5fe8975fa0 R15: 000000\n---truncated---"}],"providerMetadata":{"dateUpdated":"2026-05-11T21:04:49.949Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/22b0734c9401a74ed4ebd9e8ef0da33e493852eb"},{"url":"https://git.kernel.org/stable/c/de3b8d41d2547452c4cafb146d003fa4689fbaf2"},{"url":"https://git.kernel.org/stable/c/8ac344cbd84fda75e05e1f445f7f8fb24dc175e1"},{"url":"https://git.kernel.org/stable/c/9e3d61620a3cd033319553b980ff3a350adbe1bc"},{"url":"https://git.kernel.org/stable/c/1bb0d1348546ad059f55c93def34e67cb2a034a6"}],"title":"mptcp: pm: only set fullmesh for subflow endp","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2025-21706","datePublished":"2025-02-27T02:07:20.458Z","dateReserved":"2024-12-29T08:45:45.751Z","dateUpdated":"2026-07-14T12:39:46.492Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2025-02-27 02:15:14","lastModifiedDate":"2026-07-14 13:17:21","problem_types":["NVD-CWE-noinfo"],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18","versionEndExcluding":"6.1.129","matchCriteriaId":"F97600FD-25BD-4A8A-A64D-C51ED328C14E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.78","matchCriteriaId":"0C58261F-EDFB-4A12-8CCD-F12101482030"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.13","matchCriteriaId":"2897389C-A8C3-4D69-90F2-E701B3D66373"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.13.2","matchCriteriaId":"6D4116B1-1BFD-4F23-BA84-169CC05FC5A3"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2025","CveId":"21706","Ordinal":"1","Title":"mptcp: pm: only set fullmesh for subflow endp","CVE":"CVE-2025-21706","Year":"2025"},"notes":[{"CveYear":"2025","CveId":"21706","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: pm: only set fullmesh for subflow endp\n\nWith the in-kernel path-manager, it is possible to change the 'fullmesh'\nflag. The code in mptcp_pm_nl_fullmesh() expects to change it only on\n'subflow' endpoints, to recreate more or less subflows using the linked\naddress.\n\nUnfortunately, the set_flags() hook was a bit more permissive, and\nallowed 'implicit' endpoints to get the 'fullmesh' flag while it is not\nallowed before.\n\nThat's what syzbot found, triggering the following warning:\n\n  WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 __mark_subflow_endp_available net/mptcp/pm_netlink.c:1496 [inline]\n  WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_pm_nl_fullmesh net/mptcp/pm_netlink.c:1980 [inline]\n  WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_nl_set_flags net/mptcp/pm_netlink.c:2003 [inline]\n  WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_pm_nl_set_flags+0x974/0xdc0 net/mptcp/pm_netlink.c:2064\n  Modules linked in:\n  CPU: 0 UID: 0 PID: 6499 Comm: syz.1.413 Not tainted 6.13.0-rc5-syzkaller-00172-gd1bf27c4e176 #0\n  Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\n  RIP: 0010:__mark_subflow_endp_available net/mptcp/pm_netlink.c:1496 [inline]\n  RIP: 0010:mptcp_pm_nl_fullmesh net/mptcp/pm_netlink.c:1980 [inline]\n  RIP: 0010:mptcp_nl_set_flags net/mptcp/pm_netlink.c:2003 [inline]\n  RIP: 0010:mptcp_pm_nl_set_flags+0x974/0xdc0 net/mptcp/pm_netlink.c:2064\n  Code: 01 00 00 49 89 c5 e8 fb 45 e8 f5 e9 b8 fc ff ff e8 f1 45 e8 f5 4c 89 f7 be 03 00 00 00 e8 44 1d 0b f9 eb a0 e8 dd 45 e8 f5 90 <0f> 0b 90 e9 17 ff ff ff 89 d9 80 e1 07 38 c1 0f 8c c9 fc ff ff 48\n  RSP: 0018:ffffc9000d307240 EFLAGS: 00010293\n  RAX: ffffffff8bb72e03 RBX: 0000000000000000 RCX: ffff88807da88000\n  RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n  RBP: ffffc9000d307430 R08: ffffffff8bb72cf0 R09: 1ffff1100b842a5e\n  R10: dffffc0000000000 R11: ffffed100b842a5f R12: ffff88801e2e5ac0\n  R13: ffff88805c214800 R14: ffff88805c2152e8 R15: 1ffff1100b842a5d\n  FS:  00005555619f6500(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000000020002840 CR3: 00000000247e6000 CR4: 00000000003526f0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  Call Trace:\n   <TASK>\n   genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]\n   genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\n   genl_rcv_msg+0xb14/0xec0 net/netlink/genetlink.c:1210\n   netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2542\n   genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219\n   netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline]\n   netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1347\n   netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1891\n   sock_sendmsg_nosec net/socket.c:711 [inline]\n   __sock_sendmsg+0x221/0x270 net/socket.c:726\n   ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583\n   ___sys_sendmsg net/socket.c:2637 [inline]\n   __sys_sendmsg+0x269/0x350 net/socket.c:2669\n   do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n   do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n  RIP: 0033:0x7f5fe8785d29\n  Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\n  RSP: 002b:00007fff571f5558 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\n  RAX: ffffffffffffffda RBX: 00007f5fe8975fa0 RCX: 00007f5fe8785d29\n  RDX: 0000000000000000 RSI: 0000000020000480 RDI: 0000000000000007\n  RBP: 00007f5fe8801b08 R08: 0000000000000000 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n  R13: 00007f5fe8975fa0 R14: 00007f5fe8975fa0 R15: 000000\n---truncated---","Type":"Description","Title":"mptcp: pm: only set fullmesh for subflow endp"}]}}}