CVE-2025-40258
Linux Kernel vulnerability analysis and mitigation

In the Linux kernel, the following vulnerability has been resolved:

mptcp: fix race condition in mptcp_schedule_work()

syzbot reported use-after-free in mptcp_schedule_work() [1]

Issue here is that mptcp_schedule_work() schedules a work, then gets a refcount on sk->sk_refcnt if the work was scheduled. This refcount will be released by mptcp_worker().

[A] if (schedule_work(...)) {
[B]     sock_hold(sk);
        return true;
    }

Problem is that mptcp_worker() can run immediately and complete before [B]

We need instead :

sock_hold(sk);
if (schedule_work(...))
    return true;
sock_put(sk);

[1]
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 1 PID: 29 at lib/refcount.c:25 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:25
Call Trace:
  __refcount_add include/linux/refcount.h:-1 [inline]
  __refcount_inc include/linux/refcount.h:366 [inline]
  refcount_inc include/linux/refcount.h:383 [inline]
  sock_hold include/net/sock.h:816 [inline]
  mptcp_schedule_work+0x164/0x1a0 net/mptcp/protocol.c:943
  mptcp_tout_timer+0x21/0xa0 net/mptcp/protocol.c:2316
  call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747
  expire_timers kernel/time/timer.c:1798 [inline]
  __run_timers kernel/time/timer.c:2372 [inline]
  __run_timer_base+0x648/0x970 kernel/time/timer.c:2384
  run_timer_base kernel/time/timer.c:2393 [inline]
  run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403
  handle_softirqs+0x22f/0x710 kernel/softirq.c:622
  __do_softirq kernel/softirq.c:656 [inline]
  run_ktimerd+0xcf/0x190 kernel/softirq.c:1138
  smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160
  kthread+0x711/0x8a0 kernel/kthread.c:463
  ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245


Source: NVD
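The ordering problem described in the commit message, as an added user-space model (not kernel code and not part of the original advisory). It assumes the worst-case interleaving the report describes: the stand-in `schedule_work()` runs the worker to completion before returning. `struct sock`, `run_case()` and the `add_on_zero` counter are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed user-space model; names mirror the kernel's, this is not kernel code. */
struct sock { int refcnt; bool pending, freed; int add_on_zero; };
static void sock_hold(struct sock *sk)
{
    if (sk->refcnt == 0) sk->add_on_zero++;   /* refcount_t warns "addition on 0" */
    else sk->refcnt++;
}
static void sock_put(struct sock *sk)
{
    if (--sk->refcnt == 0) sk->freed = true;  /* stands in for freeing the socket */
}
/* Assumed worst case: the worker runs to completion, dropping one
 * reference, before schedule_work() returns to its caller. */
static bool schedule_work(struct sock *sk)
{
    if (sk->pending) return false;            /* already queued */
    sock_put(sk);                             /* worker body */
    return true;
}

static bool schedule_buggy(struct sock *sk)
{
    if (schedule_work(sk)) {                  /* [A] */
        sock_hold(sk);                        /* [B] too late: worker already ran */
        return true;
    }
    return false;
}
static bool schedule_fixed(struct sock *sk)
{
    sock_hold(sk);                            /* reference exists before work is queued */
    if (schedule_work(sk)) return true;
    sock_put(sk);                             /* not queued: give the reference back */
    return false;
}

static struct sock run_case(bool fixed)
{
    struct sock sk = { .refcnt = 1 };         /* the caller's own reference */
    if (fixed) schedule_fixed(&sk); else schedule_buggy(&sk);
    return sk;
}
int main(void)
{
    struct sock b = run_case(false), f = run_case(true);
    printf("buggy: freed=%d add_on_zero=%d\nfixed: freed=%d add_on_zero=%d\n",
           b.freed, b.add_on_zero, f.freed, f.add_on_zero);
}
```

In the buggy ordering the worker's `sock_put()` consumes the caller's only reference, so the late `sock_hold()` lands on a zero count, which is the condition the `refcount_t` warning in [1] reports.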

Related Linux Kernel vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2025-40344 | N/A | N/A | Linux Kernel | kernel-rt-devel | No | Yes | Dec 09, 2025 |
| CVE-2025-40343 | N/A | N/A | Linux Kernel | bpftool | No | Yes | Dec 09, 2025 |
| CVE-2025-40342 | N/A | N/A | Linux Kernel | kernel-rt-trace | No | Yes | Dec 09, 2025 |
| CVE-2025-40341 | N/A | N/A | Linux Kernel | kernel-headers | No | Yes | Dec 09, 2025 |
| CVE-2025-40340 | N/A | N/A | Linux Kernel | kernel-rt-64k-debug-modules-extra | No | Yes | Dec 09, 2025 |
