{"id":"CVE-2025-40258","summary":"mptcp: fix race condition in mptcp_schedule_work()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix race condition in mptcp_schedule_work()\n\nsyzbot reported use-after-free in mptcp_schedule_work() [1]\n\nIssue here is that mptcp_schedule_work() schedules a work,\nthen gets a refcount on sk-\u003esk_refcnt if the work was scheduled.\nThis refcount will be released by mptcp_worker().\n\n[A] if (schedule_work(...)) {\n[B]     sock_hold(sk);\n        return true;\n    }\n\nProblem is that mptcp_worker() can run immediately and complete before [B]\n\nWe need instead :\n\n    sock_hold(sk);\n    if (schedule_work(...))\n        return true;\n    sock_put(sk);\n\n[1]\nrefcount_t: addition on 0; use-after-free.\n WARNING: CPU: 1 PID: 29 at lib/refcount.c:25 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:25\nCall Trace:\n \u003cTASK\u003e\n __refcount_add include/linux/refcount.h:-1 [inline]\n  __refcount_inc include/linux/refcount.h:366 [inline]\n  refcount_inc include/linux/refcount.h:383 [inline]\n  sock_hold include/net/sock.h:816 [inline]\n  mptcp_schedule_work+0x164/0x1a0 net/mptcp/protocol.c:943\n  mptcp_tout_timer+0x21/0xa0 net/mptcp/protocol.c:2316\n  call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747\n  expire_timers kernel/time/timer.c:1798 [inline]\n  __run_timers kernel/time/timer.c:2372 [inline]\n  __run_timer_base+0x648/0x970 kernel/time/timer.c:2384\n  run_timer_base kernel/time/timer.c:2393 [inline]\n  run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403\n  handle_softirqs+0x22f/0x710 kernel/softirq.c:622\n  __do_softirq kernel/softirq.c:656 [inline]\n  run_ktimerd+0xcf/0x190 kernel/softirq.c:1138\n  smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160\n  kthread+0x711/0x8a0 kernel/kthread.c:463\n  ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158\n  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245","modified":"2026-04-16T04:31:45.385379282Z","published":"2025-12-04T16:08:19.176Z","related":["ALSA-2026:1143","ALSA-2026:1661","ALSA-2026:1662","ALSA-2026:1690","SUSE-SU-2026:0263-1","SUSE-SU-2026:0278-1","SUSE-SU-2026:0281-1","SUSE-SU-2026:0293-1","SUSE-SU-2026:0315-1","SUSE-SU-2026:0317-1","SUSE-SU-2026:0411-1","SUSE-SU-2026:0617-1","SUSE-SU-2026:0939-1","SUSE-SU-2026:0940-1","SUSE-SU-2026:0941-1","SUSE-SU-2026:0943-1","SUSE-SU-2026:0944-1","SUSE-SU-2026:0946-1","SUSE-SU-2026:0951-1","SUSE-SU-2026:0983-1","SUSE-SU-2026:0985-1","SUSE-SU-2026:0992-1","SUSE-SU-2026:0997-1","SUSE-SU-2026:1000-1","SUSE-SU-2026:1002-1","SUSE-SU-2026:1039-1","SUSE-SU-2026:1046-1","SUSE-SU-2026:1048-1","SUSE-SU-2026:1049-1","SUSE-SU-2026:1073-1","SUSE-SU-2026:1083-1","SUSE-SU-2026:1089-1","SUSE-SU-2026:1096-1","SUSE-SU-2026:1099-1","SUSE-SU-2026:1100-1","SUSE-SU-2026:1101-1","SUSE-SU-2026:1125-1","SUSE-SU-2026:1132-1","SUSE-SU-2026:1136-1","SUSE-SU-2026:20207-1","SUSE-SU-2026:20220-1","SUSE-SU-2026:20228-1","SUSE-SU-2026:20477-1","SUSE-SU-2026:20498-1","SUSE-SU-2026:20828-1","SUSE-SU-2026:20829-1","SUSE-SU-2026:20831-1","SUSE-SU-2026:20832-1","SUSE-SU-2026:20837-1","SUSE-SU-2026:20840-1","SUSE-SU-2026:20841-1","SUSE-SU-2026:20842-1","SUSE-SU-2026:20845-1","SUSE-SU-2026:20847-1","SUSE-SU-2026:20848-1","SUSE-SU-2026:20849-1","SUSE-SU-2026:20850-1","SUSE-SU-2026:20851-1","SUSE-SU-2026:20852-1","SUSE-SU-2026:20853-1","SUSE-SU-2026:20854-1","SUSE-SU-2026:20855-1","SUSE-SU-2026:20856-1","SUSE-SU-2026:20857-1","SUSE-SU-2026:20858-1","SUSE-SU-2026:20859-1","SUSE-SU-2026:20860-1","SUSE-SU-2026:20861-1","SUSE-SU-2026:20862-1","SUSE-SU-2026:20863-1","SUSE-SU-2026:20864-1","SUSE-SU-2026:20865-1","SUSE-SU-2026:20866-1","SUSE-SU-2026:20876-1","SUSE-SU-2026:20880-1","SUSE-SU-2026:20881-1","SUSE-SU-2026:20882-1","SUSE-SU-2026:20883-1","SUSE-SU-2026:20884-1","SUSE-SU-2026:20885-1","SUSE-SU-2026:20886-1","SUSE-SU-2026:20887-1","SUSE-SU-2026:20888-1","SUSE-SU-2026:20889-1","SUSE-SU-2026:20891-1","SUSE-SU-2026:20892-1","SUSE-SU-2026:20893-1","SUSE-SU-2026:20894-1","SUSE-SU-2026:20895-1","SUSE-SU-2026:20896-1","SUSE-SU-2026:20897-1","SUSE-SU-2026:20898-1","SUSE-SU-2026:20899-1","SUSE-SU-2026:20900-1","SUSE-SU-2026:20944-1","SUSE-SU-2026:20945-1","SUSE-SU-2026:20946-1","SUSE-SU-2026:20947-1","openSUSE-SU-2026:20145-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40258.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/035bca3f017ee9dea3a5a756e77a6f7138cc6eea"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3fc7723ed01d1130d4bf7063c50e0af60ecccbb4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8f9ba1a99a89feef9b5867c15a0141a97e893309"},{"type":"WEB","url":"https://git.kernel.org/stable/c/99908e2d601236842d705d5fd04fb349577316f5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ac28dfddedf6f209190950fc71bcff65ec4ab47b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/db4f7968a75250ca6c4ed70d0a78beabb2dcee18"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f865e6595acf33083168db76921e66ace8bf0e5b"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40258.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40258"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"3b1d6210a9577369103330b0d802b0bf74b65e7f"},{"fixed":"f865e6595acf33083168db76921e66ace8bf0e5b"},{"fixed":"99908e2d601236842d705d5fd04fb349577316f5"},{"fixed":"db4f7968a75250ca6c4ed70d0a78beabb2dcee18"},{"fixed":"8f9ba1a99a89feef9b5867c15a0141a97e893309"},{"fixed":"ac28dfddedf6f209190950fc71bcff65ec4ab47b"},{"fixed":"3fc7723ed01d1130d4bf7063c50e0af60ecccbb4"},{"fixed":"035bca3f017ee9dea3a5a756e77a6f7138cc6eea"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40258.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.7.0"},{"fixed":"5.10.247"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.197"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.159"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.118"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.60"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.17.10"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40258.json"}}],"schema_version":"1.7.5"}