CVE-2025-71088 Overview
CVE-2025-71088 is a race condition vulnerability in the Linux kernel's Multipath TCP (MPTCP) implementation. The vulnerability occurs during simultaneous connection handling where a TCP subflow can process a SYN-ACK packet after transitioning to the TCP_FIN_WAIT1 state, bypassing critical MPTCP fallback checks. This race condition leads to an inconsistent socket state, which can cause kernel warnings and potential system instability when subsequent data packets are received.
Critical Impact
This race condition can cause the MPTCP socket to enter an inconsistent state, triggering kernel warnings and potentially impacting network connection handling on affected Linux systems.
Affected Products
- Linux Kernel with MPTCP support enabled
- Systems using IPv4/IPv6 TCP connections with MPTCP subflows
- Kernel versions prior to the security patches referenced in c9bf315228, 79f80a7a47, 71154bbe49, 25f1ae942, and b5f46a0826 commits
Discovery Timeline
- 2026-01-13 - CVE CVE-2025-71088 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2025-71088
Vulnerability Analysis
The vulnerability resides in the MPTCP subflow handling code within net/mptcp/subflow.c. During a simultaneous connection scenario, a race condition can occur between the TCP state transition and MPTCP fallback status checks. Specifically, when the sk_state_change() callback is not invoked for transitions to the FIN_WAIT1 state, the MPTCP fallback check is bypassed.
The kernel warning triggered at subflow_data_ready+0x40b/0x7c0 in net/mptcp/subflow.c:1515 indicates that the subflow's data ready handler encounters an unexpected state. The call trace shows the issue manifesting through the TCP receive path (tcp_data_queue → tcp_rcv_state_process → tcp_v6_do_rcv), ultimately affecting both IPv4 and IPv6 network stacks.
The inconsistent fallback status means the MPTCP socket (msk) moves to an invalid state, and any subsequent incoming data will trigger the kernel warning, potentially disrupting network operations.
Root Cause
The root cause is a missing fallback check during the TCP state transition from the initial connection state to FIN_WAIT1. The TCP subflow can process a simultaneous connection SYN-ACK packet during this state transition window, which bypasses the MPTCP fallback validation that would normally be performed via the sk_state_change() callback. This creates a time-of-check-time-of-use (TOCTOU) style race where the fallback status becomes inconsistent with the actual connection state.
Attack Vector
An attacker or adverse network conditions could potentially trigger this race condition through:
- Simultaneous Connection Scenarios: Initiating multiple TCP connections that trigger the MPTCP subflow handling paths concurrently
- Network Timing Manipulation: Crafting network conditions where SYN-ACK packets arrive during specific TCP state transitions
- Denial of Service: Repeatedly triggering the race condition to cause kernel warnings and system instability
The vulnerability was discovered by Syzkaller, indicating it can be triggered through automated fuzzing of the kernel's network stack. The fix moves the simultaneous-fallback check to the earliest possible stage—at SYN-ACK generation time—to prevent the race from occurring.
Detection Methods for CVE-2025-71088
Indicators of Compromise
- Kernel warning messages containing subflow_data_ready and references to net/mptcp/subflow.c:1515
- System log entries showing CPU warnings related to MPTCP connection handling
- Unexpected network connection failures or resets on systems with MPTCP enabled
- Stack traces in dmesg or kernel logs showing the tcp_data_queue → subflow_data_ready call path
Detection Strategies
- Monitor kernel logs for WARNING messages originating from the MPTCP subsystem
- Implement syslog alerting for patterns matching net/mptcp/subflow.c warning messages
- Use kernel tracing tools (ftrace, eBPF) to monitor MPTCP state transitions for anomalies
- Deploy intrusion detection rules to identify abnormal TCP connection patterns that may trigger simultaneous connection races
Monitoring Recommendations
- Enable kernel message monitoring with alerts for MPTCP-related warnings
- Track network socket statistics for unexpected connection state transitions
- Monitor system stability metrics for kernel soft lockups or increased CPU usage in ksoftirqd
- Review network traffic patterns for unusual simultaneous connection attempts
How to Mitigate CVE-2025-71088
Immediate Actions Required
- Update the Linux kernel to a patched version containing the security fix
- Disable MPTCP if not required for business operations using sysctl net.mptcp.enabled=0
- Monitor systems for kernel warnings indicating exploitation attempts
- Review network configurations to identify systems with MPTCP enabled
Patch Information
The vulnerability has been addressed through multiple kernel commits that move the simultaneous-fallback check to the SYN-ACK generation stage. The following patches are available:
- Kernel Git Commit c9bf315228
- Kernel Git Commit 79f80a7a47
- Kernel Git Commit 71154bbe49
- Kernel Git Commit 25f1ae942
- Kernel Git Commit b5f46a0826
System administrators should apply the appropriate patch based on their kernel version. The patches are designed to be backported to earlier kernel versions as noted in the commit message.
Workarounds
- Disable MPTCP on systems where it is not required using sysctl configuration
- Implement network-level controls to limit simultaneous connection scenarios
- Use firewall rules to rate-limit incoming TCP connection attempts
- Monitor and restart affected services if kernel warnings are observed
# Disable MPTCP as a temporary workaround
echo 0 > /proc/sys/net/mptcp/enabled
# Or add to sysctl.conf for persistent configuration
echo "net.mptcp.enabled = 0" >> /etc/sysctl.conf
sysctl -p
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
