CVE-2025-71126 Overview
CVE-2025-71126 is a deadlock vulnerability in the Linux kernel's Multipath TCP (MPTCP) implementation. The vulnerability occurs during fallback operations when the packet scheduler attempts a reinjection after receiving an MP_FAIL signal but before the infinite map has been transmitted. This creates a recursive locking scenario that results in a kernel deadlock, causing system unresponsiveness.
Critical Impact
This vulnerability can cause a complete system deadlock when MPTCP connections attempt fallback during packet reinjection, potentially leading to denial of service conditions on affected Linux systems.
Affected Products
- Linux Kernel with MPTCP support enabled
- Linux Kernel version 6.18.0-rc7 and potentially other versions with MPTCP functionality
- Systems utilizing Multipath TCP for network connections
Discovery Timeline
- 2026-01-14 - CVE-2025-71126 published to NVD
- 2026-01-14 - Last updated in NVD database
Technical Details for CVE-2025-71126
Vulnerability Analysis
This deadlock vulnerability stems from improper lock handling in the MPTCP subsystem during fallback operations. The issue manifests when the __mptcp_retrans function holds the fallback_lock and subsequently calls mptcp_sendmsg_frag, which attempts to acquire the same lock via __mptcp_try_fallback. This creates a recursive locking scenario where a single task attempts to acquire a lock it already holds, resulting in an unresolvable deadlock.
The kernel warning trace shows the mptcp_connect process (PID 20858) attempting to acquire &msk->fallback_lock while already holding it, with three locks held simultaneously: the main socket lock (sk_lock-AF_INET), a secondary socket lock (k-sk_lock-AF_INET#2), and the fallback lock itself. Re-acquiring a lock the task already holds is what triggers the deadlock condition.
Root Cause
The root cause is a missing lock nesting consideration in the MPTCP fallback code path. When the packet scheduler attempts packet reinjection after receiving an MP_FAIL signal—but before the infinite map transmission completes—the code path enters a critical section that requires atomic execution with respect to the fallback mechanism. However, the existing implementation did not account for this specific scenario where reinjection could trigger a fallback attempt while already holding the fallback lock.
The vulnerability specifically affects the interaction between __mptcp_retrans (which acquires the fallback lock at offset 0x352) and __mptcp_try_fallback (which attempts to acquire the same lock at offset 0xd8). This is the only fallback critical section capable of sending packets, and so of triggering the double-lock condition.
Attack Vector
The attack vector for this vulnerability is local, requiring the attacker to have the ability to initiate or manipulate MPTCP connections on the target system. The exploitation scenario involves:
- Establishing an MPTCP connection that supports fallback
- Triggering network conditions that cause an MP_FAIL signal to be received
- Causing packet reinjection to occur before the infinite map is transmitted
- The resulting deadlock causes the affected task to hang indefinitely
While this vulnerability is primarily a denial of service issue, the deadlock condition could affect system stability and availability. The fix explicitly avoids reinjection in the critical scenario, ensuring atomic execution of the fallback operation.
Detection Methods for CVE-2025-71126
Indicators of Compromise
- Kernel warning messages containing "possible recursive locking detected" with references to msk->fallback_lock
- System processes related to MPTCP connections (e.g., mptcp_connect) becoming unresponsive
- Kernel stack traces showing the call path through __mptcp_retrans → mptcp_sendmsg_frag → __mptcp_try_fallback
Detection Strategies
- Monitor kernel logs for deadlock warnings with MPTCP-related lock names such as fallback_lock
- Implement process monitoring to detect hung MPTCP-related kernel threads or user-space applications
- Deploy kernel-level tracing (ftrace/eBPF) to track lock acquisition patterns in the MPTCP subsystem
Monitoring Recommendations
- Enable kernel lockdep debugging on test systems to proactively detect similar locking issues
- Configure alerting on kernel warning messages containing "recursive locking" in production environments
- Monitor MPTCP connection statistics for anomalous fallback rates that could indicate exploitation attempts
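The log indicators listed above can be checked mechanically. The following is an added example, not code from the kernel project or from this advisory's vendor: it parses lockdep "possible recursive locking detected" reports out of kernel log text and flags the ones where fallback_lock is re-acquired on the __mptcp_retrans → __mptcp_try_fallback path. The function names and the sample log are constructed for illustration; the lock address and function sizes in the sample are made up.

```python
import re

# Constructed sample in the usual lockdep report layout. The lock address and
# the function sizes after "/" are made up; names and offsets follow the page.
SAMPLE_LOG = """\
[  812.101] eth0: link becomes ready
[  845.310] WARNING: possible recursive locking detected
[  845.310] 6.18.0-rc7 #1 Not tainted
[  845.310] mptcp_connect/20858 is trying to acquire lock:
[  845.310] ffff888000000000 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_try_fallback+0xd8/0x100
[  845.310] but task is already holding lock:
[  845.310] ffff888000000000 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_retrans+0x352/0x400
[  845.311] 3 locks held by mptcp_connect/20858:
"""

HEADER = "possible recursive locking detected"
TASK_RE = re.compile(r"(\S+)/(\d+) is trying to acquire lock:")
# "(lock-class){usage}, at: function+0xoffset/0xsize"
LOCK_RE = re.compile(r"\(([^)]+)\)\S*, at: ([\w.]+)\+0x")


def find_recursive_lock_reports(log_text):
    """Return one dict per lockdep recursive-locking report in a kernel log."""
    reports, cur, field = [], None, None
    for line in log_text.splitlines():
        if HEADER in line:
            cur = {"task": None, "pid": None, "acquire": None, "held": None}
            reports.append(cur)
            field = None
        elif cur is None:
            continue
        elif m := TASK_RE.search(line):
            cur["task"], cur["pid"] = m.group(1), int(m.group(2))
            field = "acquire"  # next lock line is the one being requested
        elif "already holding lock" in line:
            field = "held"     # next lock line is the one already owned
        elif field and (m := LOCK_RE.search(line)):
            cur[field] = {"lock": m.group(1), "func": m.group(2)}
            field = None
    return reports


def matches_page_signature(report):
    """True when fallback_lock is re-taken on the call path the page names."""
    acq, held = report["acquire"], report["held"]
    return bool(acq and held
                and acq["lock"] == held["lock"] == "&msk->fallback_lock"
                and acq["func"] == "__mptcp_try_fallback"
                and held["func"] == "__mptcp_retrans")


if __name__ == "__main__":
    for r in find_recursive_lock_reports(SAMPLE_LOG):
        print(r["task"], r["pid"], "match" if matches_page_signature(r) else "other")
```

Feed it the text of `dmesg` or `journalctl -k`. Lockdep reports only appear on kernels built with lock debugging, so on production kernels the hung-task indicators above remain the primary signal.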
How to Mitigate CVE-2025-71126
Immediate Actions Required
- Apply the latest kernel security patches that address this deadlock condition
- Consider disabling MPTCP functionality if not required until patches can be applied
- Monitor systems for signs of deadlock conditions and prepare for potential system restarts
Patch Information
The Linux kernel developers have released patches to address this vulnerability. The fix explicitly prevents reinjection during the critical fallback scenario, eliminating the recursive locking condition. The following kernel commits contain the fix:
Workarounds
- Disable MPTCP support at the kernel level by setting net.mptcp.enabled=0 via sysctl
- Configure applications to use standard TCP instead of MPTCP where possible
- Implement network-level controls to prevent MPTCP negotiation on critical systems
# Disable MPTCP system-wide as a temporary workaround
sysctl -w net.mptcp.enabled=0
# Make the change persistent across reboots
echo "net.mptcp.enabled=0" >> /etc/sysctl.conf

