{
  "threat_severity" : "Moderate",
  "public_date" : "2025-12-04T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: mptcp: fix race condition in mptcp_schedule_work()",
    "id" : "2418876",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2418876"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-362",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmptcp: fix race condition in mptcp_schedule_work()\nsyzbot reported use-after-free in mptcp_schedule_work() [1]\nIssue here is that mptcp_schedule_work() schedules a work,\nthen gets a refcount on sk->sk_refcnt if the work was scheduled.\nThis refcount will be released by mptcp_worker().\n[A] if (schedule_work(...)) {\n[B]     sock_hold(sk);\nreturn true;\n}\nProblem is that mptcp_worker() can run immediately and complete before [B]\nWe need instead :\nsock_hold(sk);\nif (schedule_work(...))\nreturn true;\nsock_put(sk);\n[1]\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 1 PID: 29 at lib/refcount.c:25 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:25\nCall Trace:\n<TASK>\n__refcount_add include/linux/refcount.h:-1 [inline]\n__refcount_inc include/linux/refcount.h:366 [inline]\nrefcount_inc include/linux/refcount.h:383 [inline]\nsock_hold include/net/sock.h:816 [inline]\nmptcp_schedule_work+0x164/0x1a0 net/mptcp/protocol.c:943\nmptcp_tout_timer+0x21/0xa0 net/mptcp/protocol.c:2316\ncall_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747\nexpire_timers kernel/time/timer.c:1798 [inline]\n__run_timers kernel/time/timer.c:2372 [inline]\n__run_timer_base+0x648/0x970 kernel/time/timer.c:2384\nrun_timer_base kernel/time/timer.c:2393 [inline]\nrun_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403\nhandle_softirqs+0x22f/0x710 kernel/softirq.c:622\n__do_softirq kernel/softirq.c:656 [inline]\nrun_ktimerd+0xcf/0x190 kernel/softirq.c:1138\nsmpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160\nkthread+0x711/0x8a0 kernel/kthread.c:463\nret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158\nret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245", "A race in mptcp_schedule_work() could lead to a use-after-free: the function queued work and only then acquired a reference to the socket. If the worker ran to completion immediately, the subsequent sock_hold() operated on a freed object. Impact ranges from kernel crash (DoS) to potential privilege escalation for a local user able to create MPTCP sockets." ],
  "statement" : "By default, the MPTCP support is disabled in RHEL. This bug is only applicable if enabled.\nThe MPTCP disabled by default (in Red Hat Enterprise Linux or Fedora). Particular this CVE looks higher severity, because could lead to privileges escalation potentially. The MPTCP is networking protocol (so if enabled by root, then potentially could be triggered). The protocol alive and being used in some scenarios, but known to be not safe enough to be enabled by default (need to use it with care taking in mind CVEs like this). There is one more similar previous CVE (one or two weeks ago) that is also MPTCP, but less danger that is CVE-2024-53122",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-02-02T00:00:00Z",
    "advisory" : "RHSA-2026:1690",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "kernel-0:6.12.0-124.31.1.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support",
    "release_date" : "2026-02-02T00:00:00Z",
    "advisory" : "RHSA-2026:1727",
    "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0",
    "package" : "kernel-0:6.12.0-55.58.1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-02-02T00:00:00Z",
    "advisory" : "RHSA-2026:1661",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.100.1.rt7.441.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-02-02T00:00:00Z",
    "advisory" : "RHSA-2026:1662",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.100.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2026-02-11T00:00:00Z",
    "advisory" : "RHSA-2026:2490",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.6",
    "package" : "kernel-0:4.18.0-372.179.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2026-02-11T00:00:00Z",
    "advisory" : "RHSA-2026:2490",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.6",
    "package" : "kernel-0:4.18.0-372.179.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2026-02-11T00:00:00Z",
    "advisory" : "RHSA-2026:2490",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.6",
    "package" : "kernel-0:4.18.0-372.179.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
    "release_date" : "2026-02-11T00:00:00Z",
    "advisory" : "RHSA-2026:2535",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.8",
    "package" : "kernel-0:4.18.0-477.128.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
    "release_date" : "2026-02-11T00:00:00Z",
    "advisory" : "RHSA-2026:2535",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.8",
    "package" : "kernel-0:4.18.0-477.128.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-01-26T00:00:00Z",
    "advisory" : "RHSA-2026:1143",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.26.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-01-26T00:00:00Z",
    "advisory" : "RHSA-2026:1143",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.26.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2026-01-28T00:00:00Z",
    "advisory" : "RHSA-2026:1494",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "kernel-0:5.14.0-70.163.1.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2026-01-28T00:00:00Z",
    "advisory" : "RHSA-2026:1495",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0::nfv",
    "package" : "kernel-rt-0:5.14.0-70.163.1.rt21.235.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2026-02-11T00:00:00Z",
    "advisory" : "RHSA-2026:2560",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "kernel-0:5.14.0-284.156.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2026-02-11T00:00:00Z",
    "advisory" : "RHSA-2026:2583",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2::nfv",
    "package" : "kernel-rt-0:5.14.0-284.156.1.rt14.441.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2026-01-28T00:00:00Z",
    "advisory" : "RHSA-2026:1444",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "kernel-0:5.14.0-427.108.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-01-26T00:00:00Z",
    "advisory" : "RHSA-2026:1194",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "kernel-0:5.14.0-570.81.1.el9_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-40258\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-40258\nhttps://lore.kernel.org/linux-cve-announce/2025120433-CVE-2025-40258-d10d@gregkh/T" ],
  "name" : "CVE-2025-40258",
  "mitigation" : {
    "value" : "If enabled, you may disable MPTCP support. For more information please read https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/getting-started-with-multipath-tcp_configuring-and-managing-networking#preparing-rhel-to-enable-mptcp-support_getting-started-with-multipath-tcp",
    "lang" : "en:us"
  },
  "csaw" : false
}