CVE-2025-21707

Summary

CVE-2025-21707 is a vulnerability affecting the Linux kernel's Multipath TCP (MPTCP) implementation. The issue lies in the way MPTCP handles received suboptions and their associated status bitmasks. Zeroing the bitmask before parsing is not sufficient to ensure a consistent status, leaving some bitfields uninitialized or not cleared. This weakness was exploited by syzbot, leading to uninitialized value errors in several functions, including __mptcp_expand_seq, mptcp_expand_seq, ack_update_msk, and mptcp_incoming_options. These bugs were found in net/mptcp/options.c and net/mptcp/protocol.h files, and they impacted multiple network stack components, including tcp_data_queue, tcp_rcv_established, ip_local_deliver, and others. Successful exploitation of this vulnerability could result in denial of service or other unintended behavior.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.