CVE intelligence and bounded remediation
CVE-2025-21706 — Linux Linux Kernel security vulnerability
In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: only set fullmesh for subflow endp With the in-kernel path-manager, it is possible to change the 'fullmesh' flag. The code in mptcp_pm_nl_fullmesh() expects to change it only on 'subflow' endpoints, to recreate more or less subflows using the linked address. Unfortunately, the set_flags() hook was a bit more permissive, and allowed 'implicit' endpoints to get the 'fullmesh' flag while it is not allowed before. That's what syzbot found, triggering the following warning: WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 __mark_subflow_endp_available net/mptcp/pm_netlink.c:1496 [inline] WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_pm_nl_fullmesh net/mptcp/pm_netlink.c:1980 [inline] WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_nl_set_flags net/mptcp/pm_netlink.c:2003 [inline] WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_pm_nl_set_flags+0x974/0xdc0 net/mptcp/pm_netlink.c:2064 Modules linked in: CPU: 0 UID: 0 PID: 6499 Comm: syz.1.413 Not tainted 6.13.0-rc5-syzkaller-00172-gd1bf27c4e176 #0 Hardware name: Google Compute Engine/Google Compute Engine…
- Severity
- Medium
- CVSS
- 5.5 (3.1)
- Published
- 2025-02-27
- CISA KEV
- Not currently listed
- Ecosystem
- linux/kernel
Affected products
- linux / linux_kernel
Matched remediation archetype
General vulnerability remediation
This catalog composition supplies bounded fallback guidance. Explicitly reviewed curated workflows load with the complete record below.
Check exposure
- Confirm the affected component, deployment paths, reachable interfaces, and enabled features from inventories and configuration, without probing production destructively.
- Compare the advisory's affected conditions with the repository lockfiles, build manifests, artifacts, and runtime inventory.
- Identify data sensitivity, trust boundaries, and privilege level for every confirmed affected deployment.
Remediate safely
- Apply a vendor-supported fix or remove the affected component or feature; record the selected change and its source in the repository.
- Update direct and transitive dependency locks, generated artifacts, deployment manifests, and asset inventories together.
- Add a regression test for the documented unsafe condition using inert inputs and preserve rollback instructions.
Authoritative sources
Complete CVE record and remediation plan
The detailed catalog view below loads this exact record, its source evidence, and the full seven-phase agentic change plan.