[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-DEBIAN-CVE-2025-40258":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-04T14:53:31.930Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":11,"aliases":12,"duplicate_of":9,"upstream":13,"downstream":16,"duplicates":17,"related":18,"reserved_at":9,"published_at":19,"modified_at":20,"state":9,"summary":21,"references_raw":23,"kevs":30,"epss":9,"epss_history":31,"metrics":32,"affected":33},"DEBIAN-CVE-2025-40258","In the Linux kernel, the following vulnerability has been resolved:  mptcp: fix race condition in mptcp_schedule_work()  syzbot reported use-after-free in mptcp_schedule_work() [1]  Issue here is that mptcp_schedule_work() schedules a work, then gets a refcount on sk->sk_refcnt if the work was scheduled. This refcount will be released by mptcp_worker().  [A] if (schedule_work(...)) { [B]     sock_hold(sk);         return true;     }  Problem is that mptcp_worker() can run immediately and complete before [B]  We need instead :      sock_hold(sk);     if (schedule_work(...))         return true;     sock_put(sk);  [1] refcount_t: addition on 0; use-after-free.  WARNING: CPU: 1 PID: 29 at lib/refcount.c:25 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:25 Call Trace:  \u003CTASK>  __refcount_add include/linux/refcount.h:-1 [inline]   __refcount_inc include/linux/refcount.h:366 [inline]   refcount_inc include/linux/refcount.h:383 [inline]   sock_hold include/net/sock.h:816 [inline]   mptcp_schedule_work+0x164/0x1a0 net/mptcp/protocol.c:943   mptcp_tout_timer+0x21/0xa0 net/mptcp/protocol.c:2316   call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747   expire_timers kernel/time/timer.c:1798 [inline]   __run_timers kernel/time/timer.c:2372 [inline]   __run_timer_base+0x648/0x970 kernel/time/timer.c:2384   run_timer_base kernel/time/timer.c:2393 [inline]   run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403   handle_softirqs+0x22f/0x710 kernel/softirq.c:622   __do_softirq kernel/softirq.c:656 [inline]   run_ktimerd+0xcf/0x190 kernel/softirq.c:1138   smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160   kthread+0x711/0x8a0 kernel/kthread.c:463   ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245",null,[],[],[],[14],{"_key":15},"CVE-2025-40258",[],[],[],"2025-12-04T16:16:19.640Z","2026-04-28T20:30:09.635263Z",{"cisa_kev":22,"cisa_ransomware":22,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":9,"severity_score":9,"severity_version":9,"severity_source":9,"severity_vector":9,"severity_status":9},false,[24],{"url":25,"sources":26,"tags":28},"https://security-tracker.debian.org/tracker/CVE-2025-40258",[27],"osv_debian",[29],"Advisory",[],[],[],[34,55],{"ecosystem":35,"name":36,"vendor":37,"product":36,"cpe_part":9,"purl_type":38,"purl_namespace":37,"purl_name":36,"source":9,"versions":39},"Debian","linux","debian","deb",[40,46,49,52],{"version":41,"is_range":42,"range_type":43,"version_start":9,"version_start_type":9,"version_end":44,"version_end_type":45,"fixed_in":9},"lt5_10_247_1",true,"ecosystem","5.10.247-1","excluding",{"version":47,"is_range":42,"range_type":43,"version_start":9,"version_start_type":9,"version_end":48,"version_end_type":45,"fixed_in":9},"lt6_1_159_1","6.1.159-1",{"version":50,"is_range":42,"range_type":43,"version_start":9,"version_start_type":9,"version_end":51,"version_end_type":45,"fixed_in":9},"lt6_12_63_1","6.12.63-1",{"version":53,"is_range":42,"range_type":43,"version_start":9,"version_start_type":9,"version_end":54,"version_end_type":45,"fixed_in":9},"lt6_17_10_1","6.17.10-1",{"ecosystem":35,"name":56,"vendor":37,"product":56,"cpe_part":9,"purl_type":38,"purl_namespace":37,"purl_name":56,"source":9,"versions":57},"linux-6.1",[58],{"version":59,"is_range":42,"range_type":43,"version_start":9,"version_start_type":9,"version_end":60,"version_end_type":45,"fixed_in":9},"lt6_1_159_1~deb11u1","6.1.159-1~deb11u1"]