CVE-2025-38491
Public on 2025-07-28
Modified on 2025-10-16
Description
In the Linux kernel, the following vulnerability has been resolved:
mptcp: make fallback action and fallback decision atomic
CVE-2025-38491 addresses a race condition vulnerability in the Linux kernel's MPTCP (Multipath TCP) implementation. The issue relates to how fallback actions and decisions are handled in the MPTCP protocol. Weighing the tradeoffs between operational risk from doing this complex backport and the security impact of CVE-2025-38491, Amazon Linux will not provide a fix for the 5.10 and 5.15 kernels of Amazon Linux 2. Amazon Linux recommends customers to use Amazon Linux 2023.
mptcp: make fallback action and fallback decision atomic
CVE-2025-38491 addresses a race condition vulnerability in the Linux kernel's MPTCP (Multipath TCP) implementation. The issue relates to how fallback actions and decisions are handled in the MPTCP protocol. Weighing the tradeoffs between operational risk from doing this complex backport and the security impact of CVE-2025-38491, Amazon Linux will not provide a fix for the 5.10 and 5.15 kernels of Amazon Linux 2. Amazon Linux recommends customers to use Amazon Linux 2023.
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 1 | kernel | Not Affected | ||
| Amazon Linux 2 - Core | kernel | Not Affected | ||
| Amazon Linux 2 - Kernel-5.4 Extra | kernel | Not Affected | ||
| Amazon Linux 2 - Kernel-5.10 Extra | kernel | No Fix Planned | ||
| Amazon Linux 2 - Kernel-5.15 Extra | kernel | No Fix Planned | ||
| Amazon Linux 2023 | kernel | 2025-09-15 | ALAS2023-2025-1186 | Fixed |
| Amazon Linux 2023 | kernel6.12 | 2025-08-08 | ALAS2023-2025-1145 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 7.0 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |