CVE-2025-21756

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-21756
In the Linux kernel, the following vulnerability has been resolved: vsock: Keep the binding until socket destruction Preserve sockets bindings; this includes both resulting from an explicit bind() and those implicitly bound through autobind during connect(). Prevents socket unbinding during a transport reassignment, which fixes a use-after-free: 1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2) 2. transport->release() calls vsock_remove_bound() without checking if sk was bound and moved to bound list (refcnt=1) 3. vsock_bind() assumes sk is in unbound list and before __vsock_insert_bound(vsock_bound_sockets()) calls __vsock_remove_bound() which does: list_del_init(&vsk->bound_table); // nop sock_put(&vsk->sk); // refcnt=0 BUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730 Read of size 4 at addr ffff88816b46a74c by task a.out/2057 dump_stack_lvl+0x68/0x90 print_report+0x174/0x4f6 kasan_report+0xb9/0x190 __vsock_bind+0x62e/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Allocated by task 2057: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 __kasan_slab_alloc+0x85/0x90 kmem_cache_alloc_noprof+0x131/0x450 sk_prot_alloc+0x5b/0x220 sk_alloc+0x2c/0x870 __vsock_create.constprop.0+0x2e/0xb60 vsock_create+0xe4/0x420 __sock_create+0x241/0x650 __sys_socket+0xf2/0x1a0 __x64_sys_socket+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 2057: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x60 __kasan_slab_free+0x4b/0x70 kmem_cache_free+0x1a1/0x590 __sk_destruct+0x388/0x5a0 __vsock_bind+0x5e1/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e refcount_t: addition on 0; use-after-free. WARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150 RIP: 0010:refcount_warn_saturate+0xce/0x150 __vsock_bind+0x66d/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e refcount_t: underflow; use-after-free. WARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150 RIP: 0010:refcount_warn_saturate+0xee/0x150 vsock_remove_bound+0x187/0x1e0 __vsock_release+0x383/0x4a0 vsock_release+0x90/0x120 __sock_release+0xa3/0x250 sock_close+0x14/0x20 __fput+0x359/0xa80 task_work_run+0x107/0x1d0 do_exit+0x847/0x2560 do_group_exit+0xb8/0x250 __x64_sys_exit_group+0x3a/0x50 x64_sys_call+0xfec/0x14f0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e

7.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://git.kernel.org/stable/c/3f43540166128951cc1be7ab1ce6b7f05c670d8b Patch
https://git.kernel.org/stable/c/42b33381e5e1f2b967dc4fb4221ddb9aaf10d197 Patch
https://git.kernel.org/stable/c/645ce25aa0e67895b11d89f27bb86c9d444c40f8 Patch
https://git.kernel.org/stable/c/b1afd40321f1c243cffbcf40ea7ca41aca87fa5e Patch
https://git.kernel.org/stable/c/e48fcb403c2d0e574c19683f09399ab4cf67809c Patch
https://git.kernel.org/stable/c/e7754d564579a5db9c5c9f74228df5d6dd6f1173 Patch
https://git.kernel.org/stable/c/fcdd2242c0231032fc84e1404315c245ae56322a Patch
https://github.com/hoefler02/CVE-2025-21756/blob/main/x.c
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
History

30 Apr 2025, 14:15

Type Values Removed Values Added
References
  • () https://github.com/hoefler02/CVE-2025-21756/blob/main/x.c -

24 Mar 2025, 17:32

Type Values Removed Values Added
CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
References () https://git.kernel.org/stable/c/3f43540166128951cc1be7ab1ce6b7f05c670d8b - () https://git.kernel.org/stable/c/3f43540166128951cc1be7ab1ce6b7f05c670d8b - Patch
References () https://git.kernel.org/stable/c/42b33381e5e1f2b967dc4fb4221ddb9aaf10d197 - () https://git.kernel.org/stable/c/42b33381e5e1f2b967dc4fb4221ddb9aaf10d197 - Patch
References () https://git.kernel.org/stable/c/645ce25aa0e67895b11d89f27bb86c9d444c40f8 - () https://git.kernel.org/stable/c/645ce25aa0e67895b11d89f27bb86c9d444c40f8 - Patch
References () https://git.kernel.org/stable/c/b1afd40321f1c243cffbcf40ea7ca41aca87fa5e - () https://git.kernel.org/stable/c/b1afd40321f1c243cffbcf40ea7ca41aca87fa5e - Patch
References () https://git.kernel.org/stable/c/e48fcb403c2d0e574c19683f09399ab4cf67809c - () https://git.kernel.org/stable/c/e48fcb403c2d0e574c19683f09399ab4cf67809c - Patch
References () https://git.kernel.org/stable/c/e7754d564579a5db9c5c9f74228df5d6dd6f1173 - () https://git.kernel.org/stable/c/e7754d564579a5db9c5c9f74228df5d6dd6f1173 - Patch
References () https://git.kernel.org/stable/c/fcdd2242c0231032fc84e1404315c245ae56322a - () https://git.kernel.org/stable/c/fcdd2242c0231032fc84e1404315c245ae56322a - Patch
First Time Linux
Linux linux Kernel

13 Mar 2025, 13:15

Type Values Removed Values Added
Summary
  • (es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: vsock: Mantener la vinculación hasta la destrucción del socket Preservar las vinculaciones de los sockets; esto incluye tanto las resultantes de un bind() explícito como las vinculadas implícitamente a través de autobind durante connect(). Evita la desvinculación de sockets durante una reasignación de transporte, lo que soluciona un use after free: 1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2) 2. transport->release() calls vsock_remove_bound() without checking if sk was bound and moved to bound list (refcnt=1) 3. vsock_bind() assumes sk is in unbound list and before __vsock_insert_bound(vsock_bound_sockets()) calls __vsock_remove_bound() which does: list_del_init(&vsk->bound_table); // nop sock_put(&vsk->sk); // refcnt=0 BUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730 Read of size 4 at addr ffff88816b46a74c by task a.out/2057 dump_stack_lvl+0x68/0x90 print_report+0x174/0x4f6 kasan_report+0xb9/0x190 __vsock_bind+0x62e/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Allocated by task 2057: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 __kasan_slab_alloc+0x85/0x90 kmem_cache_alloc_noprof+0x131/0x450 sk_prot_alloc+0x5b/0x220 sk_alloc+0x2c/0x870 __vsock_create.constprop.0+0x2e/0xb60 vsock_create+0xe4/0x420 __sock_create+0x241/0x650 __sys_socket+0xf2/0x1a0 __x64_sys_socket+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 2057: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x60 __kasan_slab_free+0x4b/0x70 kmem_cache_free+0x1a1/0x590 __sk_destruct+0x388/0x5a0 __vsock_bind+0x5e1/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e refcount_t: addition on 0; use-after-free. WARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150 RIP: 0010:refcount_warn_saturate+0xce/0x150 __vsock_bind+0x66d/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e refcount_t: underflow; use-after-free. WARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150 RIP: 0010:refcount_warn_saturate+0xee/0x150 vsock_remove_bound+0x187/0x1e0 __vsock_release+0x383/0x4a0 vsock_release+0x90/0x120 __sock_release+0xa3/0x250 sock_close+0x14/0x20 __fput+0x359/0xa80 task_work_run+0x107/0x1d0 do_exit+0x847/0x2560 do_group_exit+0xb8/0x250 __x64_sys_exit_group+0x3a/0x50 x64_sys_call+0xfec/0x14f0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e
References
  • () https://git.kernel.org/stable/c/42b33381e5e1f2b967dc4fb4221ddb9aaf10d197 -
  • () https://git.kernel.org/stable/c/e48fcb403c2d0e574c19683f09399ab4cf67809c -
  • () https://git.kernel.org/stable/c/e7754d564579a5db9c5c9f74228df5d6dd6f1173 -

27 Feb 2025, 19:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.8
CWE CWE-416

27 Feb 2025, 03:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-02-27 03:15

Updated : 2025-04-30 14:15

NVD link : CVE-2025-21756

Mitre link : CVE-2025-21756

CVE.ORG link : CVE-2025-21756

JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-416

Use After Free