CVE-2025-21756
Vulnerability from cvelistv5
Published
2025-02-27 02:18
Modified
2025-02-27 18:22
Severity ?
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: vsock: Keep the binding until socket destruction Preserve sockets bindings; this includes both resulting from an explicit bind() and those implicitly bound through autobind during connect(). Prevents socket unbinding during a transport reassignment, which fixes a use-after-free: 1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2) 2. transport->release() calls vsock_remove_bound() without checking if sk was bound and moved to bound list (refcnt=1) 3. vsock_bind() assumes sk is in unbound list and before __vsock_insert_bound(vsock_bound_sockets()) calls __vsock_remove_bound() which does: list_del_init(&vsk->bound_table); // nop sock_put(&vsk->sk); // refcnt=0 BUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730 Read of size 4 at addr ffff88816b46a74c by task a.out/2057 dump_stack_lvl+0x68/0x90 print_report+0x174/0x4f6 kasan_report+0xb9/0x190 __vsock_bind+0x62e/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Allocated by task 2057: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 __kasan_slab_alloc+0x85/0x90 kmem_cache_alloc_noprof+0x131/0x450 sk_prot_alloc+0x5b/0x220 sk_alloc+0x2c/0x870 __vsock_create.constprop.0+0x2e/0xb60 vsock_create+0xe4/0x420 __sock_create+0x241/0x650 __sys_socket+0xf2/0x1a0 __x64_sys_socket+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 2057: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x60 __kasan_slab_free+0x4b/0x70 kmem_cache_free+0x1a1/0x590 __sk_destruct+0x388/0x5a0 __vsock_bind+0x5e1/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e refcount_t: addition on 0; use-after-free. WARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150 RIP: 0010:refcount_warn_saturate+0xce/0x150 __vsock_bind+0x66d/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e refcount_t: underflow; use-after-free. WARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150 RIP: 0010:refcount_warn_saturate+0xee/0x150 vsock_remove_bound+0x187/0x1e0 __vsock_release+0x383/0x4a0 vsock_release+0x90/0x120 __sock_release+0xa3/0x250 sock_close+0x14/0x20 __fput+0x359/0xa80 task_work_run+0x107/0x1d0 do_exit+0x847/0x2560 do_group_exit+0xb8/0x250 __x64_sys_exit_group+0x3a/0x50 x64_sys_call+0xfec/0x14f0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/3f43540166128951cc1be7ab1ce6b7f05c670d8b
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/645ce25aa0e67895b11d89f27bb86c9d444c40f8
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/b1afd40321f1c243cffbcf40ea7ca41aca87fa5e
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/fcdd2242c0231032fc84e1404315c245ae56322a
Impacted products
Vendor Product Version
Linux Linux Version: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a
Version: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a
Version: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a
Version: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a
 Create a notification for this product.
   Linux Linux Version: 5.5
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21756",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-27T18:14:19.138873Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T18:22:29.439Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/vmw_vsock/af_vsock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3f43540166128951cc1be7ab1ce6b7f05c670d8b",
              "status": "affected",
              "version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
              "versionType": "git"
            },
            {
              "lessThan": "645ce25aa0e67895b11d89f27bb86c9d444c40f8",
              "status": "affected",
              "version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
              "versionType": "git"
            },
            {
              "lessThan": "b1afd40321f1c243cffbcf40ea7ca41aca87fa5e",
              "status": "affected",
              "version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
              "versionType": "git"
            },
            {
              "lessThan": "fcdd2242c0231032fc84e1404315c245ae56322a",
              "status": "affected",
              "version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/vmw_vsock/af_vsock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.5"
            },
            {
              "lessThan": "5.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock: Keep the binding until socket destruction\n\nPreserve sockets bindings; this includes both resulting from an explicit\nbind() and those implicitly bound through autobind during connect().\n\nPrevents socket unbinding during a transport reassignment, which fixes a\nuse-after-free:\n\n    1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2)\n    2. transport-\u003erelease() calls vsock_remove_bound() without checking if\n       sk was bound and moved to bound list (refcnt=1)\n    3. vsock_bind() assumes sk is in unbound list and before\n       __vsock_insert_bound(vsock_bound_sockets()) calls\n       __vsock_remove_bound() which does:\n           list_del_init(\u0026vsk-\u003ebound_table); // nop\n           sock_put(\u0026vsk-\u003esk);               // refcnt=0\n\nBUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730\nRead of size 4 at addr ffff88816b46a74c by task a.out/2057\n dump_stack_lvl+0x68/0x90\n print_report+0x174/0x4f6\n kasan_report+0xb9/0x190\n __vsock_bind+0x62e/0x730\n vsock_bind+0x97/0xe0\n __sys_bind+0x154/0x1f0\n __x64_sys_bind+0x6e/0xb0\n do_syscall_64+0x93/0x1b0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nAllocated by task 2057:\n kasan_save_stack+0x1e/0x40\n kasan_save_track+0x10/0x30\n __kasan_slab_alloc+0x85/0x90\n kmem_cache_alloc_noprof+0x131/0x450\n sk_prot_alloc+0x5b/0x220\n sk_alloc+0x2c/0x870\n __vsock_create.constprop.0+0x2e/0xb60\n vsock_create+0xe4/0x420\n __sock_create+0x241/0x650\n __sys_socket+0xf2/0x1a0\n __x64_sys_socket+0x6e/0xb0\n do_syscall_64+0x93/0x1b0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nFreed by task 2057:\n kasan_save_stack+0x1e/0x40\n kasan_save_track+0x10/0x30\n kasan_save_free_info+0x37/0x60\n __kasan_slab_free+0x4b/0x70\n kmem_cache_free+0x1a1/0x590\n __sk_destruct+0x388/0x5a0\n __vsock_bind+0x5e1/0x730\n vsock_bind+0x97/0xe0\n __sys_bind+0x154/0x1f0\n __x64_sys_bind+0x6e/0xb0\n do_syscall_64+0x93/0x1b0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150\nRIP: 0010:refcount_warn_saturate+0xce/0x150\n __vsock_bind+0x66d/0x730\n vsock_bind+0x97/0xe0\n __sys_bind+0x154/0x1f0\n __x64_sys_bind+0x6e/0xb0\n do_syscall_64+0x93/0x1b0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150\nRIP: 0010:refcount_warn_saturate+0xee/0x150\n vsock_remove_bound+0x187/0x1e0\n __vsock_release+0x383/0x4a0\n vsock_release+0x90/0x120\n __sock_release+0xa3/0x250\n sock_close+0x14/0x20\n __fput+0x359/0xa80\n task_work_run+0x107/0x1d0\n do_exit+0x847/0x2560\n do_group_exit+0xb8/0x250\n __x64_sys_exit_group+0x3a/0x50\n x64_sys_call+0xfec/0x14f0\n do_syscall_64+0x93/0x1b0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-27T02:18:11.547Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3f43540166128951cc1be7ab1ce6b7f05c670d8b"
        },
        {
          "url": "https://git.kernel.org/stable/c/645ce25aa0e67895b11d89f27bb86c9d444c40f8"
        },
        {
          "url": "https://git.kernel.org/stable/c/b1afd40321f1c243cffbcf40ea7ca41aca87fa5e"
        },
        {
          "url": "https://git.kernel.org/stable/c/fcdd2242c0231032fc84e1404315c245ae56322a"
        }
      ],
      "title": "vsock: Keep the binding until socket destruction",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21756",
    "datePublished": "2025-02-27T02:18:11.547Z",
    "dateReserved": "2024-12-29T08:45:45.760Z",
    "dateUpdated": "2025-02-27T18:22:29.439Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-21756\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-02-27T03:15:16.250\",\"lastModified\":\"2025-02-27T19:15:50.513\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nvsock: Keep the binding until socket destruction\\n\\nPreserve sockets bindings; this includes both resulting from an explicit\\nbind() and those implicitly bound through autobind during connect().\\n\\nPrevents socket unbinding during a transport reassignment, which fixes a\\nuse-after-free:\\n\\n    1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2)\\n    2. transport-\u003erelease() calls vsock_remove_bound() without checking if\\n       sk was bound and moved to bound list (refcnt=1)\\n    3. vsock_bind() assumes sk is in unbound list and before\\n       __vsock_insert_bound(vsock_bound_sockets()) calls\\n       __vsock_remove_bound() which does:\\n           list_del_init(\u0026vsk-\u003ebound_table); // nop\\n           sock_put(\u0026vsk-\u003esk);               // refcnt=0\\n\\nBUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730\\nRead of size 4 at addr ffff88816b46a74c by task a.out/2057\\n dump_stack_lvl+0x68/0x90\\n print_report+0x174/0x4f6\\n kasan_report+0xb9/0x190\\n __vsock_bind+0x62e/0x730\\n vsock_bind+0x97/0xe0\\n __sys_bind+0x154/0x1f0\\n __x64_sys_bind+0x6e/0xb0\\n do_syscall_64+0x93/0x1b0\\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\\n\\nAllocated by task 2057:\\n kasan_save_stack+0x1e/0x40\\n kasan_save_track+0x10/0x30\\n __kasan_slab_alloc+0x85/0x90\\n kmem_cache_alloc_noprof+0x131/0x450\\n sk_prot_alloc+0x5b/0x220\\n sk_alloc+0x2c/0x870\\n __vsock_create.constprop.0+0x2e/0xb60\\n vsock_create+0xe4/0x420\\n __sock_create+0x241/0x650\\n __sys_socket+0xf2/0x1a0\\n __x64_sys_socket+0x6e/0xb0\\n do_syscall_64+0x93/0x1b0\\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\\n\\nFreed by task 2057:\\n kasan_save_stack+0x1e/0x40\\n kasan_save_track+0x10/0x30\\n kasan_save_free_info+0x37/0x60\\n __kasan_slab_free+0x4b/0x70\\n kmem_cache_free+0x1a1/0x590\\n __sk_destruct+0x388/0x5a0\\n __vsock_bind+0x5e1/0x730\\n vsock_bind+0x97/0xe0\\n __sys_bind+0x154/0x1f0\\n __x64_sys_bind+0x6e/0xb0\\n do_syscall_64+0x93/0x1b0\\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\\n\\nrefcount_t: addition on 0; use-after-free.\\nWARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150\\nRIP: 0010:refcount_warn_saturate+0xce/0x150\\n __vsock_bind+0x66d/0x730\\n vsock_bind+0x97/0xe0\\n __sys_bind+0x154/0x1f0\\n __x64_sys_bind+0x6e/0xb0\\n do_syscall_64+0x93/0x1b0\\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\\n\\nrefcount_t: underflow; use-after-free.\\nWARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150\\nRIP: 0010:refcount_warn_saturate+0xee/0x150\\n vsock_remove_bound+0x187/0x1e0\\n __vsock_release+0x383/0x4a0\\n vsock_release+0x90/0x120\\n __sock_release+0xa3/0x250\\n sock_close+0x14/0x20\\n __fput+0x359/0xa80\\n task_work_run+0x107/0x1d0\\n do_exit+0x847/0x2560\\n do_group_exit+0xb8/0x250\\n __x64_sys_exit_group+0x3a/0x50\\n x64_sys_call+0xfec/0x14f0\\n do_syscall_64+0x93/0x1b0\\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/3f43540166128951cc1be7ab1ce6b7f05c670d8b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/645ce25aa0e67895b11d89f27bb86c9d444c40f8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b1afd40321f1c243cffbcf40ea7ca41aca87fa5e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/fcdd2242c0231032fc84e1404315c245ae56322a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.