NVD

CVE-2025-21756 Detail

Description

In the Linux kernel, the following vulnerability has been resolved: vsock: Keep the binding until socket destruction Preserve sockets bindings; this includes both resulting from an explicit bind() and those implicitly bound through autobind during connect(). Prevents socket unbinding during a transport reassignment, which fixes a use-after-free: 1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2) 2. transport->release() calls vsock_remove_bound() without checking if sk was bound and moved to bound list (refcnt=1) 3. vsock_bind() assumes sk is in unbound list and before __vsock_insert_bound(vsock_bound_sockets()) calls __vsock_remove_bound() which does: list_del_init(&vsk->bound_table); // nop sock_put(&vsk->sk); // refcnt=0 BUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730 Read of size 4 at addr ffff88816b46a74c by task a.out/2057 dump_stack_lvl+0x68/0x90 print_report+0x174/0x4f6 kasan_report+0xb9/0x190 __vsock_bind+0x62e/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Allocated by task 2057: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 __kasan_slab_alloc+0x85/0x90 kmem_cache_alloc_noprof+0x131/0x450 sk_prot_alloc+0x5b/0x220 sk_alloc+0x2c/0x870 __vsock_create.constprop.0+0x2e/0xb60 vsock_create+0xe4/0x420 __sock_create+0x241/0x650 __sys_socket+0xf2/0x1a0 __x64_sys_socket+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 2057: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x60 __kasan_slab_free+0x4b/0x70 kmem_cache_free+0x1a1/0x590 __sk_destruct+0x388/0x5a0 __vsock_bind+0x5e1/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e refcount_t: addition on 0; use-after-free. WARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150 RIP: 0010:refcount_warn_saturate+0xce/0x150 __vsock_bind+0x66d/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e refcount_t: underflow; use-after-free. WARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150 RIP: 0010:refcount_warn_saturate+0xee/0x150 vsock_remove_bound+0x187/0x1e0 __vsock_release+0x383/0x4a0 vsock_release+0x90/0x120 __sock_release+0xa3/0x250 sock_close+0x14/0x20 __fput+0x359/0xa80 task_work_run+0x107/0x1d0 do_exit+0x847/0x2560 do_group_exit+0xb8/0x250 __x64_sys_exit_group+0x3a/0x50 x64_sys_call+0xfec/0x14f0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST: NVD

N/A

NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

ADP: CISA-ADP

Base Score: 7.8 HIGH

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0 Severity and Vector Strings:

National Institute of Standards and Technology

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink	Resource
https://git.kernel.org/stable/c/3f43540166128951cc1be7ab1ce6b7f05c670d8b	Patch
https://git.kernel.org/stable/c/42b33381e5e1f2b967dc4fb4221ddb9aaf10d197	Patch
https://git.kernel.org/stable/c/645ce25aa0e67895b11d89f27bb86c9d444c40f8	Patch
https://git.kernel.org/stable/c/b1afd40321f1c243cffbcf40ea7ca41aca87fa5e	Patch
https://git.kernel.org/stable/c/e48fcb403c2d0e574c19683f09399ab4cf67809c	Patch
https://git.kernel.org/stable/c/e7754d564579a5db9c5c9f74228df5d6dd6f1173	Patch
https://git.kernel.org/stable/c/fcdd2242c0231032fc84e1404315c245ae56322a	Patch

Weakness Enumeration

CWE-ID	CWE Name	Source
CWE-416	Use After Free	CISA-ADP

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

4 change records found show changes

Initial Analysis by NIST 3/24/2025 1:32:35 PM

Action	Type	New Value
Added	CPE Configuration	Record truncated, showing 500 of 677 characters. View Entire Change Record OR cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 6.13 up to (excluding) 6.13.4 cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 6.2 up to (excluding) 6.6.79 cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 6.7 up to (excluding) 6.12.16 cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 5.11 up to (excluding) 5.15.179 cpe:2.3:o:linux:linux_kernel::::*:
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/3f43540166128951cc1be7ab1ce6b7f05c670d8b Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/42b33381e5e1f2b967dc4fb4221ddb9aaf10d197 Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/645ce25aa0e67895b11d89f27bb86c9d444c40f8 Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/b1afd40321f1c243cffbcf40ea7ca41aca87fa5e Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/e48fcb403c2d0e574c19683f09399ab4cf67809c Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/e7754d564579a5db9c5c9f74228df5d6dd6f1173 Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/fcdd2242c0231032fc84e1404315c245ae56322a Types: Patch

New CVE Received from kernel.org 2/26/2025 10:15:16 PM

Action	Type	New Value
Added	Description	Record truncated, showing 500 of 2811 characters. View Entire Change Record In the Linux kernel, the following vulnerability has been resolved: vsock: Keep the binding until socket destruction Preserve sockets bindings; this includes both resulting from an explicit bind() and those implicitly bound through autobind during connect(). Prevents socket unbinding during a transport reassignment, which fixes a use-after-free: 1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2) 2. transport->release() calls vsock_remove_bound() without checking if
Added	Reference	https://git.kernel.org/stable/c/3f43540166128951cc1be7ab1ce6b7f05c670d8b
Added	Reference	https://git.kernel.org/stable/c/645ce25aa0e67895b11d89f27bb86c9d444c40f8
Added	Reference	https://git.kernel.org/stable/c/b1afd40321f1c243cffbcf40ea7ca41aca87fa5e
Added	Reference	https://git.kernel.org/stable/c/fcdd2242c0231032fc84e1404315c245ae56322a

Quick Info

CVE Dictionary Entry:
CVE-2025-21756
NVD Published Date:
02/26/2025
NVD Last Modified:
03/24/2025
Source:
kernel.org

You are viewing this page in an unauthorized frame window.

Information Technology Laboratory

National Vulnerability Database

National Vulnerability Database

CVE-2025-21756 Detail

Description

Metrics

References to Advisories, Solutions, and Tools

Weakness Enumeration

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Change History

Initial Analysis by NIST 3/24/2025 1:32:35 PM

CVE Modified by kernel.org 3/13/2025 9:15:52 AM

CVE Modified by CISA-ADP 2/27/2025 2:15:50 PM

New CVE Received from kernel.org 2/26/2025 10:15:16 PM

Quick Info