vsock: Use-after-free in Linux kernel vsock (CVE-2025-21756)

Summary

CVE-2025-21756 is a high-severity memory corruption flaw in the Linux kernel vsock subsystem. A use-after-free condition during socket bind and transport release operations could be triggered by a local attacker, leading to potential denial of service or privilege escalation. The issue was publicly disclosed in February 2025 and resolved in kernel 6.14 and later.

Product details

Affected are mainline Linux kernels from commit c0cfa2d8a (merged in 5.5) up to, but not including, the fix, together with the 5.10, 5.15, 6.1, 6.6, 6.12 and 6.13 stable trees before the backported fix landed. Distributions shipping kernels earlier than 6.14 without that backport are vulnerable. The fix is included in the official 6.14 release and in recent stable updates.

Vulnerability type summary

This is a use-after-free caused by improper management of socket reference counts in the vsock implementation. The kernel fails to preserve the binding state across a transport reassignment, so the socket is unbound once too often: the extra reference drop releases the object prematurely, after which the refcount underflows and memory is corrupted. KASAN builds report it as a slab use-after-free.

Details of the vulnerability

When a vsock is created (refcount 1) it is placed on the unbound list and its reference count is incremented to 2. During a transport release, the code calls vsock_remove_bound without checking whether the socket had already been bound and moved to the bound list; this removes it from the unbound list and drops the refcount to 1. A subsequent vsock_bind invocation assumes the socket is still on the unbound list and calls __vsock_remove_bound again: its list_del_init is a no-op because the socket is on no list, but its sock_put drops the refcount to 0 and frees the socket object, which __vsock_bind then continues to use. Under KASAN this is flagged as a slab use-after-free, followed by refcount warnings ("addition on 0" and "underflow"); in production builds it could corrupt memory, crash the system, or be leveraged for local privilege escalation.
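The sequence above, modelled in userland as an added example (this is not kernel code: the struct, the list enum and the helper names are constructed simplifications of the kernel's vsock_sock, its bound/unbound lists and the vsock_*bound helpers). Each list entry holds one reference; the vulnerable release path unbinds the socket, while the fixed path keeps the binding until destruction, so the later bind no longer drops the last reference.

```c
#include <stdbool.h>

/* Toy model of the vsock lifetime in CVE-2025-21756 (constructed for this
 * page, not the kernel's data structures): a socket carries a refcount and
 * sits on at most one list. Each list entry holds one reference. */
enum on_list { NONE, UNBOUND, BOUND };
struct vsk { int refcnt; enum on_list list; bool freed; };

/* sock_put(): drop one reference; the object is freed when it hits zero.
 * Dropping a reference on an already freed object is the use-after-free. */
static void sock_put(struct vsk *s) {
    if (s->freed) return;
    if (--s->refcnt == 0) s->freed = true;
}

/* Stands in for __vsock_remove_bound(): list_del_init (a no-op when the
 * socket is on no list) followed by an unconditional sock_put(). */
static void remove_bound_unchecked(struct vsk *s) {
    s->list = NONE;
    sock_put(s);
}

/* vsock_create() + vsock_insert_unbound(): refcnt 1, then 2 */
static void vsock_create(struct vsk *s) {
    s->refcnt = 1; s->freed = false;
    s->list = UNBOUND; s->refcnt++;
}

/* transport->release(). Vulnerable: the socket is on a list, so the
 * "in a list" check passes and the list reference is dropped (2 -> 1).
 * Fixed: the binding is kept until the socket is destroyed. */
static void transport_release(struct vsk *s, bool fixed) {
    if (!fixed && s->list != NONE) remove_bound_unchecked(s);
}

/* vsock_bind(): assumes the socket is still on the unbound list and moves
 * it to the bound list. Returns false if the socket was freed underneath. */
static bool vsock_bind(struct vsk *s) {
    remove_bound_unchecked(s);       /* vulnerable path: 1 -> 0, freed */
    if (s->freed) return false;      /* the kernel would now touch freed memory */
    s->list = BOUND; s->refcnt++;
    return true;
}

/* Run create -> transport release -> bind; final refcnt, or -1 on UAF */
int run_sequence(bool fixed) {
    struct vsk s;
    vsock_create(&s);
    transport_release(&s, fixed);
    return vsock_bind(&s) ? s.refcnt : -1;
}
```
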

Conclusion

Administrators should upgrade to Linux kernel 6.14 or apply the backported patches in their stable branch. Containers or workloads relying on vsock (e.g., virtualization, VM guest/host communication) should be prioritized. Regularly tracking distribution security advisories and maintaining patched kernels will mitigate this and similar memory-safety flaws.
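A version check for the upgrade step, added here as an example and not part of the original page or the CVE record; the first fixed point release per stable branch is taken from the record's affected-versions table, and the uname() call assumes a Linux host.

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/utsname.h>

/* Stable branches that received the backport and the first fixed release on
 * each, per the CVE record. Branches not listed (e.g. 6.5) got no backport. */
struct fixed_branch { int major, minor, patch; };
static const struct fixed_branch fixed[] = {
    {5, 10, 235}, {5, 15, 179}, {6, 1, 131}, {6, 6, 79}, {6, 12, 16}, {6, 13, 4},
};

/* Returns 1 if a release string such as "6.6.78-generic" falls in the
 * affected range, 0 if not, -1 if it cannot be parsed. Distro kernels often
 * backport fixes without bumping the upstream version, so a 1 means "check
 * the vendor advisory", not proof of exposure. */
int kernel_affected(const char *release) {
    int major, minor, patch = 0;
    int n = sscanf(release, "%d.%d.%d", &major, &minor, &patch);
    if (n < 2) return -1;
    /* before 5.5 the vulnerable code was not present */
    if (major < 5 || (major == 5 && minor < 5)) return 0;
    /* 6.14 and later carry the mainline fix */
    if (major > 6 || (major == 6 && minor >= 14)) return 0;
    /* patched stable branches: fixed from the listed point release onward */
    for (size_t i = 0; i < sizeof(fixed) / sizeof(fixed[0]); i++)
        if (fixed[i].major == major && fixed[i].minor == minor)
            return patch < fixed[i].patch ? 1 : 0;
    return 1;   /* 5.5 <= version < 6.14 on a branch with no backport */
}

int main(void) {
    struct utsname u;
    if (uname(&u) != 0) { perror("uname"); return 2; }
    int r = kernel_affected(u.release);
    printf("%s: %s\n", u.release,
           r == 1 ? "in affected range (verify distro backports)" :
           r == 0 ? "not affected" : "unparseable release string");
    return r == 1;
}
```
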

CVE database technical details

CVE ID
CVE-2025-21756
Description
In the Linux kernel, the following vulnerability has been resolved:

vsock: Keep the binding until socket destruction

Preserve sockets bindings; this includes both resulting from an explicit bind() and those implicitly bound through autobind during connect().

Prevents socket unbinding during a transport reassignment, which fixes a use-after-free:

1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2)
2. transport->release() calls vsock_remove_bound() without checking if sk was bound and moved to bound list (refcnt=1)
3. vsock_bind() assumes sk is in unbound list and before __vsock_insert_bound(vsock_bound_sockets()) calls __vsock_remove_bound() which does:
     list_del_init(&vsk->bound_table); // nop
     sock_put(&vsk->sk);               // refcnt=0

BUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730
Read of size 4 at addr ffff88816b46a74c by task a.out/2057
 dump_stack_lvl+0x68/0x90
 print_report+0x174/0x4f6
 kasan_report+0xb9/0x190
 __vsock_bind+0x62e/0x730
 vsock_bind+0x97/0xe0
 __sys_bind+0x154/0x1f0
 __x64_sys_bind+0x6e/0xb0
 do_syscall_64+0x93/0x1b0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Allocated by task 2057:
 kasan_save_stack+0x1e/0x40
 kasan_save_track+0x10/0x30
 __kasan_slab_alloc+0x85/0x90
 kmem_cache_alloc_noprof+0x131/0x450
 sk_prot_alloc+0x5b/0x220
 sk_alloc+0x2c/0x870
 __vsock_create.constprop.0+0x2e/0xb60
 vsock_create+0xe4/0x420
 __sock_create+0x241/0x650
 __sys_socket+0xf2/0x1a0
 __x64_sys_socket+0x6e/0xb0
 do_syscall_64+0x93/0x1b0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Freed by task 2057:
 kasan_save_stack+0x1e/0x40
 kasan_save_track+0x10/0x30
 kasan_save_free_info+0x37/0x60
 __kasan_slab_free+0x4b/0x70
 kmem_cache_free+0x1a1/0x590
 __sk_destruct+0x388/0x5a0
 __vsock_bind+0x5e1/0x730
 vsock_bind+0x97/0xe0
 __sys_bind+0x154/0x1f0
 __x64_sys_bind+0x6e/0xb0
 do_syscall_64+0x93/0x1b0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

refcount_t: addition on 0; use-after-free.
WARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150
RIP: 0010:refcount_warn_saturate+0xce/0x150
 __vsock_bind+0x66d/0x730
 vsock_bind+0x97/0xe0
 __sys_bind+0x154/0x1f0
 __x64_sys_bind+0x6e/0xb0
 do_syscall_64+0x93/0x1b0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

refcount_t: underflow; use-after-free.
WARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150
RIP: 0010:refcount_warn_saturate+0xee/0x150
 vsock_remove_bound+0x187/0x1e0
 __vsock_release+0x383/0x4a0
 vsock_release+0x90/0x120
 __sock_release+0xa3/0x250
 sock_close+0x14/0x20
 __fput+0x359/0xa80
 task_work_run+0x107/0x1d0
 do_exit+0x847/0x2560
 do_group_exit+0xb8/0x250
 __x64_sys_exit_group+0x3a/0x50
 x64_sys_call+0xfec/0x14f0
 do_syscall_64+0x93/0x1b0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
Provider
Linux
CWE / problem types
Affected Software Versions
Linux (git ranges): affected from commit c0cfa2d8a788fcf45df5bf4070ab2474c88d543a up to, but not including, each of these fix commits:
  e7754d564579a5db9c5c9f74228df5d6dd6f1173
  e48fcb403c2d0e574c19683f09399ab4cf67809c
  42b33381e5e1f2b967dc4fb4221ddb9aaf10d197
  3f43540166128951cc1be7ab1ce6b7f05c670d8b
  645ce25aa0e67895b11d89f27bb86c9d444c40f8
  b1afd40321f1c243cffbcf40ea7ca41aca87fa5e
  fcdd2242c0231032fc84e1404315c245ae56322a
Linux (release versions):
  affected:   5.5 and later
  unaffected: before 5.5
  unaffected: 5.10.235 and later in the 5.10.* series
  unaffected: 5.15.179 and later in the 5.15.* series
  unaffected: 6.1.131 and later in the 6.1.* series
  unaffected: 6.6.79 and later in the 6.6.* series
  unaffected: 6.12.16 and later in the 6.12.* series
  unaffected: 6.13.4 and later in the 6.13.* series
  unaffected: 6.14 and later (original commit for fix)
Date Published
2025-02-27T02:18:11.547Z
Last Updated
2025-05-04T07:20:28.873Z