AZL-66593

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-66593.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-66593

Upstream

CVE-2025-38618

Published

2025-08-22T14:15:46Z

Modified

2026-04-01T05:21:00.465737Z

Summary

CVE-2025-38618 affecting package kernel for versions less than 6.6.104.2-1

Details

In the Linux kernel, the following vulnerability has been resolved:

vsock: Do not allow binding to VMADDRPORTANY

It is possible for a vsock to autobind to VMADDRPORTANY. This can cause a use-after-free when a connection is made to the bound socket. The socket returned by accept() also has port VMADDRPORTANY but is not on the list of unbound sockets. Binding it will result in an extra refcount decrement similar to the one fixed in fcdd2242c023 (vsock: Keep the binding until socket destruction).

Modify the check in __vsockbindconnectible() to also prevent binding to VMADDRPORTANY.

References

https://nvd.nist.gov/vuln/detail/CVE-2025-38618

Affected packages

Azure Linux:3 / kernel

Package

Name: kernel
Purl: pkg:rpm/azure-linux/kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.6.104.2-1

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-66593.json"