CVE-2025-21669

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-21669
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21669.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-21669
Downstream
Related
Published
2025-01-31T11:25:33.185Z
Modified
2026-05-15T11:53:53.827817346Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
vsock/virtio: discard packets if the transport changes
Details

In the Linux kernel, the following vulnerability has been resolved:

vsock/virtio: discard packets if the transport changes

If the socket has been de-assigned or assigned to another transport, we must discard any packets received because they are not expected and would cause issues when we access vsk->transport.

A possible scenario is described by Hyunwoo Kim in the attached link, where after a first connect() interrupted by a signal, and a second connect() failed, we can find vsk->transport at NULL, leading to a NULL pointer dereference.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21669.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.234
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.177
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.127
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.74
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.11

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21669.json"