CVE-2025-21670

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-21670
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21670.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-21670
Downstream
Related
Published
2025-01-31T11:25:33Z
Modified
2025-10-17T21:02:41.707486Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
vsock/bpf: return early if transport is not assigned
Details

In the Linux kernel, the following vulnerability has been resolved:

vsock/bpf: return early if transport is not assigned

Some of the core functions can only be called if the transport has been assigned.

As Michal reported, a socket might have the transport at NULL, for example after a failed connect(), causing the following trace:

BUG: kernel NULL pointer dereference, address: 00000000000000a0
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 12faf8067 P4D 12faf8067 PUD 113670067 PMD 0
Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 15 UID: 0 PID: 1198 Comm: a.out Not tainted 6.13.0-rc2+
RIP: 0010:vsock_connectible_has_data+0x1f/0x40
Call Trace:
 vsock_bpf_recvmsg+0xca/0x5e0
 sock_recvmsg+0xb9/0xc0
 __sys_recvfrom+0xb3/0x130
 __x64_sys_recvfrom+0x20/0x30
 do_syscall_64+0x93/0x180
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

So we need to check the vsk->transport in vsockbpfrecvmsg(), especially for connected sockets (stream/seqpacket) as we already do in _vsockconnectible_recvmsg().

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
634f1a7110b439c65fd8a809171c1d2d28bcea6f
Fixed
58e586c30d0b6f5dc0174a41026f2b0a48c9aab6
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
634f1a7110b439c65fd8a809171c1d2d28bcea6f
Fixed
6771e1279dadf1d92a72e1465134257d9e6f2459
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
634f1a7110b439c65fd8a809171c1d2d28bcea6f
Fixed
f6abafcd32f9cfc4b1a2f820ecea70773e26d423

Affected versions

v6.*

v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.2
v6.12.3
v6.12.4
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.28
v6.6.29
v6.6.3
v6.6.30
v6.6.31
v6.6.32
v6.6.33
v6.6.34
v6.6.35
v6.6.36
v6.6.37
v6.6.38
v6.6.39
v6.6.4
v6.6.40
v6.6.41
v6.6.42
v6.6.43
v6.6.44
v6.6.45
v6.6.46
v6.6.47
v6.6.48
v6.6.49
v6.6.5
v6.6.50
v6.6.51
v6.6.52
v6.6.53
v6.6.54
v6.6.55
v6.6.56
v6.6.57
v6.6.58
v6.6.59
v6.6.6
v6.6.60
v6.6.61
v6.6.62
v6.6.63
v6.6.64
v6.6.65
v6.6.66
v6.6.67
v6.6.68
v6.6.69
v6.6.7
v6.6.70
v6.6.71
v6.6.72
v6.6.73
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Database specific

vanir_signatures

[
    {
        "digest": {
            "line_hashes": [
                "165088970496734108022404490426936268430",
                "105347590334646371546235906797881658886",
                "153629928676698392498144567693182155602",
                "147034645154321740165290866314761591992",
                "94323720629531888120373540181710988731",
                "236837575350864021139719219080161309168",
                "329856614387761279214477844615353691184",
                "245196746938428344631657763203981564365",
                "115609052297124719002522140724079058374",
                "70607434768863039685560575635366767020",
                "128040134861722504695419330244244801023"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2025-21670-44ef4e48",
        "target": {
            "file": "net/vmw_vsock/vsock_bpf.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@58e586c30d0b6f5dc0174a41026f2b0a48c9aab6",
        "signature_version": "v1",
        "signature_type": "Line",
        "deprecated": false
    },
    {
        "digest": {
            "line_hashes": [
                "165088970496734108022404490426936268430",
                "105347590334646371546235906797881658886",
                "153629928676698392498144567693182155602",
                "147034645154321740165290866314761591992",
                "94323720629531888120373540181710988731",
                "236837575350864021139719219080161309168",
                "329856614387761279214477844615353691184",
                "245196746938428344631657763203981564365",
                "115609052297124719002522140724079058374",
                "70607434768863039685560575635366767020",
                "128040134861722504695419330244244801023"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2025-21670-58de2507",
        "target": {
            "file": "net/vmw_vsock/vsock_bpf.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f6abafcd32f9cfc4b1a2f820ecea70773e26d423",
        "signature_version": "v1",
        "signature_type": "Line",
        "deprecated": false
    },
    {
        "digest": {
            "line_hashes": [
                "165088970496734108022404490426936268430",
                "105347590334646371546235906797881658886",
                "153629928676698392498144567693182155602",
                "147034645154321740165290866314761591992",
                "94323720629531888120373540181710988731",
                "236837575350864021139719219080161309168",
                "329856614387761279214477844615353691184",
                "245196746938428344631657763203981564365",
                "115609052297124719002522140724079058374",
                "70607434768863039685560575635366767020",
                "128040134861722504695419330244244801023"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2025-21670-5bf603f3",
        "target": {
            "file": "net/vmw_vsock/vsock_bpf.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6771e1279dadf1d92a72e1465134257d9e6f2459",
        "signature_version": "v1",
        "signature_type": "Line",
        "deprecated": false
    },
    {
        "digest": {
            "function_hash": "308906523999320238095720730434849908870",
            "length": 862.0
        },
        "id": "CVE-2025-21670-99c9f9d3",
        "target": {
            "file": "net/vmw_vsock/vsock_bpf.c",
            "function": "vsock_bpf_recvmsg"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6771e1279dadf1d92a72e1465134257d9e6f2459",
        "signature_version": "v1",
        "signature_type": "Function",
        "deprecated": false
    },
    {
        "digest": {
            "function_hash": "308906523999320238095720730434849908870",
            "length": 862.0
        },
        "id": "CVE-2025-21670-d477cf76",
        "target": {
            "file": "net/vmw_vsock/vsock_bpf.c",
            "function": "vsock_bpf_recvmsg"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f6abafcd32f9cfc4b1a2f820ecea70773e26d423",
        "signature_version": "v1",
        "signature_type": "Function",
        "deprecated": false
    },
    {
        "digest": {
            "function_hash": "308906523999320238095720730434849908870",
            "length": 862.0
        },
        "id": "CVE-2025-21670-f79584bc",
        "target": {
            "file": "net/vmw_vsock/vsock_bpf.c",
            "function": "vsock_bpf_recvmsg"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@58e586c30d0b6f5dc0174a41026f2b0a48c9aab6",
        "signature_version": "v1",
        "signature_type": "Function",
        "deprecated": false
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.4.0
Fixed
6.6.74
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.11