CVE-2025-21756

Source
https://cve.org/CVERecord?id=CVE-2025-21756
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21756.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-21756
Published
2025-02-27T02:18:11.547Z
Modified
2026-05-15T11:53:12.175401911Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
vsock: Keep the binding until socket destruction
Details

In the Linux kernel, the following vulnerability has been resolved:

vsock: Keep the binding until socket destruction

Preserve socket bindings; this includes both those resulting from an explicit bind() and those implicitly bound through autobind during connect().

Prevents socket unbinding during a transport reassignment, which fixes a use-after-free:

1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2)
2. transport->release() calls vsock_remove_bound() without checking if
   sk was bound and moved to bound list (refcnt=1)
3. vsock_bind() assumes sk is in unbound list and before
   __vsock_insert_bound(vsock_bound_sockets()) calls
   __vsock_remove_bound() which does:
       list_del_init(&vsk->bound_table); // nop
       sock_put(&vsk->sk);               // refcnt=0

BUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730
Read of size 4 at addr ffff88816b46a74c by task a.out/2057
 dump_stack_lvl+0x68/0x90
 print_report+0x174/0x4f6
 kasan_report+0xb9/0x190
 __vsock_bind+0x62e/0x730
 vsock_bind+0x97/0xe0
 __sys_bind+0x154/0x1f0
 __x64_sys_bind+0x6e/0xb0
 do_syscall_64+0x93/0x1b0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Allocated by task 2057:
 kasan_save_stack+0x1e/0x40
 kasan_save_track+0x10/0x30
 __kasan_slab_alloc+0x85/0x90
 kmem_cache_alloc_noprof+0x131/0x450
 sk_prot_alloc+0x5b/0x220
 sk_alloc+0x2c/0x870
 __vsock_create.constprop.0+0x2e/0xb60
 vsock_create+0xe4/0x420
 __sock_create+0x241/0x650
 __sys_socket+0xf2/0x1a0
 __x64_sys_socket+0x6e/0xb0
 do_syscall_64+0x93/0x1b0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Freed by task 2057:
 kasan_save_stack+0x1e/0x40
 kasan_save_track+0x10/0x30
 kasan_save_free_info+0x37/0x60
 __kasan_slab_free+0x4b/0x70
 kmem_cache_free+0x1a1/0x590
 __sk_destruct+0x388/0x5a0
 __vsock_bind+0x5e1/0x730
 vsock_bind+0x97/0xe0
 __sys_bind+0x154/0x1f0
 __x64_sys_bind+0x6e/0xb0
 do_syscall_64+0x93/0x1b0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

refcount_t: addition on 0; use-after-free.
WARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150
RIP: 0010:refcount_warn_saturate+0xce/0x150
 __vsock_bind+0x66d/0x730
 vsock_bind+0x97/0xe0
 __sys_bind+0x154/0x1f0
 __x64_sys_bind+0x6e/0xb0
 do_syscall_64+0x93/0x1b0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

refcount_t: underflow; use-after-free.
WARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150
RIP: 0010:refcount_warn_saturate+0xee/0x150
 vsock_remove_bound+0x187/0x1e0
 __vsock_release+0x383/0x4a0
 vsock_release+0x90/0x120
 __sock_release+0xa3/0x250
 sock_close+0x14/0x20
 __fput+0x359/0xa80
 task_work_run+0x107/0x1d0
 do_exit+0x847/0x2560
 do_group_exit+0xb8/0x250
 __x64_sys_exit_group+0x3a/0x50
 x64_sys_call+0xfec/0x14f0
 do_syscall_64+0x93/0x1b0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21756.json"
}
Affected packages

Linux / Kernel

Package

Name
Kernel

Affected ranges (Type: ECOSYSTEM)

  • Introduced 5.5.0   Fixed 5.10.235
  • Introduced 5.11.0  Fixed 5.15.179
  • Introduced 5.16.0  Fixed 6.1.131
  • Introduced 6.2.0   Fixed 6.6.79
  • Introduced 6.7.0   Fixed 6.12.16
  • Introduced 6.13.0  Fixed 6.13.4

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21756.json"