CVE-2025-21756

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-21756
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21756.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-21756
Downstream
Related
Published
2025-02-27T02:18:11.547Z
Modified
2026-03-12T02:15:44.163672Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
vsock: Keep the binding until socket destruction
Details

In the Linux kernel, the following vulnerability has been resolved:

vsock: Keep the binding until socket destruction

Preserve sockets bindings; this includes both resulting from an explicit bind() and those implicitly bound through autobind during connect().

Prevents socket unbinding during a transport reassignment, which fixes a use-after-free:

1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2)
2. transport->release() calls vsock_remove_bound() without checking if
   sk was bound and moved to bound list (refcnt=1)
3. vsock_bind() assumes sk is in unbound list and before
   __vsock_insert_bound(vsock_bound_sockets()) calls
   __vsock_remove_bound() which does:
       list_del_init(&vsk->bound_table); // nop
       sock_put(&vsk->sk);               // refcnt=0

BUG: KASAN: slab-use-after-free in __vsockbind+0x62e/0x730 Read of size 4 at addr ffff88816b46a74c by task a.out/2057 dumpstack_lvl+0x68/0x90 printreport+0x174/0x4f6 kasanreport+0xb9/0x190 __vsockbind+0x62e/0x730 vsockbind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64sysbind+0x6e/0xb0 dosyscall64+0x93/0x1b0 entrySYSCALL64afterhwframe+0x76/0x7e

Allocated by task 2057: kasansavestack+0x1e/0x40 kasansavetrack+0x10/0x30 __kasanslaballoc+0x85/0x90 kmemcacheallocnoprof+0x131/0x450 skprotalloc+0x5b/0x220 skalloc+0x2c/0x870 __vsockcreate.constprop.0+0x2e/0xb60 vsockcreate+0xe4/0x420 __sock_create+0x241/0x650 __sys_socket+0xf2/0x1a0 __x64syssocket+0x6e/0xb0 dosyscall64+0x93/0x1b0 entrySYSCALL64afterhwframe+0x76/0x7e

Freed by task 2057: kasansavestack+0x1e/0x40 kasansavetrack+0x10/0x30 kasansavefree_info+0x37/0x60 __kasanslabfree+0x4b/0x70 kmemcachefree+0x1a1/0x590 __sk_destruct+0x388/0x5a0 __vsockbind+0x5e1/0x730 vsockbind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64sysbind+0x6e/0xb0 dosyscall64+0x93/0x1b0 entrySYSCALL64afterhwframe+0x76/0x7e

refcountt: addition on 0; use-after-free. WARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcountwarnsaturate+0xce/0x150 RIP: 0010:refcountwarn_saturate+0xce/0x150 __vsockbind+0x66d/0x730 vsockbind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64sysbind+0x6e/0xb0 dosyscall64+0x93/0x1b0 entrySYSCALL64afterhwframe+0x76/0x7e

refcountt: underflow; use-after-free. WARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcountwarnsaturate+0xee/0x150 RIP: 0010:refcountwarnsaturate+0xee/0x150 vsockremove_bound+0x187/0x1e0 __vsockrelease+0x383/0x4a0 vsockrelease+0x90/0x120 __sockrelease+0xa3/0x250 sockclose+0x14/0x20 __fput+0x359/0xa80 taskworkrun+0x107/0x1d0 doexit+0x847/0x2560 dogroup_exit+0xb8/0x250 _x64sysexitgroup+0x3a/0x50 x64syscall+0xfec/0x14f0 dosyscall64+0x93/0x1b0 entrySYSCALL64afterhwframe+0x76/0x7e

Database specific 
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21756.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
c0cfa2d8a788fcf45df5bf4070ab2474c88d543a
Fixed
e7754d564579a5db9c5c9f74228df5d6dd6f1173
Fixed
e48fcb403c2d0e574c19683f09399ab4cf67809c
Fixed
42b33381e5e1f2b967dc4fb4221ddb9aaf10d197
Fixed
3f43540166128951cc1be7ab1ce6b7f05c670d8b
Fixed
645ce25aa0e67895b11d89f27bb86c9d444c40f8
Fixed
b1afd40321f1c243cffbcf40ea7ca41aca87fa5e
Fixed
fcdd2242c0231032fc84e1404315c245ae56322a

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21756.json"