Bug 2348609 (CVE-2025-21756)

Summary:	CVE-2025-21756 kernel: vsock: Keep the binding until socket destruction
Product:	[Other] Security Response	Reporter:	OSIDB Bzimport <bzimport>
Component:	vulnerability	Assignee:	Product Security DevOps Team <prodsec-dev>
Status:	NEW ---	QA Contact:
Severity:	high	Docs Contact:
Priority:	high
Version:	unspecified	CC:	dfreiber, drow, jburrell, michael.h.hall-1, vkumar
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the Linux kernel's virtual socket protocol network driver, where an improperly timed socket unbinding could result in a use-after-free issue. This flaw allows an attacker who can create and destroy arbitrary connections on virtual connections to read or modify system memory, potentially leading to an escalation of privileges or the compromise of sensitive data.	Story Points:	---
Clone Of:		Environment:
Last Closed:		Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-02-27 03:04:59 UTC

In the Linux kernel, the following vulnerability has been resolved:

vsock: Keep the binding until socket destruction

Preserve sockets bindings; this includes both resulting from an explicit
bind() and those implicitly bound through autobind during connect().

Prevents socket unbinding during a transport reassignment, which fixes a
use-after-free:

    1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2)
    2. transport->release() calls vsock_remove_bound() without checking if
       sk was bound and moved to bound list (refcnt=1)
    3. vsock_bind() assumes sk is in unbound list and before
       __vsock_insert_bound(vsock_bound_sockets()) calls
       __vsock_remove_bound() which does:
           list_del_init(&vsk->bound_table); // nop
           sock_put(&vsk->sk);               // refcnt=0

BUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730
Read of size 4 at addr ffff88816b46a74c by task a.out/2057
 dump_stack_lvl+0x68/0x90
 print_report+0x174/0x4f6
 kasan_report+0xb9/0x190
 __vsock_bind+0x62e/0x730
 vsock_bind+0x97/0xe0
 __sys_bind+0x154/0x1f0
 __x64_sys_bind+0x6e/0xb0
 do_syscall_64+0x93/0x1b0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Allocated by task 2057:
 kasan_save_stack+0x1e/0x40
 kasan_save_track+0x10/0x30
 __kasan_slab_alloc+0x85/0x90
 kmem_cache_alloc_noprof+0x131/0x450
 sk_prot_alloc+0x5b/0x220
 sk_alloc+0x2c/0x870
 __vsock_create.constprop.0+0x2e/0xb60
 vsock_create+0xe4/0x420
 __sock_create+0x241/0x650
 __sys_socket+0xf2/0x1a0
 __x64_sys_socket+0x6e/0xb0
 do_syscall_64+0x93/0x1b0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Freed by task 2057:
 kasan_save_stack+0x1e/0x40
 kasan_save_track+0x10/0x30
 kasan_save_free_info+0x37/0x60
 __kasan_slab_free+0x4b/0x70
 kmem_cache_free+0x1a1/0x590
 __sk_destruct+0x388/0x5a0
 __vsock_bind+0x5e1/0x730
 vsock_bind+0x97/0xe0
 __sys_bind+0x154/0x1f0
 __x64_sys_bind+0x6e/0xb0
 do_syscall_64+0x93/0x1b0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

refcount_t: addition on 0; use-after-free.
WARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150
RIP: 0010:refcount_warn_saturate+0xce/0x150
 __vsock_bind+0x66d/0x730
 vsock_bind+0x97/0xe0
 __sys_bind+0x154/0x1f0
 __x64_sys_bind+0x6e/0xb0
 do_syscall_64+0x93/0x1b0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

refcount_t: underflow; use-after-free.
WARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150
RIP: 0010:refcount_warn_saturate+0xee/0x150
 vsock_remove_bound+0x187/0x1e0
 __vsock_release+0x383/0x4a0
 vsock_release+0x90/0x120
 __sock_release+0xa3/0x250
 sock_close+0x14/0x20
 __fput+0x359/0xa80
 task_work_run+0x107/0x1d0
 do_exit+0x847/0x2560
 do_group_exit+0xb8/0x250
 __x64_sys_exit_group+0x3a/0x50
 x64_sys_call+0xfec/0x14f0
 do_syscall_64+0x93/0x1b0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Comment 1 Michal Findra 2025-02-27 19:25:21 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025022603-CVE-2025-21756-5e09@gregkh/T

Comment 3 errata-xmlrpc 2025-05-15 07:24:34 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2025:7652 https://access.redhat.com/errata/RHSA-2025:7652

Comment 4 errata-xmlrpc 2025-05-15 13:17:52 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2025:7676 https://access.redhat.com/errata/RHSA-2025:7676

Comment 5 errata-xmlrpc 2025-05-15 17:14:05 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2025:7682 https://access.redhat.com/errata/RHSA-2025:7682

Comment 6 errata-xmlrpc 2025-05-15 18:18:26 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2025:7683 https://access.redhat.com/errata/RHSA-2025:7683

Comment 7 errata-xmlrpc 2025-05-19 01:36:34 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:7896 https://access.redhat.com/errata/RHSA-2025:7896

Comment 8 errata-xmlrpc 2025-05-19 01:46:52 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2025:7902 https://access.redhat.com/errata/RHSA-2025:7902

Comment 9 errata-xmlrpc 2025-05-19 01:50:02 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2025:7901 https://access.redhat.com/errata/RHSA-2025:7901

Comment 10 errata-xmlrpc 2025-05-19 01:50:30 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:7897 https://access.redhat.com/errata/RHSA-2025:7897

Comment 11 errata-xmlrpc 2025-05-19 03:26:21 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:7903 https://access.redhat.com/errata/RHSA-2025:7903

Comment 12 errata-xmlrpc 2025-05-21 00:55:27 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:8056 https://access.redhat.com/errata/RHSA-2025:8056

Comment 13 errata-xmlrpc 2025-05-21 01:15:33 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:8057 https://access.redhat.com/errata/RHSA-2025:8057

Comment 15 errata-xmlrpc 2025-05-21 05:06:37 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:8058 https://access.redhat.com/errata/RHSA-2025:8058

Comment 16 errata-xmlrpc 2025-05-26 10:31:32 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:8137 https://access.redhat.com/errata/RHSA-2025:8137

Comment 17 errata-xmlrpc 2025-05-28 03:21:48 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:8248 https://access.redhat.com/errata/RHSA-2025:8248

Comment 18 errata-xmlrpc 2025-06-02 02:07:26 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:8342 https://access.redhat.com/errata/RHSA-2025:8342

Comment 19 errata-xmlrpc 2025-06-02 02:09:17 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:8344 https://access.redhat.com/errata/RHSA-2025:8344

Comment 20 errata-xmlrpc 2025-06-02 02:31:53 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2025:8346 https://access.redhat.com/errata/RHSA-2025:8346

Comment 21 errata-xmlrpc 2025-06-02 02:32:03 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2025:8343 https://access.redhat.com/errata/RHSA-2025:8343

Comment 22 errata-xmlrpc 2025-06-02 02:32:34 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:8345 https://access.redhat.com/errata/RHSA-2025:8345

Comment 23 errata-xmlrpc 2025-06-02 03:03:21 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2025:8348 https://access.redhat.com/errata/RHSA-2025:8348

Comment 24 errata-xmlrpc 2025-06-02 03:13:37 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions

Via RHSA-2025:8347 https://access.redhat.com/errata/RHSA-2025:8347