Bug 2348609 (CVE-2025-21756) - CVE-2025-21756 kernel: vsock: Keep the binding until socket destruction
Summary: CVE-2025-21756 kernel: vsock: Keep the binding until socket destruction
Keywords:
Status: NEW
Alias: CVE-2025-21756
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2025-02-27 03:04 UTC by OSIDB Bzimport
Modified: 2025-05-21 08:33 UTC
CC List: 5 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHBA-2025:8061  0        None      None    None     2025-05-21 07:07:56 UTC
Red Hat Product Errata  RHBA-2025:8067  0        None      None    None     2025-05-21 08:33:15 UTC
Red Hat Product Errata  RHSA-2025:7652  0        None      None    None     2025-05-15 07:24:36 UTC
Red Hat Product Errata  RHSA-2025:7676  0        None      None    None     2025-05-15 13:17:53 UTC
Red Hat Product Errata  RHSA-2025:7682  0        None      None    None     2025-05-15 17:14:06 UTC
Red Hat Product Errata  RHSA-2025:7683  0        None      None    None     2025-05-15 18:18:27 UTC
Red Hat Product Errata  RHSA-2025:7896  0        None      None    None     2025-05-19 01:36:35 UTC
Red Hat Product Errata  RHSA-2025:7897  0        None      None    None     2025-05-19 01:50:32 UTC
Red Hat Product Errata  RHSA-2025:7901  0        None      None    None     2025-05-19 01:50:04 UTC
Red Hat Product Errata  RHSA-2025:7902  0        None      None    None     2025-05-19 01:46:53 UTC
Red Hat Product Errata  RHSA-2025:7903  0        None      None    None     2025-05-19 03:26:22 UTC
Red Hat Product Errata  RHSA-2025:8056  0        None      None    None     2025-05-21 00:55:28 UTC
Red Hat Product Errata  RHSA-2025:8057  0        None      None    None     2025-05-21 01:15:35 UTC
Red Hat Product Errata  RHSA-2025:8058  0        None      None    None     2025-05-21 05:06:38 UTC

Description OSIDB Bzimport 2025-02-27 03:04:59 UTC
In the Linux kernel, the following vulnerability has been resolved:

vsock: Keep the binding until socket destruction

Preserve sockets bindings; this includes both resulting from an explicit
bind() and those implicitly bound through autobind during connect().

Prevents socket unbinding during a transport reassignment, which fixes a
use-after-free:

    1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2)
    2. transport->release() calls vsock_remove_bound() without checking if
       sk was bound and moved to bound list (refcnt=1)
    3. vsock_bind() assumes sk is in unbound list and before
       __vsock_insert_bound(vsock_bound_sockets()) calls
       __vsock_remove_bound() which does:
           list_del_init(&vsk->bound_table); // nop
           sock_put(&vsk->sk);               // refcnt=0

BUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730
Read of size 4 at addr ffff88816b46a74c by task a.out/2057
 dump_stack_lvl+0x68/0x90
 print_report+0x174/0x4f6
 kasan_report+0xb9/0x190
 __vsock_bind+0x62e/0x730
 vsock_bind+0x97/0xe0
 __sys_bind+0x154/0x1f0
 __x64_sys_bind+0x6e/0xb0
 do_syscall_64+0x93/0x1b0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Allocated by task 2057:
 kasan_save_stack+0x1e/0x40
 kasan_save_track+0x10/0x30
 __kasan_slab_alloc+0x85/0x90
 kmem_cache_alloc_noprof+0x131/0x450
 sk_prot_alloc+0x5b/0x220
 sk_alloc+0x2c/0x870
 __vsock_create.constprop.0+0x2e/0xb60
 vsock_create+0xe4/0x420
 __sock_create+0x241/0x650
 __sys_socket+0xf2/0x1a0
 __x64_sys_socket+0x6e/0xb0
 do_syscall_64+0x93/0x1b0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Freed by task 2057:
 kasan_save_stack+0x1e/0x40
 kasan_save_track+0x10/0x30
 kasan_save_free_info+0x37/0x60
 __kasan_slab_free+0x4b/0x70
 kmem_cache_free+0x1a1/0x590
 __sk_destruct+0x388/0x5a0
 __vsock_bind+0x5e1/0x730
 vsock_bind+0x97/0xe0
 __sys_bind+0x154/0x1f0
 __x64_sys_bind+0x6e/0xb0
 do_syscall_64+0x93/0x1b0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

refcount_t: addition on 0; use-after-free.
WARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150
RIP: 0010:refcount_warn_saturate+0xce/0x150
 __vsock_bind+0x66d/0x730
 vsock_bind+0x97/0xe0
 __sys_bind+0x154/0x1f0
 __x64_sys_bind+0x6e/0xb0
 do_syscall_64+0x93/0x1b0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

refcount_t: underflow; use-after-free.
WARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150
RIP: 0010:refcount_warn_saturate+0xee/0x150
 vsock_remove_bound+0x187/0x1e0
 __vsock_release+0x383/0x4a0
 vsock_release+0x90/0x120
 __sock_release+0xa3/0x250
 sock_close+0x14/0x20
 __fput+0x359/0xa80
 task_work_run+0x107/0x1d0
 do_exit+0x847/0x2560
 do_group_exit+0xb8/0x250
 __x64_sys_exit_group+0x3a/0x50
 x64_sys_call+0xfec/0x14f0
 do_syscall_64+0x93/0x1b0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
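
The three-step reference-count sequence from the description above, as a user-space toy model added here; it is not kernel code and not the upstream patch. `toy_sock`, `keep_binding` and the helper names are hypothetical, and the fix is modelled only as "the release hook leaves the table entry alone".

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed toy model, not kernel code: one refcount, one shared list node. */
enum table { NONE, UNBOUND, BOUND };
struct toy_sock { int refcnt; enum table on; bool freed; };
static void ref_get(struct toy_sock *s) { s->refcnt++; }
static void ref_put(struct toy_sock *s) { if (--s->refcnt == 0) s->freed = true; }

/* Step 1: creation reference (1), plus one held by the unbound table (2). */
static void toy_create(struct toy_sock *s)
{
    *s = (struct toy_sock){ .refcnt = 1, .on = UNBOUND }; ref_get(s);
}

/* Step 2: release hook during transport reassignment. It only asks "is the
 * node on a list?", so it drops the unbound table's reference by mistake. */
static void toy_transport_release(struct toy_sock *s, bool keep_binding)
{
    if (keep_binding) return;          /* modelled fix: entry stays until destruction */
    if (s->on != NONE) { s->on = NONE; ref_put(s); }
}

/* Step 3: bind assumes the unbound-table reference still exists.
 * Returns true when the object was freed before the bound-table insert. */
static bool toy_bind(struct toy_sock *s)
{
    s->on = NONE;                      /* list_del_init(): nop if already off-list */
    ref_put(s);                        /* unconditional sock_put() */
    if (s->freed) return true;         /* the insert's hold would be "addition on 0" */
    s->on = BOUND; ref_get(s);
    return false;
}

/* Runs steps 1-3; returns the refcount afterwards, or -1 if freed inside bind. */
static int run_sequence(bool keep_binding)
{
    struct toy_sock s;
    toy_create(&s);
    toy_transport_release(&s, keep_binding);
    return toy_bind(&s) ? -1 : s.refcnt;
}

int main(void)
{
    printf("without fix: result=%d\n", run_sequence(false));
    printf("with fix:    result=%d\n", run_sequence(true));
    return 0;
}
```

With the entry kept, the socket ends step 3 holding the creation reference plus the bound table's reference, so teardown can drop each exactly once.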

Comment 3 errata-xmlrpc 2025-05-15 07:24:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2025:7652 https://access.redhat.com/errata/RHSA-2025:7652

Comment 4 errata-xmlrpc 2025-05-15 13:17:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2025:7676 https://access.redhat.com/errata/RHSA-2025:7676

Comment 5 errata-xmlrpc 2025-05-15 17:14:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2025:7682 https://access.redhat.com/errata/RHSA-2025:7682

Comment 6 errata-xmlrpc 2025-05-15 18:18:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2025:7683 https://access.redhat.com/errata/RHSA-2025:7683

Comment 7 errata-xmlrpc 2025-05-19 01:36:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:7896 https://access.redhat.com/errata/RHSA-2025:7896

Comment 8 errata-xmlrpc 2025-05-19 01:46:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2025:7902 https://access.redhat.com/errata/RHSA-2025:7902

Comment 9 errata-xmlrpc 2025-05-19 01:50:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2025:7901 https://access.redhat.com/errata/RHSA-2025:7901

Comment 10 errata-xmlrpc 2025-05-19 01:50:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:7897 https://access.redhat.com/errata/RHSA-2025:7897

Comment 11 errata-xmlrpc 2025-05-19 03:26:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:7903 https://access.redhat.com/errata/RHSA-2025:7903

Comment 12 errata-xmlrpc 2025-05-21 00:55:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:8056 https://access.redhat.com/errata/RHSA-2025:8056

Comment 13 errata-xmlrpc 2025-05-21 01:15:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:8057 https://access.redhat.com/errata/RHSA-2025:8057

Comment 15 errata-xmlrpc 2025-05-21 05:06:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:8058 https://access.redhat.com/errata/RHSA-2025:8058

