CVE-2025-21731

EUVD-2025-5235

27.02.2025, 02:15

In the Linux kernel, the following vulnerability has been resolved:

nbd: don't allow reconnect after disconnect

Following process can cause nbd_config UAF:

1) grab nbd_config temporarily;

2) nbd_genl_disconnect() flush all recv_work() and release the
initial reference:

  nbd_genl_disconnect
   nbd_disconnect_and_put
    nbd_disconnect
     flush_workqueue(nbd->recv_workq)
    if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF, ...))
     nbd_config_put
     -> due to step 1), reference is still not zero

3) nbd_genl_reconfigure() queue recv_work() again;

  nbd_genl_reconfigure
   config = nbd_get_config_unlocked(nbd)
   if (!config)
   -> succeed
   if (!test_bit(NBD_RT_BOUND, ...))
   -> succeed
   nbd_reconnect_socket
    queue_work(nbd->recv_workq, &args->work)

4) step 1) release the reference;

5) Finially, recv_work() will trigger UAF:

  recv_work
   nbd_config_put(nbd)
   -> nbd_config is freed
   atomic_dec(&config->recv_threads)
   -> UAF

Fix the problem by clearing NBD_RT_BOUND in nbd_genl_disconnect(), so
that nbd_genl_reconfigure() will fail.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 9%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	4.12 ≤ 𝑥 < 5.4.291
linux	linux_kernel	5.5 ≤ 𝑥 < 5.10.235
linux	linux_kernel	5.11 ≤ 𝑥 < 5.15.179
linux	linux_kernel	5.16 ≤ 𝑥 < 6.1.129
linux	linux_kernel	6.2 ≤ 𝑥 < 6.6.76
linux	linux_kernel	6.7 ≤ 𝑥 < 6.12.13
linux	linux_kernel	6.13 ≤ 𝑥 < 6.13.2

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.170-3 fixed
bookworm (security)	6.1.174-1 fixed
bullseye	vulnerable
bullseye (security)	5.10.257-1 fixed
forky	7.0.12-2 fixed
sid	7.0.13-1 fixed
trixie	6.12.86-1 fixed
trixie (security)	6.12.94-1 fixed

linux-6.1

bullseye (security)

6.1.174-1~deb11u1

fixed

openSUSE / SLES Releases

openSUSE Product

Release

cluster-md-kmp-default

suse enterprise server 12 SP5

4.12.14-122.269.1

fixed

dlm-kmp-default

suse enterprise server 12 SP5

4.12.14-122.269.1

fixed

gfs2-kmp-default

suse enterprise server 12 SP5

4.12.14-122.269.1

fixed

kernel-64kb

suse enterprise desktop 15 SP6	6.4.0-150600.23.47.2 fixed
suse enterprise desktop 15 SP7	6.4.0-150700.51.1 fixed
suse enterprise sap 15 SP6	6.4.0-150600.23.47.2 fixed
suse enterprise sap 15 SP7	6.4.0-150700.51.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.47.2 fixed
suse enterprise server 15 SP7	6.4.0-150700.51.1 fixed

kernel-azure

suse enterprise sap 15 SP6	6.4.0-150600.8.34.2 fixed
suse enterprise server 15 SP6	6.4.0-150600.8.34.2 fixed

kernel-default

suse enterprise desktop 15 SP6	6.4.0-150600.23.47.2 fixed
suse enterprise desktop 15 SP7	6.4.0-150700.51.1 fixed
suse enterprise sap 15 SP6	6.4.0-150600.23.47.2 fixed
suse enterprise sap 15 SP7	6.4.0-150700.51.1 fixed
suse enterprise server 12 SP5	4.12.14-122.269.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.47.2 fixed
suse enterprise server 15 SP7	6.4.0-150700.51.1 fixed

kernel-default-base

suse enterprise desktop 15 SP6	6.4.0-150600.23.47.2.150600.12.20.2 fixed
suse enterprise sap 15 SP6	6.4.0-150600.23.47.2.150600.12.20.2 fixed
suse enterprise server 12 SP5	4.12.14-122.269.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.47.2.150600.12.20.2 fixed

kernel-default-extra

suse enterprise desktop 15 SP6	6.4.0-150600.23.47.2 fixed
suse enterprise sap 15 SP6	6.4.0-150600.23.47.2 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.47.2 fixed
suse enterprise workstation 15 SP6	6.4.0-150600.23.47.2 fixed

kernel-default-man

suse enterprise server 12 SP5

4.12.14-122.269.1

fixed

kernel-obs-build

suse enterprise desktop 15 SP6	6.4.0-150600.23.47.1 fixed
suse enterprise desktop 15 SP7	6.4.0-150700.51.2 fixed
suse enterprise sap 15 SP6	6.4.0-150600.23.47.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.51.2 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.47.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.51.2 fixed

kernel-source

suse enterprise desktop 15 SP6	6.4.0-150600.23.47.2 fixed
suse enterprise desktop 15 SP7	6.4.0-150700.51.1 fixed
suse enterprise sap 15 SP6	6.4.0-150600.23.47.2 fixed
suse enterprise sap 15 SP7	6.4.0-150700.51.1 fixed
suse enterprise server 12 SP5	4.12.14-122.269.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.47.2 fixed
suse enterprise server 15 SP7	6.4.0-150700.51.1 fixed

kernel-source-azure

suse enterprise sap 15 SP6	6.4.0-150600.8.34.2 fixed
suse enterprise server 15 SP6	6.4.0-150600.8.34.2 fixed

kernel-zfcpdump

suse enterprise desktop 15 SP6	6.4.0-150600.23.47.2 fixed
suse enterprise desktop 15 SP7	6.4.0-150700.51.1 fixed
suse enterprise sap 15 SP6	6.4.0-150600.23.47.2 fixed
suse enterprise sap 15 SP7	6.4.0-150700.51.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.47.2 fixed
suse enterprise server 15 SP7	6.4.0-150700.51.1 fixed

ocfs2-kmp-default

suse enterprise server 12 SP5

4.12.14-122.269.1

fixed

Amazon Linux Releases

Amazon Package

Release

bpftool

Amazon Linux 2023

0:6.1.131-143.221.amzn2023

fixed

bpftool-debuginfo

Amazon Linux 2023

0:6.1.131-143.221.amzn2023

fixed

kernel

Amazon Linux 1	0:4.14.355-196.618.amzn1 fixed
Amazon Linux 2	0:4.14.355-276.618.amzn2 fixed
Amazon Linux 2023	0:6.1.131-143.221.amzn2023 fixed

kernel-debuginfo

Amazon Linux 1	0:4.14.355-196.618.amzn1 fixed
Amazon Linux 2	0:4.14.355-276.618.amzn2 fixed
Amazon Linux 2023	0:6.1.131-143.221.amzn2023 fixed

kernel-debuginfo-common-aarch64

Amazon Linux 2	0:4.14.355-276.618.amzn2 fixed
Amazon Linux 2023	0:6.1.131-143.221.amzn2023 fixed

kernel-debuginfo-common-i686

Amazon Linux 1

0:4.14.355-196.618.amzn1

fixed

kernel-debuginfo-common-x86_64

Amazon Linux 1	0:4.14.355-196.618.amzn1 fixed
Amazon Linux 2	0:4.14.355-276.618.amzn2 fixed
Amazon Linux 2023	0:6.1.131-143.221.amzn2023 fixed

kernel-devel

Amazon Linux 1	0:4.14.355-196.618.amzn1 fixed
Amazon Linux 2	0:4.14.355-276.618.amzn2 fixed
Amazon Linux 2023	0:6.1.131-143.221.amzn2023 fixed

kernel-headers

Amazon Linux 1	0:4.14.355-196.618.amzn1 fixed
Amazon Linux 2	0:4.14.355-276.618.amzn2 fixed
Amazon Linux 2023	0:6.1.131-143.221.amzn2023 fixed

kernel-libbpf

Amazon Linux 2023

0:6.1.131-143.221.amzn2023

fixed

kernel-libbpf-debuginfo

Amazon Linux 2023

0:6.1.131-143.221.amzn2023

fixed

kernel-libbpf-devel

Amazon Linux 2023

0:6.1.131-143.221.amzn2023

fixed

kernel-libbpf-static

Amazon Linux 2023

0:6.1.131-143.221.amzn2023

fixed

kernel-livepatch-4.14.355-276.618

Amazon Linux 2

0:1.0-0.amzn2

fixed

kernel-livepatch-6.1.131-143.221

Amazon Linux 2023

0:1.0-0.amzn2023

fixed

kernel-modules-extra

Amazon Linux 2023

0:6.1.131-143.221.amzn2023

fixed

kernel-modules-extra-common

Amazon Linux 2023

0:6.1.131-143.221.amzn2023

fixed

kernel-tools

Amazon Linux 1	0:4.14.355-196.618.amzn1 fixed
Amazon Linux 2	0:4.14.355-276.618.amzn2 fixed
Amazon Linux 2023	0:6.1.131-143.221.amzn2023 fixed

kernel-tools-debuginfo

Amazon Linux 1	0:4.14.355-196.618.amzn1 fixed
Amazon Linux 2	0:4.14.355-276.618.amzn2 fixed
Amazon Linux 2023	0:6.1.131-143.221.amzn2023 fixed

kernel-tools-devel

Amazon Linux 1	0:4.14.355-196.618.amzn1 fixed
Amazon Linux 2	0:4.14.355-276.618.amzn2 fixed
Amazon Linux 2023	0:6.1.131-143.221.amzn2023 fixed

perf

Amazon Linux 1	0:4.14.355-196.618.amzn1 fixed
Amazon Linux 2	0:4.14.355-276.618.amzn2 fixed
Amazon Linux 2023	0:6.1.131-143.221.amzn2023 fixed

perf-debuginfo

Amazon Linux 1	0:4.14.355-196.618.amzn1 fixed
Amazon Linux 2	0:4.14.355-276.618.amzn2 fixed
Amazon Linux 2023	0:6.1.131-143.221.amzn2023 fixed

python-perf

Amazon Linux 2

0:4.14.355-276.618.amzn2

fixed

python-perf-debuginfo

Amazon Linux 2

0:4.14.355-276.618.amzn2

fixed

python3-perf

Amazon Linux 2023

0:6.1.131-143.221.amzn2023

fixed

python3-perf-debuginfo

Amazon Linux 2023

0:6.1.131-143.221.amzn2023

fixed

Azure Linux Releases

Azure Package

Release

kernel

CBL-Mariner 2.0

0:5.15.180.1-1.cm2

fixed

Common Weakness Enumeration

CWE-416 - Use After Free
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

References

https://git.kernel.org/stable/c/6bef6222a3f6c7adb6396f77f25a3579d821b09a

https://git.kernel.org/stable/c/844b8cdc681612ff24df62cdefddeab5772fadf1

https://git.kernel.org/stable/c/9793bd5ae4bdbdb2dde401a3cab94a6bfd05e302

https://git.kernel.org/stable/c/a8ee6ecde2b7bfb58c8a3afe8a9d2b848f580739

https://git.kernel.org/stable/c/d208d2c52b652913b5eefc8ca434b0d6b757f68f

https://git.kernel.org/stable/c/e3be8862d73cac833e0fb7602636c19c6cb94b11

https://git.kernel.org/stable/c/e70a578487a47d7cf058904141e586684d1c3381

https://git.kernel.org/stable/c/e7343fa33751cb07c1c56b666bf37cfca357130e

https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html

https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html