Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2025-21756

HIGH
Published 2025-02-27T02:18:11.547Z
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2025-21756. We'll provide specific mitigation strategies based on your environment and risk profile.

CVSS Score

V3.1
7.8
/10
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score Metrics
Exploitability: N/A Impact: N/A

EPSS Score

v2025.03.14
0.000
probability
of exploitation in the wild

There is a 0.0% chance that this vulnerability will be exploited in the wild within the next 30 days.

Updated: 2025-06-25
Exploit Probability
Percentile: 0.036
Higher than 3.6% of all CVEs

Attack Vector Metrics

Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED

Impact Metrics

Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH

Description

In the Linux kernel, the following vulnerability has been resolved:

vsock: Keep the binding until socket destruction

Preserve sockets bindings; this includes both resulting from an explicit
bind() and those implicitly bound through autobind during connect().

Prevents socket unbinding during a transport reassignment, which fixes a
use-after-free:

1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2)
2. transport->release() calls vsock_remove_bound() without checking if
sk was bound and moved to bound list (refcnt=1)
3. vsock_bind() assumes sk is in unbound list and before
__vsock_insert_bound(vsock_bound_sockets()) calls
__vsock_remove_bound() which does:
list_del_init(&vsk->bound_table); // nop
sock_put(&vsk->sk); // refcnt=0

BUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730
Read of size 4 at addr ffff88816b46a74c by task a.out/2057
dump_stack_lvl+0x68/0x90
print_report+0x174/0x4f6
kasan_report+0xb9/0x190
__vsock_bind+0x62e/0x730
vsock_bind+0x97/0xe0
__sys_bind+0x154/0x1f0
__x64_sys_bind+0x6e/0xb0
do_syscall_64+0x93/0x1b0
entry_SYSCALL_64_after_hwframe+0x76/0x7e

Allocated by task 2057:
kasan_save_stack+0x1e/0x40
kasan_save_track+0x10/0x30
__kasan_slab_alloc+0x85/0x90
kmem_cache_alloc_noprof+0x131/0x450
sk_prot_alloc+0x5b/0x220
sk_alloc+0x2c/0x870
__vsock_create.constprop.0+0x2e/0xb60
vsock_create+0xe4/0x420
__sock_create+0x241/0x650
__sys_socket+0xf2/0x1a0
__x64_sys_socket+0x6e/0xb0
do_syscall_64+0x93/0x1b0
entry_SYSCALL_64_after_hwframe+0x76/0x7e

Freed by task 2057:
kasan_save_stack+0x1e/0x40
kasan_save_track+0x10/0x30
kasan_save_free_info+0x37/0x60
__kasan_slab_free+0x4b/0x70
kmem_cache_free+0x1a1/0x590
__sk_destruct+0x388/0x5a0
__vsock_bind+0x5e1/0x730
vsock_bind+0x97/0xe0
__sys_bind+0x154/0x1f0
__x64_sys_bind+0x6e/0xb0
do_syscall_64+0x93/0x1b0
entry_SYSCALL_64_after_hwframe+0x76/0x7e

refcount_t: addition on 0; use-after-free.
WARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150
RIP: 0010:refcount_warn_saturate+0xce/0x150
__vsock_bind+0x66d/0x730
vsock_bind+0x97/0xe0
__sys_bind+0x154/0x1f0
__x64_sys_bind+0x6e/0xb0
do_syscall_64+0x93/0x1b0
entry_SYSCALL_64_after_hwframe+0x76/0x7e

refcount_t: underflow; use-after-free.
WARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150
RIP: 0010:refcount_warn_saturate+0xee/0x150
vsock_remove_bound+0x187/0x1e0
__vsock_release+0x383/0x4a0
vsock_release+0x90/0x120
__sock_release+0xa3/0x250
sock_close+0x14/0x20
__fput+0x359/0xa80
task_work_run+0x107/0x1d0
do_exit+0x847/0x2560
do_group_exit+0xb8/0x250
__x64_sys_exit_group+0x3a/0x50
x64_sys_call+0xfec/0x14f0
do_syscall_64+0x93/0x1b0
entry_SYSCALL_64_after_hwframe+0x76/0x7e

Available Exploits

No exploits available for this CVE.

Related News

Linux Kernel Exploitation: CVE-2025-21756

Article URL: https://hoefler.dev/articles/vsock.html Comments URL: https://news.ycombinator.com/item?id=43849373 Points: 4 # Comments: 0

Hoefler.dev 2025-04-30 19:03
Read More
CVE-2025-21756: How a Tiny Linux Kernel Bug Led to a Full Root Exploit, PoC Releases

In a recently analysis, security researcher Michael Hoefler has exposed the full depth of CVE-2025-21756, a Use-After-Free (UAF) The post CVE-2025-21756: How a Tiny Linux Kernel Bug Led to a Full Root Exploit, PoC Releases appeared first on Daily CyberSecurity.

SecurityOnline.info 2025-04-29 00:50
Read More

Affected Products

Linux

Linux

Affected Versions:

c0cfa2d8a788fcf45df5bf4070ab2474c88d543a c0cfa2d8a788fcf45df5bf4070ab2474c88d543a c0cfa2d8a788fcf45df5bf4070ab2474c88d543a c0cfa2d8a788fcf45df5bf4070ab2474c88d543a c0cfa2d8a788fcf45df5bf4070ab2474c88d543a c0cfa2d8a788fcf45df5bf4070ab2474c88d543a c0cfa2d8a788fcf45df5bf4070ab2474c88d543a
Linux

Linux

Affected Versions:

5.5 0 5.10.235 5.15.179 6.1.131 6.6.79 6.12.16 6.13.4 6.14

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

⚠ Unreviewed HIGH

GHSA-5828-2c94-235c

Advisory Details

In the Linux kernel, the following vulnerability has been resolved: vsock: Keep the binding until socket destruction Preserve sockets bindings; this includes both resulting from an explicit bind() and those implicitly bound through autobind during connect(). Prevents socket unbinding during a transport reassignment, which fixes a use-after-free: 1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2) 2. transport->release() calls vsock_remove_bound() without checking if sk was bound and moved to bound list (refcnt=1) 3. vsock_bind() assumes sk is in unbound list and before __vsock_insert_bound(vsock_bound_sockets()) calls __vsock_remove_bound() which does: list_del_init(&vsk->bound_table); // nop sock_put(&vsk->sk); // refcnt=0 BUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730 Read of size 4 at addr ffff88816b46a74c by task a.out/2057 dump_stack_lvl+0x68/0x90 print_report+0x174/0x4f6 kasan_report+0xb9/0x190 __vsock_bind+0x62e/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Allocated by task 2057: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 __kasan_slab_alloc+0x85/0x90 kmem_cache_alloc_noprof+0x131/0x450 sk_prot_alloc+0x5b/0x220 sk_alloc+0x2c/0x870 __vsock_create.constprop.0+0x2e/0xb60 vsock_create+0xe4/0x420 __sock_create+0x241/0x650 __sys_socket+0xf2/0x1a0 __x64_sys_socket+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 2057: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x60 __kasan_slab_free+0x4b/0x70 kmem_cache_free+0x1a1/0x590 __sk_destruct+0x388/0x5a0 __vsock_bind+0x5e1/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e refcount_t: addition on 0; use-after-free. WARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150 RIP: 0010:refcount_warn_saturate+0xce/0x150 __vsock_bind+0x66d/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e refcount_t: underflow; use-after-free. WARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150 RIP: 0010:refcount_warn_saturate+0xee/0x150 vsock_remove_bound+0x187/0x1e0 __vsock_release+0x383/0x4a0 vsock_release+0x90/0x120 __sock_release+0xa3/0x250 sock_close+0x14/0x20 __fput+0x359/0xa80 task_work_run+0x107/0x1d0 do_exit+0x847/0x2560 do_group_exit+0xb8/0x250 __x64_sys_exit_group+0x3a/0x50 x64_sys_call+0xfec/0x14f0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e

CVSS Scoring

CVSS Score

7.5

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-21756
WEB https://git.kernel.org/stable/c/3f43540166128951cc1be7ab1ce6b7f05c670d8b
WEB https://git.kernel.org/stable/c/42b33381e5e1f2b967dc4fb4221ddb9aaf10d197
WEB https://git.kernel.org/stable/c/645ce25aa0e67895b11d89f27bb86c9d444c40f8
WEB https://git.kernel.org/stable/c/b1afd40321f1c243cffbcf40ea7ca41aca87fa5e
WEB https://git.kernel.org/stable/c/e48fcb403c2d0e574c19683f09399ab4cf67809c
WEB https://git.kernel.org/stable/c/e7754d564579a5db9c5c9f74228df5d6dd6f1173
WEB https://git.kernel.org/stable/c/fcdd2242c0231032fc84e1404315c245ae56322a
WEB https://github.com/hoefler02/CVE-2025-21756/blob/main/x.c

Advisory provided by GitHub Security Advisory Database. Published: February 27, 2025, Modified: April 30, 2025

Social Media Intelligence

Real-time discussions and threat intelligence from social platforms

1 post
Reddit 1 month, 1 week ago
xa1ry
Exploit PoC

Exploiting the CVE-2025-21756 1-day vulnerability [Hyunwoo Kim](https://x.com/v4bel) and [Wongi Lee](https://x.com/_qwerty_po) posted a kernelCTF [report](https://github.com/google/security-research/blob/f7dbb569a8275d4352fb1a2fe869f1afa79d4c28/pocs/linux/kernelctf/CVE-2025-21756_lts_cos/docs/exploit.md) about exploiting a UAF in the vsock subsystem of the Linux kernel. The researchers leaked the kernel base address using the EntryBleed side-channel attack and then turned the UAF on the vsock\_sock structure into a RIP …

2
2.0
View Original High Risk

References

https://git.kernel.org/stable/c/e7754d564579a5db9c5c9f74228df5d6dd6f1173
https://git.kernel.org/stable/c/e48fcb403c2d0e574c19683f09399ab4cf67809c
https://git.kernel.org/stable/c/42b33381e5e1f2b967dc4fb4221ddb9aaf10d197
https://git.kernel.org/stable/c/3f43540166128951cc1be7ab1ce6b7f05c670d8b
https://git.kernel.org/stable/c/645ce25aa0e67895b11d89f27bb86c9d444c40f8
https://git.kernel.org/stable/c/b1afd40321f1c243cffbcf40ea7ca41aca87fa5e
https://git.kernel.org/stable/c/fcdd2242c0231032fc84e1404315c245ae56322a
Published: 2025-02-27T02:18:11.547Z
Last Modified: 2025-05-04T07:20:28.873Z
Copied to clipboard!