7.8
CVE-2025-21731
- EPSS 0.2%
- Veröffentlicht 27.02.2025 02:15:16
- Zuletzt bearbeitet 03.11.2025 20:17:13
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
nbd: don't allow reconnect after disconnect
In the Linux kernel, the following vulnerability has been resolved:
nbd: don't allow reconnect after disconnect
Following process can cause nbd_config UAF:
1) grab nbd_config temporarily;
2) nbd_genl_disconnect() flush all recv_work() and release the
initial reference:
nbd_genl_disconnect
nbd_disconnect_and_put
nbd_disconnect
flush_workqueue(nbd->recv_workq)
if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF, ...))
nbd_config_put
-> due to step 1), reference is still not zero
3) nbd_genl_reconfigure() queue recv_work() again;
nbd_genl_reconfigure
config = nbd_get_config_unlocked(nbd)
if (!config)
-> succeed
if (!test_bit(NBD_RT_BOUND, ...))
-> succeed
nbd_reconnect_socket
queue_work(nbd->recv_workq, &args->work)
4) step 1) release the reference;
5) Finially, recv_work() will trigger UAF:
recv_work
nbd_config_put(nbd)
-> nbd_config is freed
atomic_dec(&config->recv_threads)
-> UAF
Fix the problem by clearing NBD_RT_BOUND in nbd_genl_disconnect(), so
that nbd_genl_reconfigure() will fail.Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linux ≫ Linux Kernel Version >= 4.12 < 5.4.291
Linux ≫ Linux Kernel Version >= 5.5 < 5.10.235
Linux ≫ Linux Kernel Version >= 5.11 < 5.15.179
Linux ≫ Linux Kernel Version >= 5.16 < 6.1.129
Linux ≫ Linux Kernel Version >= 6.2 < 6.6.76
Linux ≫ Linux Kernel Version >= 6.7 < 6.12.13
Linux ≫ Linux Kernel Version >= 6.13 < 6.13.2
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.2% | 0.104 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 7.8 | 1.8 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-416 Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
https://git.kernel.org/stable/c/844b8cdc681612ff24df62cdefddeab5772fadf1
https://git.kernel.org/stable/c/9793bd5ae4bdbdb2dde401a3cab94a6bfd05e302
https://git.kernel.org/stable/c/a8ee6ecde2b7bfb58c8a3afe8a9d2b848f580739
https://git.kernel.org/stable/c/d208d2c52b652913b5eefc8ca434b0d6b757f68f
https://git.kernel.org/stable/c/e7343fa33751cb07c1c56b666bf37cfca357130e
https://git.kernel.org/stable/c/6bef6222a3f6c7adb6396f77f25a3579d821b09a
https://git.kernel.org/stable/c/e3be8862d73cac833e0fb7602636c19c6cb94b11
https://git.kernel.org/stable/c/e70a578487a47d7cf058904141e586684d1c3381
https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html
https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html