7.8

CVE-2025-21731

nbd: don't allow reconnect after disconnect

In the Linux kernel, the following vulnerability has been resolved:

nbd: don't allow reconnect after disconnect

Following process can cause nbd_config UAF:

1) grab nbd_config temporarily;

2) nbd_genl_disconnect() flush all recv_work() and release the
initial reference:

  nbd_genl_disconnect
   nbd_disconnect_and_put
    nbd_disconnect
     flush_workqueue(nbd->recv_workq)
    if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF, ...))
     nbd_config_put
     -> due to step 1), reference is still not zero

3) nbd_genl_reconfigure() queue recv_work() again;

  nbd_genl_reconfigure
   config = nbd_get_config_unlocked(nbd)
   if (!config)
   -> succeed
   if (!test_bit(NBD_RT_BOUND, ...))
   -> succeed
   nbd_reconnect_socket
    queue_work(nbd->recv_workq, &args->work)

4) step 1) release the reference;

5) Finially, recv_work() will trigger UAF:

  recv_work
   nbd_config_put(nbd)
   -> nbd_config is freed
   atomic_dec(&config->recv_threads)
   -> UAF

Fix the problem by clearing NBD_RT_BOUND in nbd_genl_disconnect(), so
that nbd_genl_reconfigure() will fail.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 4.12 < 5.4.291
LinuxLinux Kernel Version >= 5.5 < 5.10.235
LinuxLinux Kernel Version >= 5.11 < 5.15.179
LinuxLinux Kernel Version >= 5.16 < 6.1.129
LinuxLinux Kernel Version >= 6.2 < 6.6.76
LinuxLinux Kernel Version >= 6.7 < 6.12.13
LinuxLinux Kernel Version >= 6.13 < 6.13.2
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.2% 0.104
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://git.kernel.org/stable/c/844b8cdc681612ff24df62cdefddeab5772fadf1
Patch
https://git.kernel.org/stable/c/9793bd5ae4bdbdb2dde401a3cab94a6bfd05e302
Patch
https://git.kernel.org/stable/c/a8ee6ecde2b7bfb58c8a3afe8a9d2b848f580739
Patch
https://git.kernel.org/stable/c/d208d2c52b652913b5eefc8ca434b0d6b757f68f
Patch
https://git.kernel.org/stable/c/e7343fa33751cb07c1c56b666bf37cfca357130e
Patch
https://git.kernel.org/stable/c/6bef6222a3f6c7adb6396f77f25a3579d821b09a
Patch
https://git.kernel.org/stable/c/e3be8862d73cac833e0fb7602636c19c6cb94b11
Patch
https://git.kernel.org/stable/c/e70a578487a47d7cf058904141e586684d1c3381
Patch
https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html
https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html