CVE Vulnerability Details :
CVE-2025-21731
PUBLISHED
Assigner: Linux
Assigner Org ID: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Published At: 27 Feb, 2025 | 02:07
Updated At: 03 Nov, 2025 | 19:36
▼CVE Numbering Authority (CNA)
nbd: don't allow reconnect after disconnect

In the Linux kernel, the following vulnerability has been resolved:

nbd: don't allow reconnect after disconnect

Following process can cause nbd_config UAF:

1) grab nbd_config temporarily;

2) nbd_genl_disconnect() flush all recv_work() and release the initial reference:

  nbd_genl_disconnect
   nbd_disconnect_and_put
    nbd_disconnect
     flush_workqueue(nbd->recv_workq)
    if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF, ...))
     nbd_config_put
     -> due to step 1), reference is still not zero

3) nbd_genl_reconfigure() queue recv_work() again;

  nbd_genl_reconfigure
   config = nbd_get_config_unlocked(nbd)
   if (!config)
   -> succeed
   if (!test_bit(NBD_RT_BOUND, ...))
   -> succeed
   nbd_reconnect_socket
    queue_work(nbd->recv_workq, &args->work)

4) step 1) release the reference;

5) Finally, recv_work() will trigger UAF:

  recv_work
   nbd_config_put(nbd)
   -> nbd_config is freed
   atomic_dec(&config->recv_threads)
   -> UAF

Fix the problem by clearing NBD_RT_BOUND in nbd_genl_disconnect(), so that nbd_genl_reconfigure() will fail.
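
The five steps above, replayed in order as a single-threaded user-space model of the reference count and the two flags, with and without the NBD_RT_BOUND fix. This is an added example, not kernel code or the upstream patch: the struct, the helper bodies and the assumption that each queued recv_work() holds its own config reference are simplifications, and only the function and flag names come from the description.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of the nbd_config lifetime; not kernel code. */
struct model {
    int  refs;            /* references held on nbd_config */
    bool has_config_ref;  /* NBD_RT_HAS_CONFIG_REF */
    bool bound;           /* NBD_RT_BOUND */
    bool freed;           /* nbd_config has been freed */
    int  queued;          /* recv_work() items waiting to run */
    bool uaf;             /* freed nbd_config was touched */
};
static void config_put(struct model *m) {
    if (--m->refs == 0) m->freed = true;
}
static void genl_disconnect(struct model *m, bool fixed) {
    m->queued = 0;                    /* flush_workqueue(nbd->recv_workq) */
    if (fixed) m->bound = false;      /* the fix: clear NBD_RT_BOUND */
    if (m->has_config_ref) {          /* test_and_clear_bit(...) */
        m->has_config_ref = false;
        config_put(m);                /* release the initial reference */
    }
}
static int genl_reconfigure(struct model *m) {
    if (m->refs == 0) return -1;      /* nbd_get_config_unlocked() fails */
    m->refs++;
    if (!m->bound) { config_put(m); return -1; }  /* rejected when unbound */
    m->refs++;                        /* assumed: queued work holds a ref */
    m->queued++;                      /* queue_work(nbd->recv_workq, ...) */
    config_put(m);
    return 0;
}
static void recv_work(struct model *m) {
    m->queued--;
    config_put(m);                    /* may drop the last reference */
    if (m->freed) m->uaf = true;      /* atomic_dec(&config->recv_threads) */
}
/* Replays steps 1-5; returns true if the freed config is touched. */
static bool replay(bool fixed) {
    struct model m = { .refs = 1, .has_config_ref = true, .bound = true };
    m.refs++;                         /* 1) temporary grab */
    genl_disconnect(&m, fixed);       /* 2) disconnect drops initial ref */
    genl_reconfigure(&m);             /* 3) reconnect attempt */
    config_put(&m);                   /* 4) temporary holder lets go */
    while (m.queued > 0) recv_work(&m);  /* 5) leftover work runs */
    return m.uaf;
}
int main(void) {
    printf("unfixed: uaf=%d\nfixed:   uaf=%d\n", replay(false), replay(true));
}
```

In the unfixed replay the only reference left at step 5 belongs to the queued work item, so its own put frees the config it then touches; with the flag cleared, step 3 is rejected and no work is queued.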

Affected Products
Vendor
Linux Kernel Organization, Inc (Linux)
Product
Linux
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Program Files
  • drivers/block/nbd.c
Default Status
unaffected
Versions
Affected
  • From b7aa3d39385dc2d95899f9e379623fef446a2acd before e70a578487a47d7cf058904141e586684d1c3381 (git)
  • From b7aa3d39385dc2d95899f9e379623fef446a2acd before 6bef6222a3f6c7adb6396f77f25a3579d821b09a (git)
  • From b7aa3d39385dc2d95899f9e379623fef446a2acd before e3be8862d73cac833e0fb7602636c19c6cb94b11 (git)
  • From b7aa3d39385dc2d95899f9e379623fef446a2acd before e7343fa33751cb07c1c56b666bf37cfca357130e (git)
  • From b7aa3d39385dc2d95899f9e379623fef446a2acd before d208d2c52b652913b5eefc8ca434b0d6b757f68f (git)
  • From b7aa3d39385dc2d95899f9e379623fef446a2acd before a8ee6ecde2b7bfb58c8a3afe8a9d2b848f580739 (git)
  • From b7aa3d39385dc2d95899f9e379623fef446a2acd before 9793bd5ae4bdbdb2dde401a3cab94a6bfd05e302 (git)
  • From b7aa3d39385dc2d95899f9e379623fef446a2acd before 844b8cdc681612ff24df62cdefddeab5772fadf1 (git)
Vendor
Linux Kernel Organization, Inc (Linux)
Product
Linux
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Program Files
  • drivers/block/nbd.c
Default Status
affected
Versions
Affected
  • 4.12
Unaffected
  • From 0 before 4.12 (semver)
  • From 5.4.291 through 5.4.* (semver)
  • From 5.10.235 through 5.10.* (semver)
  • From 5.15.179 through 5.15.* (semver)
  • From 6.1.129 through 6.1.* (semver)
  • From 6.6.76 through 6.6.* (semver)
  • From 6.12.13 through 6.12.* (semver)
  • From 6.13.2 through 6.13.* (semver)
  • From 6.14 through * (original_commit_for_fix)
References
  • https://git.kernel.org/stable/c/e70a578487a47d7cf058904141e586684d1c3381
  • https://git.kernel.org/stable/c/6bef6222a3f6c7adb6396f77f25a3579d821b09a
  • https://git.kernel.org/stable/c/e3be8862d73cac833e0fb7602636c19c6cb94b11
  • https://git.kernel.org/stable/c/e7343fa33751cb07c1c56b666bf37cfca357130e
  • https://git.kernel.org/stable/c/d208d2c52b652913b5eefc8ca434b0d6b757f68f
  • https://git.kernel.org/stable/c/a8ee6ecde2b7bfb58c8a3afe8a9d2b848f580739
  • https://git.kernel.org/stable/c/9793bd5ae4bdbdb2dde401a3cab94a6bfd05e302
  • https://git.kernel.org/stable/c/844b8cdc681612ff24df62cdefddeab5772fadf1
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Problem Types
Type: CWE
CWE ID: CWE-416
Description: CWE-416 Use After Free
Metrics
Version: 3.1
Base score: 7.8
Base severity: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
2. CVE Program Container
References
  • https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html
  • https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html