cbcvebase.
CVE-2025-21756
published 2025-02-27

CVE-2025-21756: In the Linux kernel, the following vulnerability has been resolved: vsock: Keep the binding until socket destruction Preserve sockets bindings; this includes…

PriorityP277high7.8CVSS 3.1
AVLACLPRLUINSUCHIHAH
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
0.82%
52.7th percentile
In the Linux kernel, the following vulnerability has been resolved: vsock: Keep the binding until socket destruction Preserve sockets bindings; this includes both resulting from an explicit bind() and those implicitly bound through autobind during connect(). Prevents socket unbinding during a transport reassignment, which fixes a use-after-free: 1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2) 2. transport->release() calls vsock_remove_bound() without checking if sk was bound and moved to bound list (refcnt=1) 3. vsock_bind() assumes sk is in unbound list and before __vsock_insert_bound(vsock_bound_sockets()) calls __vsock_remove_bound() which does: list_del_init(&vsk->bound_table); // nop sock_put(&vsk->sk); // refcnt=0 BUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730 Read of size 4 at addr ffff88816b46a74c by task a.out/2057 dump_stack_lvl+0x68/0x90 print_report+0x174/0x4f6 kasan_report+0xb9/0x190 __vsock_bind+0x62e/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Allocated by task 2057: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 __kasan_slab_alloc+0x85/0x90 kmem_cache_alloc_noprof+0x131/0x450 sk_prot_alloc+0x5b/0x220 sk_alloc+0x2c/0x870 __vsock_create.constprop.0+0x2e/0xb60 vsock_create+0xe4/0x420 __sock_create+0x241/0x650 __sys_socket+0xf2/0x1a0 __x64_sys_socket+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 2057: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x60 __kasan_slab_free+0x4b/0x70 kmem_cache_free+0x1a1/0x590 __sk_destruct+0x388/0x5a0 __vsock_bind+0x5e1/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e refcount_t: addition on 0; use-after-free. WARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150 RIP: 0010:refcount_warn_

Affected

27 ranges· showing 25
VendorProductVersion rangeFixed in
debianlinux< linux 6.1.133-1 (bookworm)linux 6.1.133-1 (bookworm)
debianlinux-6.1< linux 6.1.133-1 (bookworm)linux 6.1.133-1 (bookworm)
googlechrome_chrome
linuxlinux
linuxlinux>= c0cfa2d8a788fcf45df5bf4070ab2474c88d543a < e7754d564579a5db9c5c9f74228df5d6dd6f1173e7754d564579a5db9c5c9f74228df5d6dd6f1173
linuxlinux>= c0cfa2d8a788fcf45df5bf4070ab2474c88d543a < e48fcb403c2d0e574c19683f09399ab4cf67809ce48fcb403c2d0e574c19683f09399ab4cf67809c
linuxlinux>= c0cfa2d8a788fcf45df5bf4070ab2474c88d543a < 42b33381e5e1f2b967dc4fb4221ddb9aaf10d19742b33381e5e1f2b967dc4fb4221ddb9aaf10d197
linuxlinux>= c0cfa2d8a788fcf45df5bf4070ab2474c88d543a < 3f43540166128951cc1be7ab1ce6b7f05c670d8b3f43540166128951cc1be7ab1ce6b7f05c670d8b
linuxlinux>= c0cfa2d8a788fcf45df5bf4070ab2474c88d543a < 645ce25aa0e67895b11d89f27bb86c9d444c40f8645ce25aa0e67895b11d89f27bb86c9d444c40f8
linuxlinux>= c0cfa2d8a788fcf45df5bf4070ab2474c88d543a < b1afd40321f1c243cffbcf40ea7ca41aca87fa5eb1afd40321f1c243cffbcf40ea7ca41aca87fa5e
linuxlinux>= c0cfa2d8a788fcf45df5bf4070ab2474c88d543a < fcdd2242c0231032fc84e1404315c245ae56322afcdd2242c0231032fc84e1404315c245ae56322a
linuxlinux_kernel>= 0 < 5.10.237-15.10.237-1
linuxlinux_kernel>= 0 < 6.1.133-16.1.133-1
linuxlinux_kernel>= 0 < 6.12.16-16.12.16-1
linuxlinux_kernel>= 0 < 6.12.16-16.12.16-1
linuxlinux_kernel>= 0 < 5.15.0-138.1485.15.0-138.148
linuxlinux_kernel>= 0 < 6.8.0-58.606.8.0-58.60
linuxlinux_kernel>= 5.11 < 5.15.1795.15.179
linuxlinux_kernel>= 5.16 < 6.1.1316.1.131
linuxlinux_kernel>= 5.5 < 5.10.2355.10.235
linuxlinux_kernel>= 6.13 < 6.13.46.13.4
linuxlinux_kernel>= 6.2 < 6.6.796.6.79
linuxlinux_kernel>= 6.7 < 6.12.166.12.16
msrcazl3_kernel_6.6.78.1-3_on_azure_linux_3.0
msrcazl3_kernel_6.6.82.1-1_on_azure_linux_3.0

Detection & IOCsextracted from sources · hover to see the quote

  • Detect KASAN slab-use-after-free triggered in __vsock_bind during transport reassignment — look for kernel KASAN reports referencing __vsock_bind in dmesg/kernel logs
  • Detect refcount underflow/use-after-free warnings in vsock_remove_bound — monitor kernel logs for refcount_warn_saturate triggered from vsock_remove_bound call chain
  • Detect refcount addition-on-zero use-after-free in __vsock_bind — monitor kernel logs for refcount_warn_saturate triggered from __vsock_bind call chain
  • Exploitation requires local user ability to call bind() on vsock sockets during transport reassignment — monitor for unusual vsock bind() syscall sequences from unprivileged local users
  • Check if the vsock kernel module is loaded on systems where it is not required — presence of the vsock module on non-VM-transport systems increases attack surface
  • ·Vulnerability is only exploitable when the vsock (Virtual Socket Protocol) module is loaded and in use; systems not using vsock for VM transport are not affected
  • ·Red Hat Enterprise Linux 6 and 7 (including kernel-rt) are confirmed not affected
  • ·Debian fixed versions: bookworm 6.1.133-1, bullseye 5.10.237-1, forky/sid/trixie 6.12.16-1

CVSS provenance

nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv8.8HIGH
vulncheck7.8HIGH
vendor_ubuntu8.8HIGH
vendor_debian7.8HIGH
vendor_msrc7.8HIGH
vendor_redhat7.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.