{
  "threat_severity" : "Important",
  "public_date" : "2025-02-27T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: vsock: Keep the binding until socket destruction",
    "id" : "2348609",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2348609"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nvsock: Keep the binding until socket destruction\nPreserve sockets bindings; this includes both resulting from an explicit\nbind() and those implicitly bound through autobind during connect().\nPrevents socket unbinding during a transport reassignment, which fixes a\nuse-after-free:\n1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2)\n2. transport->release() calls vsock_remove_bound() without checking if\nsk was bound and moved to bound list (refcnt=1)\n3. vsock_bind() assumes sk is in unbound list and before\n__vsock_insert_bound(vsock_bound_sockets()) calls\n__vsock_remove_bound() which does:\nlist_del_init(&vsk->bound_table); // nop\nsock_put(&vsk->sk);               // refcnt=0\nBUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730\nRead of size 4 at addr ffff88816b46a74c by task a.out/2057\ndump_stack_lvl+0x68/0x90\nprint_report+0x174/0x4f6\nkasan_report+0xb9/0x190\n__vsock_bind+0x62e/0x730\nvsock_bind+0x97/0xe0\n__sys_bind+0x154/0x1f0\n__x64_sys_bind+0x6e/0xb0\ndo_syscall_64+0x93/0x1b0\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\nAllocated by task 2057:\nkasan_save_stack+0x1e/0x40\nkasan_save_track+0x10/0x30\n__kasan_slab_alloc+0x85/0x90\nkmem_cache_alloc_noprof+0x131/0x450\nsk_prot_alloc+0x5b/0x220\nsk_alloc+0x2c/0x870\n__vsock_create.constprop.0+0x2e/0xb60\nvsock_create+0xe4/0x420\n__sock_create+0x241/0x650\n__sys_socket+0xf2/0x1a0\n__x64_sys_socket+0x6e/0xb0\ndo_syscall_64+0x93/0x1b0\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\nFreed by task 2057:\nkasan_save_stack+0x1e/0x40\nkasan_save_track+0x10/0x30\nkasan_save_free_info+0x37/0x60\n__kasan_slab_free+0x4b/0x70\nkmem_cache_free+0x1a1/0x590\n__sk_destruct+0x388/0x5a0\n__vsock_bind+0x5e1/0x730\nvsock_bind+0x97/0xe0\n__sys_bind+0x154/0x1f0\n__x64_sys_bind+0x6e/0xb0\ndo_syscall_64+0x93/0x1b0\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150\nRIP: 0010:refcount_warn_saturate+0xce/0x150\n__vsock_bind+0x66d/0x730\nvsock_bind+0x97/0xe0\n__sys_bind+0x154/0x1f0\n__x64_sys_bind+0x6e/0xb0\ndo_syscall_64+0x93/0x1b0\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150\nRIP: 0010:refcount_warn_saturate+0xee/0x150\nvsock_remove_bound+0x187/0x1e0\n__vsock_release+0x383/0x4a0\nvsock_release+0x90/0x120\n__sock_release+0xa3/0x250\nsock_close+0x14/0x20\n__fput+0x359/0xa80\ntask_work_run+0x107/0x1d0\ndo_exit+0x847/0x2560\ndo_group_exit+0xb8/0x250\n__x64_sys_exit_group+0x3a/0x50\nx64_sys_call+0xfec/0x14f0\ndo_syscall_64+0x93/0x1b0\nentry_SYSCALL_64_after_hwframe+0x76/0x7e", "A flaw was found in the Linux kernel's virtual socket protocol network driver, where an improperly timed socket unbinding could result in a use-after-free issue. This flaw allows an attacker who can create and destroy arbitrary connections on virtual connections to read or modify system memory, potentially leading to an escalation of privileges or the compromise of sensitive data." ],
  "statement" : "If the Virtual Socket Protocol is being used during a connection, or during a transport reassignment, a use-after-free could happen. The local user is supposed to call the bind() function when opening the connection.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-05-26T00:00:00Z",
    "advisory" : "RHSA-2025:8137",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.0",
    "package" : "kernel-0:6.12.0-55.13.1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-05-21T00:00:00Z",
    "advisory" : "RHSA-2025:8057",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.53.1.rt7.394.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-05-21T00:00:00Z",
    "advisory" : "RHSA-2025:8056",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.53.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-06-02T00:00:00Z",
    "advisory" : "RHSA-2025:8345",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kpatch-patch"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2025-05-19T00:00:00Z",
    "advisory" : "RHSA-2025:7901",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.4",
    "package" : "kernel-0:4.18.0-305.157.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Telecommunications Update Service",
    "release_date" : "2025-05-19T00:00:00Z",
    "advisory" : "RHSA-2025:7902",
    "cpe" : "cpe:/a:redhat:rhel_tus:8.4::nfv",
    "package" : "kernel-rt-0:4.18.0-305.157.1.rt7.234.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Telecommunications Update Service",
    "release_date" : "2025-05-19T00:00:00Z",
    "advisory" : "RHSA-2025:7901",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.4",
    "package" : "kernel-0:4.18.0-305.157.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions",
    "release_date" : "2025-05-19T00:00:00Z",
    "advisory" : "RHSA-2025:7901",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.4",
    "package" : "kernel-0:4.18.0-305.157.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions",
    "release_date" : "2025-06-02T00:00:00Z",
    "advisory" : "RHSA-2025:8348",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.4",
    "package" : "kpatch-patch"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2025-05-15T00:00:00Z",
    "advisory" : "RHSA-2025:7652",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.6",
    "package" : "kernel-0:4.18.0-372.145.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2025-05-15T00:00:00Z",
    "advisory" : "RHSA-2025:7652",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.6",
    "package" : "kernel-0:4.18.0-372.145.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2025-05-15T00:00:00Z",
    "advisory" : "RHSA-2025:7652",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.6",
    "package" : "kernel-0:4.18.0-372.145.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2025-06-02T00:00:00Z",
    "advisory" : "RHSA-2025:8347",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.6",
    "package" : "kpatch-patch"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Extended Update Support",
    "release_date" : "2025-05-15T00:00:00Z",
    "advisory" : "RHSA-2025:7682",
    "cpe" : "cpe:/o:redhat:rhel_eus:8.8",
    "package" : "kernel-0:4.18.0-477.97.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Extended Update Support",
    "release_date" : "2025-06-02T00:00:00Z",
    "advisory" : "RHSA-2025:8346",
    "cpe" : "cpe:/o:redhat:rhel_eus:8.8",
    "package" : "kpatch-patch"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-19T00:00:00Z",
    "advisory" : "RHSA-2025:7903",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.17.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-19T00:00:00Z",
    "advisory" : "RHSA-2025:7903",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.17.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2025-05-19T00:00:00Z",
    "advisory" : "RHSA-2025:7897",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "kernel-0:5.14.0-70.132.1.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2025-05-19T00:00:00Z",
    "advisory" : "RHSA-2025:7896",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0::nfv",
    "package" : "kernel-rt-0:5.14.0-70.132.1.rt21.204.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2025-06-02T00:00:00Z",
    "advisory" : "RHSA-2025:8344",
    "cpe" : "cpe:/o:redhat:rhel_e4s:9.0",
    "package" : "kpatch-patch"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2025-05-15T00:00:00Z",
    "advisory" : "RHSA-2025:7683",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2",
    "package" : "kernel-0:5.14.0-284.117.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2025-05-15T00:00:00Z",
    "advisory" : "RHSA-2025:7676",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2::nfv",
    "package" : "kernel-rt-0:5.14.0-284.117.1.rt14.402.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2025-06-02T00:00:00Z",
    "advisory" : "RHSA-2025:8343",
    "cpe" : "cpe:/o:redhat:rhel_eus:9.2",
    "package" : "kpatch-patch"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2025-05-21T00:00:00Z",
    "advisory" : "RHSA-2025:8058",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "kernel-0:5.14.0-427.68.2.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2025-05-28T00:00:00Z",
    "advisory" : "RHSA-2025:8248",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "kernel-0:5.14.0-427.70.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2025-06-02T00:00:00Z",
    "advisory" : "RHSA-2025:8342",
    "cpe" : "cpe:/o:redhat:rhel_eus:9.4",
    "package" : "kpatch-patch"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-21756\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-21756\nhttps://lore.kernel.org/linux-cve-announce/2025022603-CVE-2025-21756-5e09@gregkh/T" ],
  "name" : "CVE-2025-21756",
  "mitigation" : {
    "value" : "To mitigate this issue, prevent the vsock module from being loaded.\nPlease see https://access.redhat.com/solutions/41278 for information on how to blacklist a kernel module to prevent it from loading automatically.",
    "lang" : "en:us"
  },
  "csaw" : false
}