CVE-2025-21731 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved:

nbd: don't allow reconnect after disconnect

Following process can cause nbd_config UAF:

1) grab nbd_config temporarily;

2) nbd_genl_disconnect() flush all recv_work() and release the
initial reference:

nbd_genl_disconnect
nbd_disconnect_and_put
nbd_disconnect
flush_workqueue(nbd->recv_workq)
if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF, ...))
nbd_config_put
-> due to step 1), reference is still not zero

3) nbd_genl_reconfigure() queue recv_work() again;

nbd_genl_reconfigure
config = nbd_get_config_unlocked(nbd)
if (!config)
-> succeed
if (!test_bit(NBD_RT_BOUND, ...))
-> succeed
nbd_reconnect_socket
queue_work(nbd->recv_workq, &args->work)

4) step 1) release the reference;

5) Finially, recv_work() will trigger UAF:

recv_work
nbd_config_put(nbd)
-> nbd_config is freed
atomic_dec(&config->recv_threads)
-> UAF

Fix the problem by clearing NBD_RT_BOUND in nbd_genl_disconnect(), so
that nbd_genl_reconfigure() will fail.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00035.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Linux	Linux Kernel

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Advisories

Source	ID	Title
Debian DLA	DLA-4102-1	linux-6.1 security update
Debian DLA	DLA-4178-1	linux security update
EUVD	EUVD-2025-5235	In the Linux kernel, the following vulnerability has been resolved: nbd: don't allow reconnect after disconnect Following process can cause nbd_config UAF: 1) grab nbd_config temporarily; 2) nbd_genl_disconnect() flush all recv_work() and release the initial reference: nbd_genl_disconnect nbd_disconnect_and_put nbd_disconnect flush_workqueue(nbd->recv_workq) if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF, ...)) nbd_config_put -> due to step 1), reference is still not zero 3) nbd_genl_reconfigure() queue recv_work() again; nbd_genl_reconfigure config = nbd_get_config_unlocked(nbd) if (!config) -> succeed if (!test_bit(NBD_RT_BOUND, ...)) -> succeed nbd_reconnect_socket queue_work(nbd->recv_workq, &args->work) 4) step 1) release the reference; 5) Finially, recv_work() will trigger UAF: recv_work nbd_config_put(nbd) -> nbd_config is freed atomic_dec(&config->recv_threads) -> UAF Fix the problem by clearing NBD_RT_BOUND in nbd_genl_disconnect(), so that nbd_genl_reconfigure() will fail.
Ubuntu USN	USN-7510-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7510-2	Linux kernel (FIPS) vulnerabilities
Ubuntu USN	USN-7510-3	Linux kernel vulnerabilities
Ubuntu USN	USN-7510-4	Linux kernel (Real-time) vulnerabilities
Ubuntu USN	USN-7510-5	Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN	USN-7510-6	Linux kernel (AWS FIPS) vulnerabilities
Ubuntu USN	USN-7510-7	Linux kernel vulnerabilities
Ubuntu USN	USN-7510-8	Linux kernel (AWS) vulnerabilities
Ubuntu USN	USN-7511-1	Linux kernel (GCP) vulnerabilities
Ubuntu USN	USN-7511-2	Linux kernel (GCP FIPS) vulnerabilities
Ubuntu USN	USN-7511-3	Linux kernel (GKE) vulnerabilities
Ubuntu USN	USN-7512-1	Linux kernel (GCP) vulnerabilities
Ubuntu USN	USN-7516-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7516-2	Linux kernel (GCP FIPS) vulnerabilities
Ubuntu USN	USN-7516-3	Linux kernel vulnerabilities
Ubuntu USN	USN-7516-4	Linux kernel (Oracle) vulnerabilities
Ubuntu USN	USN-7516-5	Linux kernel (HWE) vulnerabilities
Ubuntu USN	USN-7516-6	Linux kernel (IBM) vulnerabilities
Ubuntu USN	USN-7516-7	Linux kernel (AWS) vulnerabilities
Ubuntu USN	USN-7516-8	Linux kernel (FIPS) vulnerabilities
Ubuntu USN	USN-7516-9	Linux kernel (AWS) vulnerabilities
Ubuntu USN	USN-7517-1	Linux kernel (Xilinx ZynqMP) vulnerabilities
Ubuntu USN	USN-7517-2	Linux kernel (IBM) vulnerabilities
Ubuntu USN	USN-7517-3	Linux kernel (BlueField) vulnerabilities
Ubuntu USN	USN-7518-1	Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN	USN-7521-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7521-2	Linux kernel (AWS) vulnerabilities
Ubuntu USN	USN-7521-3	Linux kernel vulnerabilities
Ubuntu USN	USN-7539-1	Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN	USN-7540-1	Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN	USN-7593-1	Linux kernel (HWE) vulnerabilities
Ubuntu USN	USN-7602-1	Linux kernel (Xilinx ZynqMP) vulnerabilities
Ubuntu USN	USN-7640-1	Linux kernel (IoT) vulnerabilities
Ubuntu USN	USN-7651-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7651-2	Linux kernel vulnerabilities
Ubuntu USN	USN-7651-3	Linux kernel vulnerabilities
Ubuntu USN	USN-7651-4	Linux kernel (GCP) vulnerabilities
Ubuntu USN	USN-7651-5	Linux kernel (Raspberry Pi Real-time) vulnerabilities
Ubuntu USN	USN-7651-6	Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN	USN-7652-1	Linux kernel (Real-time) vulnerabilities
Ubuntu USN	USN-7653-1	Linux kernel (HWE) vulnerabilities
Ubuntu USN	USN-7737-1	Linux kernel (Azure) vulnerabilities

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://git.kernel.org/stable/c/6bef6222a3f6c7adb6396f77f25a3579d821b09a
https://git.kernel.org/stable/c/844b8cdc681612ff24df62cdefddeab5772fadf1
https://git.kernel.org/stable/c/9793bd5ae4bdbdb2dde401a3cab94a6bfd05e302
https://git.kernel.org/stable/c/a8ee6ecde2b7bfb58c8a3afe8a9d2b848f580739
https://git.kernel.org/stable/c/d208d2c52b652913b5eefc8ca434b0d6b757f68f
https://git.kernel.org/stable/c/e3be8862d73cac833e0fb7602636c19c6cb94b11
https://git.kernel.org/stable/c/e70a578487a47d7cf058904141e586684d1c3381
https://git.kernel.org/stable/c/e7343fa33751cb07c1c56b666bf37cfca357130e
https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html
https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html
https://lore.kernel.org/linux-cve-announce/2025022649-CVE-2025-21731-c18b@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2025-21731
https://www.cve.org/CVERecord?id=CVE-2025-21731

History

Mon, 03 Nov 2025 20:30:00 +0000

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html

Mon, 24 Mar 2025 19:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel

Thu, 13 Mar 2025 12:30:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/6bef6222a3f6c7adb6396f77f25a3579d821b09a https://git.kernel.org/stable/c/e3be8862d73cac833e0fb7602636c19c6cb94b11 https://git.kernel.org/stable/c/e70a578487a47d7cf058904141e586684d1c3381

Tue, 04 Mar 2025 03:45:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 28 Feb 2025 02:00:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2025022649-CVE-2025-21731-c18b@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2025-21731 https://www.cve.org/CVERecord?id=CVE-2025-21731
Metrics	threat_severity `None`	threat_severity `Moderate`

Thu, 27 Feb 2025 18:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416
Metrics		cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Thu, 27 Feb 2025 02:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: nbd: don't allow reconnect after disconnect Following process can cause nbd_config UAF: 1) grab nbd_config temporarily; 2) nbd_genl_disconnect() flush all recv_work() and release the initial reference: nbd_genl_disconnect nbd_disconnect_and_put nbd_disconnect flush_workqueue(nbd->recv_workq) if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF, ...)) nbd_config_put -> due to step 1), reference is still not zero 3) nbd_genl_reconfigure() queue recv_work() again; nbd_genl_reconfigure config = nbd_get_config_unlocked(nbd) if (!config) -> succeed if (!test_bit(NBD_RT_BOUND, ...)) -> succeed nbd_reconnect_socket queue_work(nbd->recv_workq, &args->work) 4) step 1) release the reference; 5) Finially, recv_work() will trigger UAF: recv_work nbd_config_put(nbd) -> nbd_config is freed atomic_dec(&config->recv_threads) -> UAF Fix the problem by clearing NBD_RT_BOUND in nbd_genl_disconnect(), so that nbd_genl_reconfigure() will fail.
Title		nbd: don't allow reconnect after disconnect
References		https://git.kernel.org/stable/c/844b8cdc681612ff24df62cdefddeab5772fadf1 https://git.kernel.org/stable/c/9793bd5ae4bdbdb2dde401a3cab94a6bfd05e302 https://git.kernel.org/stable/c/a8ee6ecde2b7bfb58c8a3afe8a9d2b848f580739 https://git.kernel.org/stable/c/d208d2c52b652913b5eefc8ca434b0d6b757f68f https://git.kernel.org/stable/c/e7343fa33751cb07c1c56b666bf37cfca357130e

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2025-02-27T02:07:35.927Z

Updated: 2025-11-03T19:36:36.130Z

Reserved: 2024-12-29T08:45:45.755Z

Link: CVE-2025-21731

Vulnrichment

Updated: 2025-02-27T17:58:02.900Z

NVD

Status : Modified

Published: 2025-02-27T02:15:16.833

Modified: 2025-11-03T20:17:13.173

Link: CVE-2025-21731

Redhat

Severity : Moderate

Publid Date: 2025-02-27T00:00:00Z

Links: CVE-2025-21731 - Bugzilla

OpenCVE Enrichment

No data.

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object