Description
In the Linux kernel, the following vulnerability has been resolved:

vsock: Keep the binding until socket destruction

Preserve sockets bindings; this includes both resulting from an explicit
bind() and those implicitly bound through autobind during connect().

Prevents socket unbinding during a transport reassignment, which fixes a
use-after-free:

1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2)
2. transport->release() calls vsock_remove_bound() without checking if
sk was bound and moved to bound list (refcnt=1)
3. vsock_bind() assumes sk is in unbound list and before
__vsock_insert_bound(vsock_bound_sockets()) calls
__vsock_remove_bound() which does:
list_del_init(&vsk->bound_table); // nop
sock_put(&vsk->sk); // refcnt=0

BUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730
Read of size 4 at addr ffff88816b46a74c by task a.out/2057
dump_stack_lvl+0x68/0x90
print_report+0x174/0x4f6
kasan_report+0xb9/0x190
__vsock_bind+0x62e/0x730
vsock_bind+0x97/0xe0
__sys_bind+0x154/0x1f0
__x64_sys_bind+0x6e/0xb0
do_syscall_64+0x93/0x1b0
entry_SYSCALL_64_after_hwframe+0x76/0x7e

Allocated by task 2057:
kasan_save_stack+0x1e/0x40
kasan_save_track+0x10/0x30
__kasan_slab_alloc+0x85/0x90
kmem_cache_alloc_noprof+0x131/0x450
sk_prot_alloc+0x5b/0x220
sk_alloc+0x2c/0x870
__vsock_create.constprop.0+0x2e/0xb60
vsock_create+0xe4/0x420
__sock_create+0x241/0x650
__sys_socket+0xf2/0x1a0
__x64_sys_socket+0x6e/0xb0
do_syscall_64+0x93/0x1b0
entry_SYSCALL_64_after_hwframe+0x76/0x7e

Freed by task 2057:
kasan_save_stack+0x1e/0x40
kasan_save_track+0x10/0x30
kasan_save_free_info+0x37/0x60
__kasan_slab_free+0x4b/0x70
kmem_cache_free+0x1a1/0x590
__sk_destruct+0x388/0x5a0
__vsock_bind+0x5e1/0x730
vsock_bind+0x97/0xe0
__sys_bind+0x154/0x1f0
__x64_sys_bind+0x6e/0xb0
do_syscall_64+0x93/0x1b0
entry_SYSCALL_64_after_hwframe+0x76/0x7e

refcount_t: addition on 0; use-after-free.
WARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150
RIP: 0010:refcount_warn_saturate+0xce/0x150
__vsock_bind+0x66d/0x730
vsock_bind+0x97/0xe0
__sys_bind+0x154/0x1f0
__x64_sys_bind+0x6e/0xb0
do_syscall_64+0x93/0x1b0
entry_SYSCALL_64_after_hwframe+0x76/0x7e

refcount_t: underflow; use-after-free.
WARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150
RIP: 0010:refcount_warn_saturate+0xee/0x150
vsock_remove_bound+0x187/0x1e0
__vsock_release+0x383/0x4a0
vsock_release+0x90/0x120
__sock_release+0xa3/0x250
sock_close+0x14/0x20
__fput+0x359/0xa80
task_work_run+0x107/0x1d0
do_exit+0x847/0x2560
do_group_exit+0xb8/0x250
__x64_sys_exit_group+0x3a/0x50
x64_sys_call+0xfec/0x14f0
do_syscall_64+0x93/0x1b0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Published: 2025-02-27
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Update Kernel
AI Analysis

Impact

The vulnerability is a use‑after‑free flaw in the Linux kernel’s vsock socket code (CWE‑416). It can cause kernel memory corruption when a socket is unbound after a transport reassignment, potentially allowing an attacker to read or modify memory or execute code with kernel privileges.

Affected Systems

The flaw affects all Linux kernel builds that incorporate the vsock module, including Red Hat Enterprise Linux 8, 9, 10 and related derivatives, as well as other distributions using the upstream kernel. No specific version range is listed, so any kernel that has not applied the recent patch may be affected.

Risk and Exploitability

The CVSS score of 7.8 indicates a high risk, while an EPSS score of <1 % and absence from the CISA KEV catalog suggest exploitation is unlikely at present. The flaw would likely be triggered by local actions that involve creating or manipulating vsock connections; thus, updating the kernel or limiting vsock usage mitigates the threat.

Generated by OpenCVE AI on April 28, 2026 at 03:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s kernel update that includes the fix for CVE‑2025‑21756.
  • If an immediate update is unavailable, disable the vsock kernel module or block vsock socket creation using firewall or network policy controls.
  • Monitor system logs for anomalous vsock activity and apply SELinux or AppArmor hardening to restrict socket creation privileges.

Generated by OpenCVE AI on April 28, 2026 at 03:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4178-1 linux security update
Debian DLA Debian DLA DLA-4193-1 linux-6.1 security update
Debian DSA Debian DSA DSA-5900-1 linux security update
EUVD EUVD EUVD-2025-5169 In the Linux kernel, the following vulnerability has been resolved: vsock: Keep the binding until socket destruction Preserve sockets bindings; this includes both resulting from an explicit bind() and those implicitly bound through autobind during connect(). Prevents socket unbinding during a transport reassignment, which fixes a use-after-free: 1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2) 2. transport->release() calls vsock_remove_bound() without checking if sk was bound and moved to bound list (refcnt=1) 3. vsock_bind() assumes sk is in unbound list and before __vsock_insert_bound(vsock_bound_sockets()) calls __vsock_remove_bound() which does: list_del_init(&vsk->bound_table); // nop sock_put(&vsk->sk); // refcnt=0 BUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730 Read of size 4 at addr ffff88816b46a74c by task a.out/2057 dump_stack_lvl+0x68/0x90 print_report+0x174/0x4f6 kasan_report+0xb9/0x190 __vsock_bind+0x62e/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Allocated by task 2057: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 __kasan_slab_alloc+0x85/0x90 kmem_cache_alloc_noprof+0x131/0x450 sk_prot_alloc+0x5b/0x220 sk_alloc+0x2c/0x870 __vsock_create.constprop.0+0x2e/0xb60 vsock_create+0xe4/0x420 __sock_create+0x241/0x650 __sys_socket+0xf2/0x1a0 __x64_sys_socket+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 2057: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x60 __kasan_slab_free+0x4b/0x70 kmem_cache_free+0x1a1/0x590 __sk_destruct+0x388/0x5a0 __vsock_bind+0x5e1/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e refcount_t: addition on 0; use-after-free. WARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150 RIP: 0010:refcount_warn_saturate+0xce/0x150 __vsock_bind+0x66d/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e refcount_t: underflow; use-after-free. WARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150 RIP: 0010:refcount_warn_saturate+0xee/0x150 vsock_remove_bound+0x187/0x1e0 __vsock_release+0x383/0x4a0 vsock_release+0x90/0x120 __sock_release+0xa3/0x250 sock_close+0x14/0x20 __fput+0x359/0xa80 task_work_run+0x107/0x1d0 do_exit+0x847/0x2560 do_group_exit+0xb8/0x250 __x64_sys_exit_group+0x3a/0x50 x64_sys_call+0xfec/0x14f0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e
Ubuntu USN Ubuntu USN USN-7445-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-7448-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-7449-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-7449-2 Linux kernel (HWE) vulnerabilities
Ubuntu USN Ubuntu USN USN-7450-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-7451-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-7452-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-7453-1 Linux kernel (Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-7455-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-7455-2 Linux kernel (FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-7455-3 Linux kernel (Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-7455-4 Linux kernel (Oracle) vulnerabilities
Ubuntu USN Ubuntu USN USN-7455-5 Linux kernel (AWS) vulnerabilities
Ubuntu USN Ubuntu USN USN-7459-1 Linux kernel (Intel IoTG) vulnerabilities
Ubuntu USN Ubuntu USN USN-7459-2 Linux kernel (GCP) vulnerabilities
Ubuntu USN Ubuntu USN USN-7460-1 Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-7468-1 Linux kernel (Azure, N-Series) vulnerabilities
Ubuntu USN Ubuntu USN USN-7475-1 Linux kernel (Xilinx ZynqMP) vulnerabilities
Ubuntu USN Ubuntu USN USN-7523-1 Linux kernel (Raspberry Pi Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-7524-1 Linux kernel (Raspberry Pi) vulnerabilities
History

Mon, 03 Nov 2025 20:30:00 +0000

Type Values Removed Values Added
References

Thu, 14 Aug 2025 21:30:00 +0000

Type Values Removed Values Added
References

Tue, 03 Jun 2025 02:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:rhel_e4s:9.0
cpe:/o:redhat:rhel_eus:9.2
cpe:/o:redhat:rhel_eus:9.4

Mon, 26 May 2025 15:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:10.0

Thu, 22 May 2025 03:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:enterprise_linux:8::nfv
cpe:/a:redhat:rhel_eus:9.4
cpe:/o:redhat:enterprise_linux:8

Tue, 20 May 2025 03:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat enterprise Linux
CPEs cpe:/a:redhat:enterprise_linux:9
cpe:/a:redhat:rhel_e4s:9.0
cpe:/a:redhat:rhel_e4s:9.0::nfv
cpe:/a:redhat:rhel_tus:8.4::nfv
cpe:/o:redhat:enterprise_linux:9
cpe:/o:redhat:rhel_aus:8.4
cpe:/o:redhat:rhel_e4s:8.4
cpe:/o:redhat:rhel_tus:8.4
Vendors & Products Redhat enterprise Linux

Fri, 16 May 2025 03:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Eus
Redhat rhel Tus
CPEs cpe:/a:redhat:rhel_eus:9.2
cpe:/a:redhat:rhel_eus:9.2::nfv
cpe:/o:redhat:rhel_aus:8.6
cpe:/o:redhat:rhel_e4s:8.6
cpe:/o:redhat:rhel_eus:8.8
cpe:/o:redhat:rhel_tus:8.6
Vendors & Products Redhat
Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Eus
Redhat rhel Tus

Thu, 01 May 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 01 May 2025 02:45:00 +0000

Type Values Removed Values Added
Metrics threat_severity

Moderate

 threat_severity

Important

Wed, 30 Apr 2025 14:45:00 +0000

Type Values Removed Values Added
References

Mon, 24 Mar 2025 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel

Thu, 13 Mar 2025 12:30:00 +0000

Type Values Removed Values Added
References

Tue, 04 Mar 2025 03:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 28 Feb 2025 02:00:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Thu, 27 Feb 2025 19:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 27 Feb 2025 02:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: vsock: Keep the binding until socket destruction Preserve sockets bindings; this includes both resulting from an explicit bind() and those implicitly bound through autobind during connect(). Prevents socket unbinding during a transport reassignment, which fixes a use-after-free: 1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2) 2. transport->release() calls vsock_remove_bound() without checking if sk was bound and moved to bound list (refcnt=1) 3. vsock_bind() assumes sk is in unbound list and before __vsock_insert_bound(vsock_bound_sockets()) calls __vsock_remove_bound() which does: list_del_init(&vsk->bound_table); // nop sock_put(&vsk->sk); // refcnt=0 BUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730 Read of size 4 at addr ffff88816b46a74c by task a.out/2057 dump_stack_lvl+0x68/0x90 print_report+0x174/0x4f6 kasan_report+0xb9/0x190 __vsock_bind+0x62e/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Allocated by task 2057: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 __kasan_slab_alloc+0x85/0x90 kmem_cache_alloc_noprof+0x131/0x450 sk_prot_alloc+0x5b/0x220 sk_alloc+0x2c/0x870 __vsock_create.constprop.0+0x2e/0xb60 vsock_create+0xe4/0x420 __sock_create+0x241/0x650 __sys_socket+0xf2/0x1a0 __x64_sys_socket+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 2057: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x60 __kasan_slab_free+0x4b/0x70 kmem_cache_free+0x1a1/0x590 __sk_destruct+0x388/0x5a0 __vsock_bind+0x5e1/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e refcount_t: addition on 0; use-after-free. WARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150 RIP: 0010:refcount_warn_saturate+0xce/0x150 __vsock_bind+0x66d/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e refcount_t: underflow; use-after-free. WARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150 RIP: 0010:refcount_warn_saturate+0xee/0x150 vsock_remove_bound+0x187/0x1e0 __vsock_release+0x383/0x4a0 vsock_release+0x90/0x120 __sock_release+0xa3/0x250 sock_close+0x14/0x20 __fput+0x359/0xa80 task_work_run+0x107/0x1d0 do_exit+0x847/0x2560 do_group_exit+0xb8/0x250 __x64_sys_exit_group+0x3a/0x50 x64_sys_call+0xfec/0x14f0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e
Title vsock: Keep the binding until socket destruction
References

Subscriptions

Linux Linux Kernel
Redhat Enterprise Linux Rhel Aus Rhel E4s Rhel Eus Rhel Tus
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-02T08:39:26.628Z

Reserved: 2024-12-29T08:45:45.760Z

Link: CVE-2025-21756

cve-icon Vulnrichment

Updated: 2025-11-03T19:37:01.186Z

cve-icon NVD

Status : Modified

Published: 2025-02-27T03:15:16.250

Modified: 2025-11-03T20:17:14.760

Link: CVE-2025-21756

cve-icon Redhat

Severity : Important

Publid Date: 2025-02-27T00:00:00Z

Links: CVE-2025-21756 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T03:45:20Z

Weaknesses