CVE-2025-21666

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
31/01/2025
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> vsock: prevent null-ptr-deref in vsock_*[has_data|has_space]<br /> <br /> Recent reports have shown how we sometimes call vsock_*_has_data()<br /> when a vsock socket has been de-assigned from a transport (see attached<br /> links), but we shouldn&amp;#39;t.<br /> <br /> Previous commits should have solved the real problems, but we may have<br /> more in the future, so to avoid null-ptr-deref, we can return 0<br /> (no space, no data available) but with a warning.<br /> <br /> This way the code should continue to run in a nearly consistent state<br /> and have a warning that allows us to debug future problems.

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.15.177 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.127 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.74 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.11 (excluding)
cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc7:*:*:*:*:*:*