CVE-2025-21670

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
31/01/2025
Last modified:
04/02/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

vsock/bpf: return early if transport is not assigned

Some of the core functions can only be called if the transport
has been assigned.

As Michal reported, a socket might have the transport at NULL,
for example after a failed connect(), causing the following trace:

BUG: kernel NULL pointer dereference, address: 00000000000000a0
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 12faf8067 P4D 12faf8067 PUD 113670067 PMD 0
Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 15 UID: 0 PID: 1198 Comm: a.out Not tainted 6.13.0-rc2+
RIP: 0010:vsock_connectible_has_data+0x1f/0x40
Call Trace:
vsock_bpf_recvmsg+0xca/0x5e0
sock_recvmsg+0xb9/0xc0
__sys_recvfrom+0xb3/0x130
__x64_sys_recvfrom+0x20/0x30
do_syscall_64+0x93/0x180
entry_SYSCALL_64_after_hwframe+0x76/0x7e

So we need to check the `vsk->transport` in vsock_bpf_recvmsg(),
especially for connected sockets (stream/seqpacket) as we already
do in __vsock_connectible_recvmsg().

Vulnerable products and versions

CPE                                                 From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        6.4 (including)    6.6.74 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        6.7 (including)    6.12.11 (excluding)
cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc7:*:*:*:*:*:*