CVE-2025-21756

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> vsock: Keep the binding until socket destruction<br /> <br /> Preserve sockets bindings; this includes both resulting from an explicit<br /> bind() and those implicitly bound through autobind during connect().<br /> <br /> Prevents socket unbinding during a transport reassignment, which fixes a<br /> use-after-free:<br /> <br /> 1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2)<br /> 2. transport-&gt;release() calls vsock_remove_bound() without checking if<br /> sk was bound and moved to bound list (refcnt=1)<br /> 3. vsock_bind() assumes sk is in unbound list and before<br /> __vsock_insert_bound(vsock_bound_sockets()) calls<br /> __vsock_remove_bound() which does:<br /> list_del_init(&amp;vsk-&gt;bound_table); // nop<br /> sock_put(&amp;vsk-&gt;sk); // refcnt=0<br /> <br /> BUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730<br /> Read of size 4 at addr ffff88816b46a74c by task a.out/2057<br /> dump_stack_lvl+0x68/0x90<br /> print_report+0x174/0x4f6<br /> kasan_report+0xb9/0x190<br /> __vsock_bind+0x62e/0x730<br /> vsock_bind+0x97/0xe0<br /> __sys_bind+0x154/0x1f0<br /> __x64_sys_bind+0x6e/0xb0<br /> do_syscall_64+0x93/0x1b0<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> Allocated by task 2057:<br /> kasan_save_stack+0x1e/0x40<br /> kasan_save_track+0x10/0x30<br /> __kasan_slab_alloc+0x85/0x90<br /> kmem_cache_alloc_noprof+0x131/0x450<br /> sk_prot_alloc+0x5b/0x220<br /> sk_alloc+0x2c/0x870<br /> __vsock_create.constprop.0+0x2e/0xb60<br /> vsock_create+0xe4/0x420<br /> __sock_create+0x241/0x650<br /> __sys_socket+0xf2/0x1a0<br /> __x64_sys_socket+0x6e/0xb0<br /> do_syscall_64+0x93/0x1b0<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> Freed by task 2057:<br /> kasan_save_stack+0x1e/0x40<br /> kasan_save_track+0x10/0x30<br /> kasan_save_free_info+0x37/0x60<br /> __kasan_slab_free+0x4b/0x70<br /> kmem_cache_free+0x1a1/0x590<br /> __sk_destruct+0x388/0x5a0<br /> __vsock_bind+0x5e1/0x730<br /> vsock_bind+0x97/0xe0<br /> __sys_bind+0x154/0x1f0<br /> __x64_sys_bind+0x6e/0xb0<br /> do_syscall_64+0x93/0x1b0<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> refcount_t: addition on 0; use-after-free.<br /> WARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150<br /> RIP: 0010:refcount_warn_saturate+0xce/0x150<br /> __vsock_bind+0x66d/0x730<br /> vsock_bind+0x97/0xe0<br /> __sys_bind+0x154/0x1f0<br /> __x64_sys_bind+0x6e/0xb0<br /> do_syscall_64+0x93/0x1b0<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> refcount_t: underflow; use-after-free.<br /> WARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150<br /> RIP: 0010:refcount_warn_saturate+0xee/0x150<br /> vsock_remove_bound+0x187/0x1e0<br /> __vsock_release+0x383/0x4a0<br /> vsock_release+0x90/0x120<br /> __sock_release+0xa3/0x250<br /> sock_close+0x14/0x20<br /> __fput+0x359/0xa80<br /> task_work_run+0x107/0x1d0<br /> do_exit+0x847/0x2560<br /> do_group_exit+0xb8/0x250<br /> __x64_sys_exit_group+0x3a/0x50<br /> x64_sys_call+0xfec/0x14f0<br /> do_syscall_64+0x93/0x1b0<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e