{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-21755", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-12-29T08:45:45.760Z", "datePublished": "2025-02-27T02:18:11.055Z", "dateUpdated": "2025-03-13T12:28:26.152Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-03-13T12:28:26.152Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock: Orphan socket after transport release\n\nDuring socket release, sock_orphan() is called without considering that it\nsets sk->sk_wq to NULL. Later, if SO_LINGER is enabled, this leads to a\nnull pointer dereferenced in virtio_transport_wait_close().\n\nOrphan the socket only after transport release.\n\nPartially reverts the 'Fixes:' commit.\n\nKASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]\n lock_acquire+0x19e/0x500\n _raw_spin_lock_irqsave+0x47/0x70\n add_wait_queue+0x46/0x230\n virtio_transport_release+0x4e7/0x7f0\n __vsock_release+0xfd/0x490\n vsock_release+0x90/0x120\n __sock_release+0xa3/0x250\n sock_close+0x14/0x20\n __fput+0x35e/0xa90\n __x64_sys_close+0x78/0xd0\n do_syscall_64+0x93/0x1b0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/vmw_vsock/af_vsock.c"], "versions": [{"version": "e7754d564579a5db9c5c9f74228df5d6dd6f1173", "lessThan": "c6acb650a73d5705a93b9c5a2cd5e9c8161f0be3", "status": "affected", "versionType": "git"}, {"version": "e48fcb403c2d0e574c19683f09399ab4cf67809c", "lessThan": "bab61f41c942a20ef7b4feea50e9d36d19ad1a26", "status": "affected", "versionType": "git"}, {"version": "42b33381e5e1f2b967dc4fb4221ddb9aaf10d197", "lessThan": "631e00fdac7acca676103d6cbc96eb152625f449", "status": "affected", "versionType": "git"}, {"version": "3f43540166128951cc1be7ab1ce6b7f05c670d8b", "lessThan": "f3b8e9d3414b2eb083d8293be25a949fe480897b", "status": "affected", "versionType": "git"}, {"version": "645ce25aa0e67895b11d89f27bb86c9d444c40f8", "lessThan": "3a866f8376f0a5c848dcb59cd26df845fffbe6d8", "status": "affected", "versionType": "git"}, {"version": "b1afd40321f1c243cffbcf40ea7ca41aca87fa5e", "lessThan": "94d81870eec7ad2dd7af80bffd314ded26caea1a", "status": "affected", "versionType": "git"}, {"version": "fcdd2242c0231032fc84e1404315c245ae56322a", "lessThan": "78dafe1cf3afa02ed71084b350713b07e72a18fb", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/vmw_vsock/af_vsock.c"], "versions": [{"version": "6.14-rc1", "status": "affected"}, {"version": "0", "lessThan": "6.14-rc1", "status": "unaffected", "versionType": "semver"}, {"version": "6.14-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/c6acb650a73d5705a93b9c5a2cd5e9c8161f0be3"}, {"url": "https://git.kernel.org/stable/c/bab61f41c942a20ef7b4feea50e9d36d19ad1a26"}, {"url": "https://git.kernel.org/stable/c/631e00fdac7acca676103d6cbc96eb152625f449"}, {"url": "https://git.kernel.org/stable/c/f3b8e9d3414b2eb083d8293be25a949fe480897b"}, {"url": "https://git.kernel.org/stable/c/3a866f8376f0a5c848dcb59cd26df845fffbe6d8"}, {"url": "https://git.kernel.org/stable/c/94d81870eec7ad2dd7af80bffd314ded26caea1a"}, {"url": "https://git.kernel.org/stable/c/78dafe1cf3afa02ed71084b350713b07e72a18fb"}], "title": "vsock: Orphan socket after transport release", "x_generator": {"engine": "bippy-5f407fcff5a0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*", "matchCriteriaId": "186716B6-2B66-4BD0-852E-D48E71C0C85F", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*", "matchCriteriaId": "0D3E781C-403A-498F-9DA9-ECEE50F41E75", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock: Orphan socket after transport release\n\nDuring socket release, sock_orphan() is called without considering that it\nsets sk->sk_wq to NULL. Later, if SO_LINGER is enabled, this leads to a\nnull pointer dereferenced in virtio_transport_wait_close().\n\nOrphan the socket only after transport release.\n\nPartially reverts the 'Fixes:' commit.\n\nKASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]\n lock_acquire+0x19e/0x500\n _raw_spin_lock_irqsave+0x47/0x70\n add_wait_queue+0x46/0x230\n virtio_transport_release+0x4e7/0x7f0\n __vsock_release+0xfd/0x490\n vsock_release+0x90/0x120\n __sock_release+0xa3/0x250\n sock_close+0x14/0x20\n __fput+0x35e/0xa90\n __x64_sys_close+0x78/0xd0\n do_syscall_64+0x93/0x1b0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: vsock: socket hu\u00e9rfano despu\u00e9s de la liberaci\u00f3n del transporte Durante la liberaci\u00f3n del socket, se llama a sock_orphan() sin tener en cuenta que establece sk->sk_wq en NULL. M\u00e1s tarde, si se habilita SO_LINGER, esto conduce a un puntero nulo desreferenciado en virtio_transport_wait_close(). Deja hu\u00e9rfano el socket solo despu\u00e9s de la liberaci\u00f3n del transporte. Revierte parcialmente el commit 'Fixes:'. KASAN: desreferencia de punto nulo en el rango [0x0000000000000018-0x0000000000000001f] lock_acquire+0x19e/0x500 _raw_spin_lock_irqsave+0x47/0x70 add_wait_queue+0x46/0x230 virtio_transport_release+0x4e7/0x7f0 __vsock_release+0xfd/0x490 vsock_release+0x90/0x120 __sock_release+0xa3/0x250 sock_close+0x14/0x20 __fput+0x35e/0xa90 __x64_sys_close+0x78/0xd0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e"}], "id": "CVE-2025-21755", "lastModified": "2025-03-13T13:15:52.260", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-02-27T03:15:16.150", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3a866f8376f0a5c848dcb59cd26df845fffbe6d8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/631e00fdac7acca676103d6cbc96eb152625f449"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/78dafe1cf3afa02ed71084b350713b07e72a18fb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/94d81870eec7ad2dd7af80bffd314ded26caea1a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/bab61f41c942a20ef7b4feea50e9d36d19ad1a26"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c6acb650a73d5705a93b9c5a2cd5e9c8161f0be3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f3b8e9d3414b2eb083d8293be25a949fe480897b"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"bugzilla": {"description": "kernel: vsock: Orphan socket after transport release", "id": "2348571", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348571"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-476", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nvsock: Orphan socket after transport release\nDuring socket release, sock_orphan() is called without considering that it\nsets sk->sk_wq to NULL. Later, if SO_LINGER is enabled, this leads to a\nnull pointer dereferenced in virtio_transport_wait_close().\nOrphan the socket only after transport release.\nPartially reverts the 'Fixes:' commit.\nKASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]\nlock_acquire+0x19e/0x500\n_raw_spin_lock_irqsave+0x47/0x70\nadd_wait_queue+0x46/0x230\nvirtio_transport_release+0x4e7/0x7f0\n__vsock_release+0xfd/0x490\nvsock_release+0x90/0x120\n__sock_release+0xa3/0x250\nsock_close+0x14/0x20\n__fput+0x35e/0xa90\n__x64_sys_close+0x78/0xd0\ndo_syscall_64+0x93/0x1b0\nentry_SYSCALL_64_after_hwframe+0x76/0x7e"], "name": "CVE-2025-21755", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-02-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-21755\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-21755\nhttps://lore.kernel.org/linux-cve-announce/2025022603-CVE-2025-21755-5887@gregkh/T"], "threat_severity": "Moderate"}