CVE-2025-21731 - Vulnerability Details

- nbd: don't allow reconnect after disconnect

Description

In the Linux kernel, the following vulnerability has been resolved:

nbd: don't allow reconnect after disconnect

Following process can cause nbd_config UAF:

1) grab nbd_config temporarily;

2) nbd_genl_disconnect() flush all recv_work() and release the
initial reference:

nbd_genl_disconnect
nbd_disconnect_and_put
nbd_disconnect
flush_workqueue(nbd->recv_workq)
if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF, ...))
nbd_config_put
-> due to step 1), reference is still not zero

3) nbd_genl_reconfigure() queue recv_work() again;

nbd_genl_reconfigure
config = nbd_get_config_unlocked(nbd)
if (!config)
-> succeed
if (!test_bit(NBD_RT_BOUND, ...))
-> succeed
nbd_reconnect_socket
queue_work(nbd->recv_workq, &args->work)

4) step 1) release the reference;

5) Finially, recv_work() will trigger UAF:

recv_work
nbd_config_put(nbd)
-> nbd_config is freed
atomic_dec(&config->recv_threads)
-> UAF

Fix the problem by clearing NBD_RT_BOUND in nbd_genl_disconnect(), so
that nbd_genl_reconfigure() will fail.

Published: 2025-02-27

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`b7aa3d39385dc2d95899f9e379623fef446a2acd`	affected	< e70a578487a47d7cf058904141e586684d1c3381
`b7aa3d39385dc2d95899f9e379623fef446a2acd`	affected	< 6bef6222a3f6c7adb6396f77f25a3579d821b09a
`b7aa3d39385dc2d95899f9e379623fef446a2acd`	affected	< e3be8862d73cac833e0fb7602636c19c6cb94b11
`b7aa3d39385dc2d95899f9e379623fef446a2acd`	affected	< e7343fa33751cb07c1c56b666bf37cfca357130e
`b7aa3d39385dc2d95899f9e379623fef446a2acd`	affected	< d208d2c52b652913b5eefc8ca434b0d6b757f68f
`b7aa3d39385dc2d95899f9e379623fef446a2acd`	affected	< a8ee6ecde2b7bfb58c8a3afe8a9d2b848f580739
`b7aa3d39385dc2d95899f9e379623fef446a2acd`	affected	< 9793bd5ae4bdbdb2dde401a3cab94a6bfd05e302
`b7aa3d39385dc2d95899f9e379623fef446a2acd`	affected	< 844b8cdc681612ff24df62cdefddeab5772fadf1

Linux

affected

Version	Status	Constraints
`4.12`	affected	—
`0`	unaffected	< 4.12
`5.4.291`	unaffected	≤ 5.4.*
`5.10.235`	unaffected	≤ 5.10.*
`5.15.179`	unaffected	≤ 5.15.*
`6.1.129`	unaffected	≤ 6.1.*
`6.6.76`	unaffected	≤ 6.6.*
`6.12.13`	unaffected	≤ 6.12.*
`6.13.2`	unaffected	≤ 6.13.*
`6.14`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4102-1	linux-6.1 security update
Debian DLA	DLA-4178-1	linux security update
EUVD	EUVD-2025-5235	In the Linux kernel, the following vulnerability has been resolved: nbd: don't allow reconnect after disconnect Following process can cause nbd_config UAF: 1) grab nbd_config temporarily; 2) nbd_genl_disconnect() flush all recv_work() and release the initial reference: nbd_genl_disconnect nbd_disconnect_and_put nbd_disconnect flush_workqueue(nbd->recv_workq) if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF, ...)) nbd_config_put -> due to step 1), reference is still not zero 3) nbd_genl_reconfigure() queue recv_work() again; nbd_genl_reconfigure config = nbd_get_config_unlocked(nbd) if (!config) -> succeed if (!test_bit(NBD_RT_BOUND, ...)) -> succeed nbd_reconnect_socket queue_work(nbd->recv_workq, &args->work) 4) step 1) release the reference; 5) Finially, recv_work() will trigger UAF: recv_work nbd_config_put(nbd) -> nbd_config is freed atomic_dec(&config->recv_threads) -> UAF Fix the problem by clearing NBD_RT_BOUND in nbd_genl_disconnect(), so that nbd_genl_reconfigure() will fail.
Ubuntu USN	USN-7510-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7510-2	Linux kernel (FIPS) vulnerabilities
Ubuntu USN	USN-7510-3	Linux kernel vulnerabilities
Ubuntu USN	USN-7510-4	Linux kernel (Real-time) vulnerabilities
Ubuntu USN	USN-7510-5	Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN	USN-7510-6	Linux kernel (AWS FIPS) vulnerabilities
Ubuntu USN	USN-7510-7	Linux kernel vulnerabilities
Ubuntu USN	USN-7510-8	Linux kernel (AWS) vulnerabilities
Ubuntu USN	USN-7511-1	Linux kernel (GCP) vulnerabilities
Ubuntu USN	USN-7511-2	Linux kernel (GCP FIPS) vulnerabilities
Ubuntu USN	USN-7511-3	Linux kernel (GKE) vulnerabilities
Ubuntu USN	USN-7512-1	Linux kernel (GCP) vulnerabilities
Ubuntu USN	USN-7516-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7516-2	Linux kernel (GCP FIPS) vulnerabilities
Ubuntu USN	USN-7516-3	Linux kernel vulnerabilities
Ubuntu USN	USN-7516-4	Linux kernel (Oracle) vulnerabilities
Ubuntu USN	USN-7516-5	Linux kernel (HWE) vulnerabilities
Ubuntu USN	USN-7516-6	Linux kernel (IBM) vulnerabilities
Ubuntu USN	USN-7516-7	Linux kernel (AWS) vulnerabilities
Ubuntu USN	USN-7516-8	Linux kernel (FIPS) vulnerabilities
Ubuntu USN	USN-7516-9	Linux kernel (AWS) vulnerabilities
Ubuntu USN	USN-7517-1	Linux kernel (Xilinx ZynqMP) vulnerabilities
Ubuntu USN	USN-7517-2	Linux kernel (IBM) vulnerabilities
Ubuntu USN	USN-7517-3	Linux kernel (BlueField) vulnerabilities
Ubuntu USN	USN-7518-1	Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN	USN-7521-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7521-2	Linux kernel (AWS) vulnerabilities
Ubuntu USN	USN-7521-3	Linux kernel vulnerabilities
Ubuntu USN	USN-7539-1	Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN	USN-7540-1	Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN	USN-7593-1	Linux kernel (HWE) vulnerabilities
Ubuntu USN	USN-7602-1	Linux kernel (Xilinx ZynqMP) vulnerabilities
Ubuntu USN	USN-7640-1	Linux kernel (IoT) vulnerabilities
Ubuntu USN	USN-7651-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7651-2	Linux kernel vulnerabilities
Ubuntu USN	USN-7651-3	Linux kernel vulnerabilities
Ubuntu USN	USN-7651-4	Linux kernel (GCP) vulnerabilities
Ubuntu USN	USN-7651-5	Linux kernel (Raspberry Pi Real-time) vulnerabilities
Ubuntu USN	USN-7651-6	Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN	USN-7652-1	Linux kernel (Real-time) vulnerabilities
Ubuntu USN	USN-7653-1	Linux kernel (HWE) vulnerabilities
Ubuntu USN	USN-7737-1	Linux kernel (Azure) vulnerabilities

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00028.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://git.kernel.org/stable/c/6bef6222a3f6c7adb6396f77f25a3579d821b09a
https://git.kernel.org/stable/c/844b8cdc681612ff24df62cdefddeab5772fadf1
https://git.kernel.org/stable/c/9793bd5ae4bdbdb2dde401a3cab94a6bfd05e302
https://git.kernel.org/stable/c/a8ee6ecde2b7bfb58c8a3afe8a9d2b848f580739
https://git.kernel.org/stable/c/d208d2c52b652913b5eefc8ca434b0d6b757f68f
https://git.kernel.org/stable/c/e3be8862d73cac833e0fb7602636c19c6cb94b11
https://git.kernel.org/stable/c/e70a578487a47d7cf058904141e586684d1c3381
https://git.kernel.org/stable/c/e7343fa33751cb07c1c56b666bf37cfca357130e
https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html
https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html
https://lore.kernel.org/linux-cve-announce/2025022649-CVE-2025-21731-c18b@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2025-21731
https://www.cve.org/CVERecord?id=CVE-2025-21731

History

Mon, 03 Nov 2025 20:30:00 +0000

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html

Mon, 24 Mar 2025 19:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel

Thu, 13 Mar 2025 12:30:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/6bef6222a3f6c7adb6396f77f25a3579d821b09a https://git.kernel.org/stable/c/e3be8862d73cac833e0fb7602636c19c6cb94b11 https://git.kernel.org/stable/c/e70a578487a47d7cf058904141e586684d1c3381

Tue, 04 Mar 2025 03:45:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 28 Feb 2025 02:00:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2025022649-CVE-2025-21731-c18b@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2025-21731 https://www.cve.org/CVERecord?id=CVE-2025-21731
Metrics	threat_severity `None`	threat_severity `Moderate`

Thu, 27 Feb 2025 18:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416
Metrics		cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Thu, 27 Feb 2025 02:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: nbd: don't allow reconnect after disconnect Following process can cause nbd_config UAF: 1) grab nbd_config temporarily; 2) nbd_genl_disconnect() flush all recv_work() and release the initial reference: nbd_genl_disconnect nbd_disconnect_and_put nbd_disconnect flush_workqueue(nbd->recv_workq) if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF, ...)) nbd_config_put -> due to step 1), reference is still not zero 3) nbd_genl_reconfigure() queue recv_work() again; nbd_genl_reconfigure config = nbd_get_config_unlocked(nbd) if (!config) -> succeed if (!test_bit(NBD_RT_BOUND, ...)) -> succeed nbd_reconnect_socket queue_work(nbd->recv_workq, &args->work) 4) step 1) release the reference; 5) Finially, recv_work() will trigger UAF: recv_work nbd_config_put(nbd) -> nbd_config is freed atomic_dec(&config->recv_threads) -> UAF Fix the problem by clearing NBD_RT_BOUND in nbd_genl_disconnect(), so that nbd_genl_reconfigure() will fail.
Title		nbd: don't allow reconnect after disconnect
References		https://git.kernel.org/stable/c/844b8cdc681612ff24df62cdefddeab5772fadf1 https://git.kernel.org/stable/c/9793bd5ae4bdbdb2dde401a3cab94a6bfd05e302 https://git.kernel.org/stable/c/a8ee6ecde2b7bfb58c8a3afe8a9d2b848f580739 https://git.kernel.org/stable/c/d208d2c52b652913b5eefc8ca434b0d6b757f68f https://git.kernel.org/stable/c/e7343fa33751cb07c1c56b666bf37cfca357130e

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2025-02-27T02:07:35.927Z

Updated: 2026-05-11T21:05:20.600Z

Reserved: 2024-12-29T08:45:45.755Z

Link: CVE-2025-21731

Vulnrichment

Updated: 2025-11-03T19:36:36.130Z

NVD

Status : Modified

Published: 2025-02-27T02:15:16.833

Modified: 2025-11-03T20:17:13.173

Link: CVE-2025-21731

Redhat

Severity : Moderate

Publid Date: 2025-02-27T00:00:00Z

Links: CVE-2025-21731 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

CWE-416

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object