Description
In the Linux kernel, the following vulnerability has been resolved:
nbd: defer config unlock in nbd_genl_connect
There is one use-after-free warning when running NBD_CMD_CONNECT and
NBD_CLEAR_SOCK:
nbd_genl_connect
nbd_alloc_and_init_config // config_refs=1
nbd_start_device // config_refs=2
set NBD_RT_HAS_CONFIG_REF open nbd // config_refs=3
recv_work done // config_refs=2
NBD_CLEAR_SOCK // config_refs=1
close nbd // config_refs=0
refcount_inc -> uaf
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 24 PID: 1014 at lib/refcount.c:25 refcount_warn_saturate+0x12e/0x290
nbd_genl_connect+0x16d0/0x1ab0
genl_family_rcv_msg_doit+0x1f3/0x310
genl_rcv_msg+0x44a/0x790
The issue can be easily reproduced by adding a small delay before
refcount_inc(&nbd->config_refs) in nbd_genl_connect():
mutex_unlock(&nbd->config_lock);
if (!ret) {
set_bit(NBD_RT_HAS_CONFIG_REF, &config->runtime_flags);
+ printk("before sleep\n");
+ mdelay(5 * 1000);
+ printk("after sleep\n");
refcount_inc(&nbd->config_refs);
nbd_connect_reply(info, nbd->index);
}
nbd: defer config unlock in nbd_genl_connect
There is one use-after-free warning when running NBD_CMD_CONNECT and
NBD_CLEAR_SOCK:
nbd_genl_connect
nbd_alloc_and_init_config // config_refs=1
nbd_start_device // config_refs=2
set NBD_RT_HAS_CONFIG_REF open nbd // config_refs=3
recv_work done // config_refs=2
NBD_CLEAR_SOCK // config_refs=1
close nbd // config_refs=0
refcount_inc -> uaf
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 24 PID: 1014 at lib/refcount.c:25 refcount_warn_saturate+0x12e/0x290
nbd_genl_connect+0x16d0/0x1ab0
genl_family_rcv_msg_doit+0x1f3/0x310
genl_rcv_msg+0x44a/0x790
The issue can be easily reproduced by adding a small delay before
refcount_inc(&nbd->config_refs) in nbd_genl_connect():
mutex_unlock(&nbd->config_lock);
if (!ret) {
set_bit(NBD_RT_HAS_CONFIG_REF, &config->runtime_flags);
+ printk("before sleep\n");
+ mdelay(5 * 1000);
+ printk("after sleep\n");
refcount_inc(&nbd->config_refs);
nbd_connect_reply(info, nbd->index);
}
Analysis
Analysis and contextual insights are available on OpenCVE Cloud.
Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).
| Vendor | Product | Default status | Versions | |||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux | unaffected |
|
|||||||||||||||||||||||||||||||||
| Linux | Linux | affected |
|
No data.
No data.
No data available yet.
Remediation
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
 Debian DLA |
DLA-4475-1 | linux security update |
| Debian DLA |
DLA-4476-1 | linux-6.1 security update |
 Debian DSA |
DSA-6127-1 | linux security update |
 Ubuntu USN |
USN-8094-1 | Linux kernel vulnerabilities |
| Ubuntu USN |
USN-8096-1 | Linux kernel vulnerabilities |
| Ubuntu USN |
USN-8096-2 | Linux kernel (FIPS) vulnerabilities |
| Ubuntu USN |
USN-8094-2 | Linux kernel vulnerabilities |
| Ubuntu USN |
USN-8096-3 | Linux kernel vulnerabilities |
| Ubuntu USN |
USN-8096-4 | Linux kernel (Real-time) vulnerabilities |
| Ubuntu USN |
USN-8096-5 | Linux kernel (NVIDIA Tegra IGX) vulnerabilities |
| Ubuntu USN |
USN-8116-1 | Linux kernel (Intel IoTG Real-time) vulnerabilities |
| Ubuntu USN |
USN-8094-3 | Linux kernel (Real-time) vulnerabilities |
| Ubuntu USN |
USN-8094-4 | Linux kernel (Azure) vulnerabilities |
| Ubuntu USN |
USN-8094-5 | Linux kernel (Raspberry Pi) vulnerabilities |
| Ubuntu USN |
USN-8141-1 | Linux kernel (Raspberry Pi) vulnerabilities |
| Ubuntu USN |
USN-8152-1 | Linux kernel (OEM) vulnerabilities |
| Ubuntu USN |
USN-8163-1 | Linux kernel (Azure FIPS) vulnerabilities |
| Ubuntu USN |
USN-8163-2 | Linux kernel (Azure) vulnerabilities |
| Ubuntu USN |
USN-8179-1 | Linux kernel vulnerabilities |
| Ubuntu USN |
USN-8184-1 | Linux kernel (Real-time) vulnerabilities |
| Ubuntu USN |
USN-8179-2 | Linux kernel (FIPS) vulnerabilities |
| Ubuntu USN |
USN-8185-1 | Linux kernel (NVIDIA) vulnerabilities |
| Ubuntu USN |
USN-8179-3 | Linux kernel vulnerabilities |
| Ubuntu USN |
USN-8203-1 | Linux kernel (Oracle) vulnerabilities |
| Ubuntu USN |
USN-8204-1 | Linux kernel (Raspberry Pi Real-time) vulnerabilities |
| Ubuntu USN |
USN-8185-2 | Linux kernel (Low Latency NVIDIA) vulnerabilities |
| Ubuntu USN |
USN-8179-4 | Linux kernel (GCP) vulnerabilities |
| Ubuntu USN |
USN-8243-1 | Linux kernel (Azure) vulnerabilities |
| Ubuntu USN |
USN-8258-1 | Linux kernel (Azure) vulnerabilities |
| Ubuntu USN |
USN-8260-1 | Linux kernel (Azure FIPS) vulnerabilities |
| Ubuntu USN |
USN-8261-1 | Linux kernel (Xilinx) vulnerabilities |
| Ubuntu USN |
USN-8265-1 | Linux kernel (NVIDIA Tegra) vulnerabilities |
References
History
Mon, 19 Jan 2026 12:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
Sun, 11 Jan 2026 16:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
Fri, 26 Dec 2025 00:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| References |
| |
| Metrics |
threat_severity
|
cvssV3_1
|
Wed, 24 Dec 2025 10:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | In the Linux kernel, the following vulnerability has been resolved: nbd: defer config unlock in nbd_genl_connect There is one use-after-free warning when running NBD_CMD_CONNECT and NBD_CLEAR_SOCK: nbd_genl_connect nbd_alloc_and_init_config // config_refs=1 nbd_start_device // config_refs=2 set NBD_RT_HAS_CONFIG_REF open nbd // config_refs=3 recv_work done // config_refs=2 NBD_CLEAR_SOCK // config_refs=1 close nbd // config_refs=0 refcount_inc -> uaf ------------[ cut here ]------------ refcount_t: addition on 0; use-after-free. WARNING: CPU: 24 PID: 1014 at lib/refcount.c:25 refcount_warn_saturate+0x12e/0x290 nbd_genl_connect+0x16d0/0x1ab0 genl_family_rcv_msg_doit+0x1f3/0x310 genl_rcv_msg+0x44a/0x790 The issue can be easily reproduced by adding a small delay before refcount_inc(&nbd->config_refs) in nbd_genl_connect(): mutex_unlock(&nbd->config_lock); if (!ret) { set_bit(NBD_RT_HAS_CONFIG_REF, &config->runtime_flags); + printk("before sleep\n"); + mdelay(5 * 1000); + printk("after sleep\n"); refcount_inc(&nbd->config_refs); nbd_connect_reply(info, nbd->index); } | |
| Title | nbd: defer config unlock in nbd_genl_connect | |
| First Time appeared |
Linux
Linux linux Kernel |
|
| CPEs | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Linux
Linux linux Kernel |
|
| References |
|
MITRE
Status: PUBLISHED
Assigner: Linux
Published:
Updated: 2026-05-11T21:51:48.993Z
Reserved: 2025-12-16T14:48:05.308Z
Link: CVE-2025-68366
Vulnrichment
No data.
NVD
Status : Deferred
Published: 2025-12-24T11:16:00.163
Modified: 2026-04-15T00:35:42.020
Link: CVE-2025-68366
Redhat
OpenCVE Enrichment
No data.
Weaknesses
No weakness.