CVE-2025-21731 in Linux

Summary

by MITRE • 02/27/2025

In the Linux kernel, the following vulnerability has been resolved:

nbd: don't allow reconnect after disconnect

Following process can cause nbd_config UAF:

1) grab nbd_config temporarily;

2) nbd_genl_disconnect() flush all recv_work() and release the initial reference:

nbd_genl_disconnect
 nbd_disconnect_and_put
  nbd_disconnect
   flush_workqueue(nbd->recv_workq)
  if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF, ...))
   nbd_config_put
   -> due to step 1), reference is still not zero

3) nbd_genl_reconfigure() queue recv_work() again;

nbd_genl_reconfigure
 config = nbd_get_config_unlocked(nbd)
 if (!config)
 -> succeed
 if (!test_bit(NBD_RT_BOUND, ...))
 -> succeed
 nbd_reconnect_socket
  queue_work(nbd->recv_workq, &args->work)

4) step 1) release the reference;

5) Finally, recv_work() will trigger UAF:

recv_work
 nbd_config_put(nbd)
 -> nbd_config is freed
 atomic_dec(&config->recv_threads)
 -> UAF

Fix the problem by clearing NBD_RT_BOUND in nbd_genl_disconnect(), so that nbd_genl_reconfigure() will fail.


Analysis

by VulDB Data Team • 05/25/2026

CVE-2025-21731 is a use-after-free in the Linux kernel's network block device (NBD) subsystem, caused by improper handling of configuration references across disconnect and reconnect operations. A sequence of disconnect and reconfigure commands creates a race in which a freed memory structure is accessed after it has been released. The affected structure is nbd_config, which holds the configuration state of an NBD device and is reached concurrently from several paths, so the race becomes a memory safety violation.

The flaw lies in a temporal gap in the NBD subsystem's reference counting. When nbd_genl_disconnect() runs, it flushes all pending recv_work() items and releases the initial reference to nbd_config through nbd_config_put(). It does not clear the NBD_RT_BOUND bit before that release, so a subsequent nbd_genl_reconfigure() still passes its state check and can queue new recv_work() items while the configuration structure is being torn down. This leaves a window in which nbd_config is freed while queued work items still refer to it.

The impact extends beyond simple memory corruption: the use-after-free can enable privilege escalation and cause system instability. Attackers can leverage the condition to execute arbitrary code in kernel space, potentially gaining full control of the system, or to crash it for a denial of service. The flaw is particularly concerning because it sits in the core NBD functionality used for remote storage access, which makes it reachable in deployments that rely on network-based storage protocols. It is classified as CWE-416 (Use After Free), a classic instance of improper resource management in kernel code.

The fix addresses the root cause by clearing the NBD_RT_BOUND bit in nbd_genl_disconnect() before the configuration references are released. nbd_genl_reconfigure() then fails while a disconnect is in progress and cannot queue new recv_work() items, which closes the race that leads to the use-after-free. The mitigation follows established kernel practice for preventing concurrent-access violations and maps to ATT&CK technique T1068, which covers exploiting kernel vulnerabilities for privilege escalation. More generally, the bug illustrates the need for careful synchronization and reference counting in kernel drivers whose shared resources are reached through asynchronous work queues.
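As an added illustration of the five steps in the commit message and of the fix described in the analysis above (constructed userspace model, not kernel code and not part of the advisory), the following C program replays the disconnect/reconfigure sequence with and without clearing NBD_RT_BOUND. Function and bit names mirror the kernel's; the refcount, the flags and the work-queue counter are stand-ins, and the model assumes the queued recv_work() owns its own config reference, as the nbd_config_put() in step 5 implies.

```c
#include <stdbool.h>

/* Constructed userspace model of the nbd_config lifecycle in the commit message
 * (not kernel code): a refcount, the two runtime bits, and a recv_workq counter. */
struct nbd_model {
    int  config_refs;      /* refcount on nbd_config; 0 means it has been freed */
    bool has_config_ref;   /* NBD_RT_HAS_CONFIG_REF: initial reference still held */
    bool bound;            /* NBD_RT_BOUND */
    int  queued_recv_work; /* recv_work() items pending on nbd->recv_workq */
};

static void nbd_config_put(struct nbd_model *m) { m->config_refs--; }

/* Step 2: nbd_genl_disconnect(); fixed == true adds the commit's clearing of NBD_RT_BOUND. */
static void nbd_genl_disconnect(struct nbd_model *m, bool fixed)
{
    m->queued_recv_work = 0;          /* flush_workqueue(nbd->recv_workq) */
    if (fixed)
        m->bound = false;
    if (m->has_config_ref) {          /* test_and_clear_bit(NBD_RT_HAS_CONFIG_REF, ...) */
        m->has_config_ref = false;
        nbd_config_put(m);            /* not the last reference while step 1 holds one */
    }
}

/* Step 3: nbd_genl_reconfigure(); 0 if recv_work() was queued, -1 if refused.
 * Assumes the queued work owns a config reference (the one step 5's put releases). */
static int nbd_genl_reconfigure(struct nbd_model *m)
{
    if (m->config_refs == 0 || !m->bound) /* nbd_get_config_unlocked() / test_bit(NBD_RT_BOUND) */
        return -1;
    m->config_refs++;
    m->queued_recv_work++;            /* nbd_reconnect_socket -> queue_work(...) */
    return 0;
}

/* Replays steps 1-5; true means recv_work() would touch a freed nbd_config. */
static bool replay_triggers_uaf(bool fixed)
{
    struct nbd_model m = { .config_refs = 1, .has_config_ref = true, .bound = true };
    m.config_refs++;                             /* 1) temporary reference */
    nbd_genl_disconnect(&m, fixed);              /* 2) */
    bool queued = nbd_genl_reconfigure(&m) == 0; /* 3) */
    nbd_config_put(&m);                          /* 4) temporary reference released */
    if (!queued)
        return false;                            /* nothing pending to run recv_work() */
    nbd_config_put(&m);                          /* 5) recv_work: nbd_config_put(nbd) frees it */
    return m.config_refs == 0;                   /*    then atomic_dec(&config->recv_threads) */
}
```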

Network block devices are widely used for storage virtualization and remote data access, so systems that provision storage over NBD are exposed to this flaw, particularly those that reconnect network storage dynamically or run in high-concurrency environments where disconnect and reconnect operations are frequent. The bug is a reminder of the complexity of kernel-level memory management and of the importance of thoroughly testing concurrent access patterns in security-sensitive subsystems. The fix makes the NBD subsystem enforce its state transitions properly and reject invalid operations during disconnect, preserving the integrity of kernel memory and closing the path to exploitation through memory corruption.

Responsible

Linux

Reservation

12/29/2024

Disclosure

02/27/2025

Moderation

accepted

CPE

ready

EPSS

0.00204

KEV

no

Activities

very low

Sources
