CVE-2025-21755 in Linuxinfo

Summary

by MITRE • 02/27/2025

In the Linux kernel, the following vulnerability has been resolved:

vsock: Orphan socket after transport release

During socket release, sock_orphan() is called without considering that it sets sk->sk_wq to NULL. Later, if SO_LINGER is enabled, this leads to a null pointer dereferenced in virtio_transport_wait_close().

Orphan the socket only after transport release.

Partially reverts the 'Fixes:' commit.

KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
lock_acquire+0x19e/0x500 _raw_spin_lock_irqsave+0x47/0x70 add_wait_queue+0x46/0x230 virtio_transport_release+0x4e7/0x7f0 __vsock_release+0xfd/0x490 vsock_release+0x90/0x120 __sock_release+0xa3/0x250 sock_close+0x14/0x20 __fput+0x35e/0xa90 __x64_sys_close+0x78/0xd0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 09/07/2025

This vulnerability exists within the Linux kernel's virtual socket (vsock) implementation where a null pointer dereference occurs during socket cleanup operations. The flaw specifically manifests when a socket undergoes release processing and the sock_orphan() function is invoked without proper consideration of its side effects. The function sets the socket's wait queue pointer sk->sk_wq to NULL, which creates a dangerous race condition with subsequent operations that may attempt to access this now-null pointer. The vulnerability is particularly concerning because it occurs during the standard socket release lifecycle, making it exploitable through normal network operations that involve closing vsock connections.

The technical root cause stems from improper ordering of operations within the socket release sequence. When virtio_transport_release() is called as part of the socket cleanup process, it performs transport-specific release operations before the socket is properly orphaned. The sock_orphan() function, which is responsible for removing the socket from its original socket queue and preparing it for cleanup, sets sk->sk_wq to NULL. However, if SO_LINGER is enabled on the socket, the virtio_transport_wait_close() function later attempts to access this null pointer, resulting in a kernel oops or potential system crash. This null pointer dereference occurs at the memory address range 0x0000000000000018-0x000000000000001f, indicating a classic null pointer access pattern that would be flagged by kernel memory safety mechanisms like KASAN.

The operational impact of this vulnerability extends beyond simple system crashes, as it represents a potential denial of service condition that could be exploited by malicious actors. An attacker could potentially trigger this vulnerability by establishing vsock connections with SO_LINGER enabled and then closing them in a specific sequence. The vulnerability affects systems running Linux kernels that implement the vsock transport layer, particularly those utilizing virtio-based virtualization environments where vsock functionality is actively used. The flaw demonstrates a classic violation of proper resource management principles where the order of operations creates a temporal dependency that leads to undefined behavior. This issue aligns with CWE-476 which addresses null pointer dereference vulnerabilities, and could potentially be leveraged in attack scenarios that target kernel stability.

The fix for this vulnerability requires reordering the socket release operations to ensure that transport release occurs before socket orphaning. This approach directly addresses the temporal dependency that causes the null pointer dereference by ensuring that all transport-specific cleanup operations complete before the socket's wait queue pointer is set to NULL. The solution involves modifying the socket release sequence in virtio_transport_release() to properly sequence the operations, preventing the premature nullification of the socket's wait queue pointer. This fix partially reverts a previous commit that attempted to address a similar issue but introduced this new vulnerability through incorrect ordering. The mitigation strategy aligns with standard kernel security practices that emphasize proper resource management and temporal ordering of operations, and would be classified under the ATT&CK technique T1499.004 for network denial of service attacks. System administrators should prioritize applying kernel updates that contain this fix, particularly in virtualized environments where vsock functionality is actively utilized, as the vulnerability could be exploited to disrupt network services or cause system instability.

Responsible

Linux

Reservation

12/29/2024

Disclosure

02/27/2025

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!