CVE-2025-21792 in Linuxinfo

Summary

by MITRE • 02/27/2025

In the Linux kernel, the following vulnerability has been resolved:

ax25: Fix refcount leak caused by setting SO_BINDTODEVICE sockopt

If an AX25 device is bound to a socket by setting the SO_BINDTODEVICE socket option, a refcount leak will occur in ax25_release().

Commit 9fd75b66b8f6 ("ax25: Fix refcount leaks caused by ax25_cb_del()") added decrement of device refcounts in ax25_release(). In order for that to work correctly the refcounts must already be incremented when the device is bound to the socket. An AX25 device can be bound to a socket by either calling ax25_bind() or setting SO_BINDTODEVICE socket option. In both cases the refcounts should be incremented, but in fact it is done only in ax25_bind().

This bug leads to the following issue reported by Syzkaller:

================================================================ refcount_t: decrement hit 0; leaking memory. WARNING: CPU: 1 PID: 5932 at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210 lib/refcount.c:31 Modules linked in: CPU: 1 UID: 0 PID: 5932 Comm: syz-executor424 Not tainted 6.13.0-rc4-syzkaller-00110-g4099a71718b0 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:refcount_warn_saturate+0x1ed/0x210 lib/refcount.c:31 Call Trace: __refcount_dec include/linux/refcount.h:336 [inline]
refcount_dec include/linux/refcount.h:351 [inline]
ref_tracker_free+0x710/0x820 lib/ref_tracker.c:236 netdev_tracker_free include/linux/netdevice.h:4156 [inline]
netdev_put include/linux/netdevice.h:4173 [inline]
netdev_put include/linux/netdevice.h:4169 [inline]
ax25_release+0x33f/0xa10 net/ax25/af_ax25.c:1069 __sock_release+0xb0/0x270 net/socket.c:640 sock_close+0x1c/0x30 net/socket.c:1408 ... do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f ... ================================================================

Fix the implementation of ax25_setsockopt() by adding increment of refcounts for the new device bound, and decrement of refcounts for the old unbound device.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 05/25/2026

The vulnerability described in CVE-2025-21792 affects the Linux kernel's AX25 ( Amateur Radio AX.25 protocol) implementation and represents a classic reference count leak scenario that can lead to memory exhaustion and system instability. This issue specifically occurs within the ax25_release() function when a socket is bound to an AX25 device using the SO_BINDTODEVICE socket option. The problem manifests as a refcount_t decrement hitting zero, which triggers a memory leak warning and indicates that network device references are not being properly managed. The vulnerability is particularly concerning because it operates at the kernel level and can be exploited through socket operations that are commonly used in network programming, making it a potential vector for denial-of-service attacks or resource exhaustion.

The technical flaw stems from an incomplete implementation of the socket option handling mechanism within the AX25 subsystem. When an AX25 device is bound to a socket through the SO_BINDTODEVICE socket option, the code fails to increment the reference count of the network device, while the ax25_bind() function properly handles this increment. This asymmetry creates a scenario where the ax25_release() function attempts to decrement reference counts that were never incremented, leading to the refcount leak. The issue is further exacerbated by the fact that the fix in commit 9fd75b66b8f6 addressed similar problems in ax25_cb_del() but did not account for the specific case of SO_BINDTODEVICE usage. This inconsistency in reference counting demonstrates a failure in the kernel's resource management framework and represents a violation of proper resource lifecycle management principles that are fundamental to kernel security.

The operational impact of this vulnerability extends beyond simple memory leaks to potentially compromise system stability and availability. When the reference count reaches zero and cannot be decremented properly, the system generates warnings that indicate resource management failure, which can accumulate over time and lead to memory exhaustion. The reported Syzkaller trace shows the issue occurring during socket release operations, which are frequent in network applications, meaning that sustained exploitation could cause system degradation or crashes. From an ATT&CK perspective, this vulnerability could be leveraged as part of a denial-of-service attack (T1499.004) or as a stepping stone for more sophisticated attacks that exploit kernel memory management flaws. The vulnerability affects systems using the AX25 protocol stack, which includes amateur radio networks and specialized communication systems, making it relevant to both general computing environments and specialized networking infrastructure.

Mitigation strategies for this vulnerability must address both the immediate kernel-level fix and broader system hardening measures. The primary solution involves implementing proper reference counting in the ax25_setsockopt() function by ensuring that new devices bound through SO_BINDTODEVICE have their reference counts incremented and that old devices unbound have their reference counts decremented. This fix aligns with CWE-404, which addresses improper resource management, and specifically targets the improper handling of reference counting in kernel space. System administrators should prioritize applying the kernel patch that resolves this issue, as it represents a direct fix to the reference counting logic. Additionally, monitoring systems for memory-related warnings and implementing resource limits on socket operations can help detect potential exploitation attempts. Network administrators should also consider implementing access controls and monitoring for AX25 protocol usage to prevent unauthorized access to systems that may be vulnerable to this type of resource exhaustion attack. The vulnerability demonstrates the importance of comprehensive testing of kernel socket option handling and proper reference counting mechanisms across all protocol implementations.

Responsible

Linux

Reservation

12/29/2024

Disclosure

02/27/2025

Moderation

accepted

CPE

ready

EPSS

0.00213

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!