CVE-2025-21854 in Linux

Summary

by MITRE • 03/12/2025

In the Linux kernel, the following vulnerability has been resolved:

sockmap, vsock: For connectible sockets allow only connected

sockmap expects all vsocks to have a transport assigned, which is expressed in vsock_proto::psock_update_sk_prot(). However, there is an edge case where an unconnected (connectible) socket may lose its previously assigned transport. This is handled with a NULL check in the vsock/BPF recv path.

Another design detail is that listening vsocks are not supposed to have any transport assigned at all. Which implies they are not supported by the sockmap. But this is complicated by the fact that a socket, before switching to TCP_LISTEN, may have had some transport assigned during a failed connect() attempt. Hence, we may end up with a listening vsock in a sockmap, which blows up quickly:

KASAN: null-ptr-deref in range [0x0000000000000120-0x0000000000000127]
CPU: 7 UID: 0 PID: 56 Comm: kworker/7:0 Not tainted 6.14.0-rc1+
Workqueue: vsock-loopback vsock_loopback_work
RIP: 0010:vsock_read_skb+0x4b/0x90
Call Trace:
 sk_psock_verdict_data_ready+0xa4/0x2e0
 virtio_transport_recv_pkt+0x1ca8/0x2acc
 vsock_loopback_work+0x27d/0x3f0
 process_one_work+0x846/0x1420
 worker_thread+0x5b3/0xf80
 kthread+0x35a/0x700
 ret_from_fork+0x2d/0x70
 ret_from_fork_asm+0x1a/0x30

For connectible sockets, instead of relying solely on the state of vsk->transport, tell sockmap to only allow those representing established connections. This aligns with the behaviour for AF_INET and AF_UNIX.


Analysis

by VulDB Data Team • 12/14/2025

The vulnerability CVE-2025-21854 resides within the Linux kernel's virtual socket (vsock) implementation and specifically affects the sockmap functionality that manages socket connections. This issue manifests when handling connectible sockets that may transition through different states during their lifecycle, creating inconsistencies in how transport protocols are assigned and validated. The root cause stems from an edge case where unconnected connectible sockets can lose their previously assigned transport, leading to potential null pointer dereferences when these sockets are processed by the sockmap subsystem.

The technical flaw occurs in the vsock/BPF receive path where a null check is performed to handle cases where a socket's transport has been removed, but this handling is insufficient for certain socket states. Specifically, when a socket transitions from a failed connect attempt to a listening state, it may retain a transport assignment that conflicts with sockmap's expectations. This creates a scenario where listening vsocks, which by design should not have transport assigned, end up in sockmap contexts where they trigger null pointer dereference exceptions. The kernel's KASAN (Kernel Address Sanitizer) detection confirms this issue with a null-ptr-deref error occurring at address range 0x0000000000000120-0x0000000000000127 during the vsock_read_skb function execution.

The operational impact of this vulnerability is significant as it can lead to kernel crashes and system instability when the affected code path is triggered. The crash occurs during vsock_loopback_work processing, indicating that the vulnerability affects the kernel's virtual socket loopback mechanism and can potentially be exploited to cause denial of service against systems running affected kernel versions. The call trace shows the path into the crash, from the loopback worker through virtio_transport_recv_pkt into the sockmap verdict handler sk_psock_verdict_data_ready and finally vsock_read_skb, demonstrating that the defect sits in the kernel's networking subsystem, where packet delivery meets the BPF sockmap receive path.

This vulnerability aligns with CWE-476 which describes NULL pointer dereference conditions in software systems, and represents a design inconsistency in socket state management that violates the principle of proper resource handling. The fix implemented addresses this by ensuring that sockmap only accepts sockets representing established connections, matching the behavior pattern used for AF_INET and AF_UNIX socket families. This approach eliminates the problematic edge case where listening sockets with transport assignments could cause null pointer dereferences. The mitigation strategy effectively restricts sockmap's acceptance criteria for vsock sockets to only those that have completed the connection establishment process, thereby preventing the invalid state transitions that lead to the crash condition. This solution follows the ATT&CK framework's approach to system exploitation prevention by addressing the root cause of socket state inconsistency rather than merely patching the symptom, ensuring that the kernel's socket management remains robust against malformed connection state transitions.
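As an added illustration, not the kernel's code and not part of the advisory, a user-space C model contrasting the two sockmap admission rules the commit message describes: the transport-only check that let a listening socket with a stale transport through, and the fixed rule that admits connectible sockets only once established. The struct, the state enum and the function names are hypothetical; sys/socket.h supplies the real socket type constants.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <sys/socket.h>   /* SOCK_STREAM, SOCK_SEQPACKET, SOCK_DGRAM */

/* Hypothetical user-space model of the vsock state sockmap cares about.
 * Field names echo the commit message (vsk->transport, TCP_LISTEN),
 * but this is not the kernel's struct vsock_sock. */
enum vsk_state { VSK_CLOSE, VSK_SYN_SENT, VSK_ESTABLISHED, VSK_LISTEN };

struct vsock_model {
	int type;               /* SOCK_STREAM, SOCK_SEQPACKET or SOCK_DGRAM */
	enum vsk_state state;
	const void *transport;  /* NULL when no transport is assigned */
};

/* Pre-fix rule as the commit message describes it: sockmap relied
 * solely on whether a transport is currently assigned. */
static int sockmap_admit_transport_only(const struct vsock_model *vsk)
{
	return vsk->transport ? 0 : -ENODEV;
}

/* Fixed rule: a connectible socket is admitted only when it represents
 * an established connection, matching AF_INET and AF_UNIX behaviour. */
static int sockmap_admit_connected_only(const struct vsock_model *vsk)
{
	bool connectible = vsk->type == SOCK_STREAM || vsk->type == SOCK_SEQPACKET;

	if (connectible && vsk->state != VSK_ESTABLISHED)
		return -EOPNOTSUPP;
	if (!vsk->transport)
		return -ENODEV;
	return 0;
}

/* Replay the problematic lifecycle from the commit message: connect()
 * assigns a transport and fails, then the socket is switched to listen.
 * The stale transport survives, so the transport-only rule admits it. */
static void model_failed_connect_then_listen(struct vsock_model *vsk)
{
	static const int fake_transport;   /* constructed stand-in, not a real transport */

	vsk->state = VSK_SYN_SENT;
	vsk->transport = &fake_transport;  /* assigned for the connect() attempt */
	vsk->state = VSK_CLOSE;            /* connect() failed */
	vsk->state = VSK_LISTEN;           /* listen() on the same socket */
}
```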

Responsible: Linux
Reservation: 12/29/2024
Disclosure: 03/12/2025
Moderation: accepted
CPE: ready
EPSS: 0.00010
KEV: no
Activities: very low
