CVE-2025-22109 in Linux

Summary

by MITRE • 04/16/2025

In the Linux kernel, the following vulnerability has been resolved:

ax25: Remove broken autobind

Binding an AX25 socket by using the autobind feature leads to memory leaks in ax25_connect() and also refcount leaks in ax25_release(). The memory leak was detected with kmemleak:

================================================================
unreferenced object 0xffff8880253cd680 (size 96):
  backtrace:
    __kmalloc_node_track_caller_noprof (./include/linux/kmemleak.h:43)
    kmemdup_noprof (mm/util.c:136)
    ax25_rt_autobind (net/ax25/ax25_route.c:428)
    ax25_connect (net/ax25/af_ax25.c:1282)
    __sys_connect_file (net/socket.c:2045)
    __sys_connect (net/socket.c:2064)
    __x64_sys_connect (net/socket.c:2067)
    do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
    entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
================================================================

When socket is bound, refcounts must be incremented the way it is done in ax25_bind() and ax25_setsockopt() (SO_BINDTODEVICE). In case of autobind, the refcounts are not incremented.

This bug leads to the following issue reported by Syzkaller:

================================================================
ax25_connect(): syz-executor318 uses autobind, please contact jreuter@yaina.de
------------[ cut here ]------------
refcount_t: decrement hit 0; leaking memory.
WARNING: CPU: 0 PID: 5317 at lib/refcount.c:31 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:31
Modules linked in:
CPU: 0 UID: 0 PID: 5317 Comm: syz-executor318 Not tainted 6.14.0-rc4-syzkaller-00278-gece144f151ac #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:31
...
Call Trace:
 __refcount_dec include/linux/refcount.h:336 [inline]
 refcount_dec include/linux/refcount.h:351 [inline]
 ref_tracker_free+0x6af/0x7e0 lib/ref_tracker.c:236
 netdev_tracker_free include/linux/netdevice.h:4302 [inline]
 netdev_put include/linux/netdevice.h:4319 [inline]
 ax25_release+0x368/0x960 net/ax25/af_ax25.c:1080
 __sock_release net/socket.c:647 [inline]
 sock_close+0xbc/0x240 net/socket.c:1398
 __fput+0x3e9/0x9f0 fs/file_table.c:464
 __do_sys_close fs/open.c:1580 [inline]
 __se_sys_close fs/open.c:1565 [inline]
 __x64_sys_close+0x7f/0x110 fs/open.c:1565
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
...
================================================================

Considering the issues above and the comments left in the code that say: "check if we can remove this feature. It is broken."; "autobinding in this may or may not work"; - it is better to completely remove this feature than to fix it because it is broken and leads to various kinds of memory bugs.

Now calling connect() without first binding socket will result in an error (-EINVAL). Userspace software that relies on the autobind feature might get broken. However, this feature does not seem widely used with this specific driver as it was not reliable at any point of time, and it is already broken anyway. E.g. ax25-tools and ax25-apps packages for popular distributions do not use the autobind feature for AF_AX25.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.


Analysis

by VulDB Data Team • 02/15/2026

CVE-2025-22109 affects the Linux kernel's AX.25 amateur-radio networking implementation (net/ax25), specifically the autobind path that ax25_connect() took when userspace called connect() on a socket that had never been bound. Instead of failing, ax25_connect() called ax25_rt_autobind(), which looked up a route for the destination callsign, attached the route's AX.25 device to the socket and copied the route's digipeater list with kmemdup(). Unlike ax25_bind() and ax25_setsockopt() with SO_BINDTODEVICE, that path did not take the device references the rest of the code assumes a bound socket holds. Two distinct defects follow. The kmemleak report in the advisory shows a 96-byte object allocated by kmemdup() in ax25_rt_autobind() (net/ax25/ax25_route.c) that is never freed, a memory leak in the sense of CWE-401. The second is a missing reference increment: ax25_release() later drops a net_device reference that autobind never acquired, so the counter underflows. That is an improper update of a reference count (CWE-911), not a control-flow weakness.

The practical impact is kernel warnings and local resource exhaustion, not code execution. When an autobound socket is closed, ax25_release() calls netdev_put() for a reference that was never taken; refcount_t's underflow detection fires in refcount_warn_saturate(), logs "refcount_t: decrement hit 0; leaking memory", and saturates the counter so the object is deliberately leaked instead of freed. That saturation is exactly what keeps this bug from becoming a use-after-free, but it means every autobound socket leaks its digipeater copy and pins a reference to the AX.25 device, and on a kernel booted with panic_on_warn the first WARNING is a crash. Reaching the path requires the ax25 module to be loaded and an AX.25 route to exist for the destination; without a route ax25_rt_autobind() returns -EHOSTUNREACH before anything is leaked. Configuring AX.25 interfaces and routes needs CAP_NET_ADMIN, but once they exist any local process that can create an AF_AX25 SOCK_SEQPACKET socket can, subject to the module's UID policy, repeat connect()-without-bind() to exhaust memory. Syzkaller reached the warning from a plain connect() followed by close(), as the trace above shows.

The fix, merged as "ax25: Remove broken autobind", deletes the feature rather than repairing its reference counting: ax25_connect() now returns -EINVAL when the socket has not been bound, and ax25_rt_autobind() is removed. The maintainers chose removal because the code already carried comments describing autobind as broken and unreliable, and a feature no one depends on is a better candidate for deletion than for a refcount fix that would leave the path exercised mainly by fuzzers. This is attack-surface reduction: a code path reachable from an ordinary connect() call that could leak kernel memory no longer exists. The compatibility cost is small. Userspace that relied on connect() without a prior bind() on AF_AX25 sockets now gets EINVAL, but the commit notes that ax25-tools and ax25-apps in common distributions always bind explicitly, and the feature never worked reliably. Administrators should install a kernel that carries this commit (or a stable kernel that has backported it) and, where AX.25 is not needed, prevent the ax25 module from loading. Any AX.25 application that breaks after the update should be changed to call bind() with its own callsign, optionally naming the port's callsign as the first digipeater, before calling connect().
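The explicit-bind pattern that AX.25 userspace must use once autobind is gone, as an added example that is not code from the kernel commit, from the ax25-tools project or from the advisory. It assumes glibc's <netax25/ax25.h>; the callsigns N0CALL-1 and N0CALL-2 are constructed placeholders, and the bind-and-connect helper only succeeds on a host with an AX.25 interface configured under that callsign. The main() also probes whether the running kernel still accepts connect() on an unbound socket.

```c
/* Added example, not from the kernel commit or VulDB: explicit bind() before
 * connect() on AF_AX25, the only mode left once autobind is gone. Callsigns
 * below are constructed placeholders. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netax25/ax25.h>

/* Encode "CALL" or "CALL-SSID" as the kernel's 7-byte ax25_address: six
 * callsign bytes as ASCII shifted left by one (space padded), SSID 0..15 in
 * bits 1..4 of byte 7. Returns 0, or -1 on malformed input. */
static int ax25_encode_call(const char *text, ax25_address *out)
{
    const char *dash = strchr(text, '-');
    size_t i, len = dash ? (size_t)(dash - text) : strlen(text);
    long ssid = 0;
    if (len == 0 || len > 6)
        return -1;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)toupper((unsigned char)text[i]);
        if (!isalnum(c))
            return -1;
        out->ax25_call[i] = (char)(c << 1);
    }
    for (; i < 6; i++)
        out->ax25_call[i] = (char)(' ' << 1);
    if (dash) {
        char *end;
        ssid = strtol(dash + 1, &end, 10);
        if (end == dash + 1 || *end != '\0' || ssid < 0 || ssid > 15)
            return -1;
    }
    out->ax25_call[6] = (char)(ssid << 1);
    return 0;
}

/* 1 if text encodes and, read back the way the kernel's ax2asc() does,
 * yields expect in "CALL-SSID" form; else 0. */
static int ax25_call_roundtrips(const char *text, const char *expect)
{
    ax25_address a;
    char call[7], buf[16];
    int i, j = 0;
    if (ax25_encode_call(text, &a) < 0)
        return 0;
    for (i = 0; i < 6; i++) {
        char c = (char)(((unsigned char)a.ax25_call[i] >> 1) & 0x7f);
        if (c != ' ')
            call[j++] = c;
    }
    call[j] = '\0';
    snprintf(buf, sizeof(buf), "%s-%d", call, ((unsigned char)a.ax25_call[6] >> 1) & 0x0f);
    return strcmp(buf, expect) == 0;
}

/* Bind fd to mycall, then connect to peer; returns 0 or -errno. bind() is the
 * step autobind skipped: it takes the device references ax25_release() drops.
 * With sax25_ndigis == 0 the kernel picks the interface whose address is
 * mycall; a port can be named in fsa_digipeater[0] with sax25_ndigis = 1. */
static int ax25_bind_and_connect(int fd, const char *mycall, const char *peer)
{
    struct full_sockaddr_ax25 local = {0}, remote = {0};
    local.fsa_ax25.sax25_family = remote.fsa_ax25.sax25_family = AF_AX25;
    if (ax25_encode_call(mycall, &local.fsa_ax25.sax25_call) < 0 ||
        ax25_encode_call(peer, &remote.fsa_ax25.sax25_call) < 0)
        return -EINVAL;
    if (bind(fd, (struct sockaddr *)&local, sizeof(local)) < 0)
        return -errno;
    if (connect(fd, (struct sockaddr *)&remote, sizeof(remote)) < 0)
        return -errno;
    return 0;
}

int main(void)
{
    struct full_sockaddr_ax25 peer = {0};
    int fd, rc;
    printf("round trip: %s\n", ax25_call_roundtrips("n0call-7", "N0CALL-7") ? "ok" : "FAILED");
    /* Probe: connect() on an unbound, non-blocking socket. A fixed kernel answers
     * EINVAL before any route lookup; anything else means the autobind path is
     * still reachable, so run this on a test host only. */
    fd = socket(AF_AX25, SOCK_SEQPACKET | SOCK_NONBLOCK, 0);
    if (fd < 0) {
        printf("AF_AX25 unavailable (%s): ax25 module not loaded\n", strerror(errno));
        return 0;
    }
    peer.fsa_ax25.sax25_family = AF_AX25;
    ax25_encode_call("N0CALL-2", &peer.fsa_ax25.sax25_call);
    if (connect(fd, (struct sockaddr *)&peer, sizeof(peer)) < 0)
        printf("unbound connect(): %s%s\n", strerror(errno), errno == EINVAL ? " (autobind removed)" : "");
    close(fd);
    fd = socket(AF_AX25, SOCK_SEQPACKET, 0);
    rc = ax25_bind_and_connect(fd, "N0CALL-1", "N0CALL-2");
    printf("bind()+connect(): %s\n", rc ? strerror(-rc) : "connected");
    close(fd);
    return 0;
}
```

On a host without the ax25 module the program stops after the callsign check. On a patched kernel the unbound connect() reports EINVAL; EHOSTUNREACH or EINPROGRESS means the autobind code is still present, and on such a kernel with an AX.25 route configured the probe itself exercises the leaking path once.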

Responsible

Linux

Reservation

12/29/2024

Disclosure

04/16/2025

Moderation

accepted

CPE

ready

EPSS

0.00140

KEV

no

Activities

very low

Sources
