CVE-2025-40214 (GCVE-0-2025-40214)
Vulnerability from cvelistv5
Published
2025-12-04 12:38
Modified
2025-12-06 21:38
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: af_unix: Initialise scc_index in unix_add_edge(). Quang Le reported that the AF_UNIX GC could garbage-collect a receive queue of an alive in-flight socket, with a nice repro. The repro consists of three stages. 1) 1-a. Create a single cyclic reference with many sockets 1-b. close() all sockets 1-c. Trigger GC 2) 2-a. Pass sk-A to an embryo sk-B 2-b. Pass sk-X to sk-X 2-c. Trigger GC 3) 3-a. accept() the embryo sk-B 3-b. Pass sk-B to sk-C 3-c. close() the in-flight sk-A 3-d. Trigger GC As of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices, and unix_walk_scc() groups them into two different SCCs: unix_sk(sk-A)->vertex->scc_index = 2 (UNIX_VERTEX_INDEX_START) unix_sk(sk-X)->vertex->scc_index = 3 Once GC completes, unix_graph_grouped is set to true. Also, unix_graph_maybe_cyclic is set to true due to sk-X's cyclic self-reference, which makes close() trigger GC. At 3-b, unix_add_edge() allocates unix_sk(sk-B)->vertex and links it to unix_unvisited_vertices. unix_update_graph() is called at 3-a. and 3-b., but neither unix_graph_grouped nor unix_graph_maybe_cyclic is changed because both sk-B's listener and sk-C are not in-flight. 3-c decrements sk-A's file refcnt to 1. Since unix_graph_grouped is true at 3-d, unix_walk_scc_fast() is finally called and iterates 3 sockets sk-A, sk-B, and sk-X: sk-A -> sk-B (-> sk-C) sk-X -> sk-X This is totally fine. All of them are not yet close()d and should be grouped into different SCCs. However, unix_vertex_dead() misjudges that sk-A and sk-B are in the same SCC and sk-A is dead. unix_sk(sk-A)->scc_index == unix_sk(sk-B)->scc_index <-- Wrong! && sk-A's file refcnt == unix_sk(sk-A)->vertex->out_degree ^-- 1 in-flight count for sk-B -> sk-A is dead !? The problem is that unix_add_edge() does not initialise scc_index. Stage 1) is used for heap spraying, making a newly allocated vertex have vertex->scc_index == 2 (UNIX_VERTEX_INDEX_START) set by unix_walk_scc() at 1-c. Let's track the max SCC index from the previous unix_walk_scc() call and assign the max + 1 to a new vertex's scc_index. This way, we can continue to avoid Tarjan's algorithm while preventing misjudgments.
References
Impacted products
Vendor Product Version
Linux Linux Version: adfb68b39b39767d6bfb53e48c4f19c183765686
Version: d23802221f6755e104606864067c71af8cdb6788
Version: ad081928a8b0f57f269df999a28087fce6f2b6ce
Version: ad081928a8b0f57f269df999a28087fce6f2b6ce
Version: ad081928a8b0f57f269df999a28087fce6f2b6ce
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/unix/garbage.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "20003fbb9174121b27bd1da6ebe61542ac4c327d",
              "status": "affected",
              "version": "adfb68b39b39767d6bfb53e48c4f19c183765686",
              "versionType": "git"
            },
            {
              "lessThan": "4cd8d755c7d4f515dd9abf483316aca2f1b7b0f3",
              "status": "affected",
              "version": "d23802221f6755e104606864067c71af8cdb6788",
              "versionType": "git"
            },
            {
              "lessThan": "db81ad20fd8aef7cc7d536c52ee5ea4c1f979128",
              "status": "affected",
              "version": "ad081928a8b0f57f269df999a28087fce6f2b6ce",
              "versionType": "git"
            },
            {
              "lessThan": "1aa7e40ee850c9053e769957ce6541173891204d",
              "status": "affected",
              "version": "ad081928a8b0f57f269df999a28087fce6f2b6ce",
              "versionType": "git"
            },
            {
              "lessThan": "60e6489f8e3b086bd1130ad4450a2c112e863791",
              "status": "affected",
              "version": "ad081928a8b0f57f269df999a28087fce6f2b6ce",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/unix/garbage.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "6.1.141",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "6.6.93",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.59",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.9",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Initialise scc_index in unix_add_edge().\n\nQuang Le reported that the AF_UNIX GC could garbage-collect a\nreceive queue of an alive in-flight socket, with a nice repro.\n\nThe repro consists of three stages.\n\n  1)\n    1-a. Create a single cyclic reference with many sockets\n    1-b. close() all sockets\n    1-c. Trigger GC\n\n  2)\n    2-a. Pass sk-A to an embryo sk-B\n    2-b. Pass sk-X to sk-X\n    2-c. Trigger GC\n\n  3)\n    3-a. accept() the embryo sk-B\n    3-b. Pass sk-B to sk-C\n    3-c. close() the in-flight sk-A\n    3-d. Trigger GC\n\nAs of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices,\nand unix_walk_scc() groups them into two different SCCs:\n\n  unix_sk(sk-A)-\u003evertex-\u003escc_index = 2 (UNIX_VERTEX_INDEX_START)\n  unix_sk(sk-X)-\u003evertex-\u003escc_index = 3\n\nOnce GC completes, unix_graph_grouped is set to true.\nAlso, unix_graph_maybe_cyclic is set to true due to sk-X\u0027s\ncyclic self-reference, which makes close() trigger GC.\n\nAt 3-b, unix_add_edge() allocates unix_sk(sk-B)-\u003evertex and\nlinks it to unix_unvisited_vertices.\n\nunix_update_graph() is called at 3-a. and 3-b., but neither\nunix_graph_grouped nor unix_graph_maybe_cyclic is changed\nbecause both sk-B\u0027s listener and sk-C are not in-flight.\n\n3-c decrements sk-A\u0027s file refcnt to 1.\n\nSince unix_graph_grouped is true at 3-d, unix_walk_scc_fast()\nis finally called and iterates 3 sockets sk-A, sk-B, and sk-X:\n\n  sk-A -\u003e sk-B (-\u003e sk-C)\n  sk-X -\u003e sk-X\n\nThis is totally fine.  All of them are not yet close()d and\nshould be grouped into different SCCs.\n\nHowever, unix_vertex_dead() misjudges that sk-A and sk-B are\nin the same SCC and sk-A is dead.\n\n  unix_sk(sk-A)-\u003escc_index == unix_sk(sk-B)-\u003escc_index \u003c-- Wrong!\n  \u0026\u0026\n  sk-A\u0027s file refcnt == unix_sk(sk-A)-\u003evertex-\u003eout_degree\n                                       ^-- 1 in-flight count for sk-B\n  -\u003e sk-A is dead !?\n\nThe problem is that unix_add_edge() does not initialise scc_index.\n\nStage 1) is used for heap spraying, making a newly allocated\nvertex have vertex-\u003escc_index == 2 (UNIX_VERTEX_INDEX_START)\nset by unix_walk_scc() at 1-c.\n\nLet\u0027s track the max SCC index from the previous unix_walk_scc()\ncall and assign the max + 1 to a new vertex\u0027s scc_index.\n\nThis way, we can continue to avoid Tarjan\u0027s algorithm while\npreventing misjudgments."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-06T21:38:44.451Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/20003fbb9174121b27bd1da6ebe61542ac4c327d"
        },
        {
          "url": "https://git.kernel.org/stable/c/4cd8d755c7d4f515dd9abf483316aca2f1b7b0f3"
        },
        {
          "url": "https://git.kernel.org/stable/c/db81ad20fd8aef7cc7d536c52ee5ea4c1f979128"
        },
        {
          "url": "https://git.kernel.org/stable/c/1aa7e40ee850c9053e769957ce6541173891204d"
        },
        {
          "url": "https://git.kernel.org/stable/c/60e6489f8e3b086bd1130ad4450a2c112e863791"
        }
      ],
      "title": "af_unix: Initialise scc_index in unix_add_edge().",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40214",
    "datePublished": "2025-12-04T12:38:31.601Z",
    "dateReserved": "2025-04-16T07:20:57.179Z",
    "dateUpdated": "2025-12-06T21:38:44.451Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-40214\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-04T13:15:48.157\",\"lastModified\":\"2025-12-06T22:15:52.513\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\naf_unix: Initialise scc_index in unix_add_edge().\\n\\nQuang Le reported that the AF_UNIX GC could garbage-collect a\\nreceive queue of an alive in-flight socket, with a nice repro.\\n\\nThe repro consists of three stages.\\n\\n  1)\\n    1-a. Create a single cyclic reference with many sockets\\n    1-b. close() all sockets\\n    1-c. Trigger GC\\n\\n  2)\\n    2-a. Pass sk-A to an embryo sk-B\\n    2-b. Pass sk-X to sk-X\\n    2-c. Trigger GC\\n\\n  3)\\n    3-a. accept() the embryo sk-B\\n    3-b. Pass sk-B to sk-C\\n    3-c. close() the in-flight sk-A\\n    3-d. Trigger GC\\n\\nAs of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices,\\nand unix_walk_scc() groups them into two different SCCs:\\n\\n  unix_sk(sk-A)-\u003evertex-\u003escc_index = 2 (UNIX_VERTEX_INDEX_START)\\n  unix_sk(sk-X)-\u003evertex-\u003escc_index = 3\\n\\nOnce GC completes, unix_graph_grouped is set to true.\\nAlso, unix_graph_maybe_cyclic is set to true due to sk-X\u0027s\\ncyclic self-reference, which makes close() trigger GC.\\n\\nAt 3-b, unix_add_edge() allocates unix_sk(sk-B)-\u003evertex and\\nlinks it to unix_unvisited_vertices.\\n\\nunix_update_graph() is called at 3-a. and 3-b., but neither\\nunix_graph_grouped nor unix_graph_maybe_cyclic is changed\\nbecause both sk-B\u0027s listener and sk-C are not in-flight.\\n\\n3-c decrements sk-A\u0027s file refcnt to 1.\\n\\nSince unix_graph_grouped is true at 3-d, unix_walk_scc_fast()\\nis finally called and iterates 3 sockets sk-A, sk-B, and sk-X:\\n\\n  sk-A -\u003e sk-B (-\u003e sk-C)\\n  sk-X -\u003e sk-X\\n\\nThis is totally fine.  All of them are not yet close()d and\\nshould be grouped into different SCCs.\\n\\nHowever, unix_vertex_dead() misjudges that sk-A and sk-B are\\nin the same SCC and sk-A is dead.\\n\\n  unix_sk(sk-A)-\u003escc_index == unix_sk(sk-B)-\u003escc_index \u003c-- Wrong!\\n  \u0026\u0026\\n  sk-A\u0027s file refcnt == unix_sk(sk-A)-\u003evertex-\u003eout_degree\\n                                       ^-- 1 in-flight count for sk-B\\n  -\u003e sk-A is dead !?\\n\\nThe problem is that unix_add_edge() does not initialise scc_index.\\n\\nStage 1) is used for heap spraying, making a newly allocated\\nvertex have vertex-\u003escc_index == 2 (UNIX_VERTEX_INDEX_START)\\nset by unix_walk_scc() at 1-c.\\n\\nLet\u0027s track the max SCC index from the previous unix_walk_scc()\\ncall and assign the max + 1 to a new vertex\u0027s scc_index.\\n\\nThis way, we can continue to avoid Tarjan\u0027s algorithm while\\npreventing misjudgments.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1aa7e40ee850c9053e769957ce6541173891204d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/20003fbb9174121b27bd1da6ebe61542ac4c327d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/4cd8d755c7d4f515dd9abf483316aca2f1b7b0f3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/60e6489f8e3b086bd1130ad4450a2c112e863791\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/db81ad20fd8aef7cc7d536c52ee5ea4c1f979128\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.