CVE-2025-68366 (GCVE-0-2025-68366)
Vulnerability from cvelistv5
Published: 2025-12-24 10:32
Modified: 2025-12-24 10:32
Severity: not provided (the record carries no metrics)
Summary
In the Linux kernel, the following vulnerability has been resolved:

nbd: defer config unlock in nbd_genl_connect

There is one use-after-free warning when running NBD_CMD_CONNECT and
NBD_CLEAR_SOCK:

nbd_genl_connect
  nbd_alloc_and_init_config // config_refs=1
  nbd_start_device // config_refs=2
  set NBD_RT_HAS_CONFIG_REF                     open nbd // config_refs=3
  recv_work done // config_refs=2
                                                NBD_CLEAR_SOCK // config_refs=1
                                                close nbd // config_refs=0
  refcount_inc -> uaf

------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 24 PID: 1014 at lib/refcount.c:25 refcount_warn_saturate+0x12e/0x290
 nbd_genl_connect+0x16d0/0x1ab0
 genl_family_rcv_msg_doit+0x1f3/0x310
 genl_rcv_msg+0x44a/0x790

The issue can be easily reproduced by adding a small delay before
refcount_inc(&nbd->config_refs) in nbd_genl_connect():

        mutex_unlock(&nbd->config_lock);
        if (!ret) {
                set_bit(NBD_RT_HAS_CONFIG_REF, &config->runtime_flags);
+               printk("before sleep\n");
+               mdelay(5 * 1000);
+               printk("after sleep\n");
                refcount_inc(&nbd->config_refs);
                nbd_connect_reply(info, nbd->index);
        }
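Review bot: the three added lines in this hunk are a reproducer aid, not the fix: mdelay(5 * 1000) busy-waits after mutex_unlock(&nbd->config_lock) has already released the lock, so it only widens the window between set_bit(NBD_RT_HAS_CONFIG_REF, ...) and refcount_inc(&nbd->config_refs) in which NBD_CLEAR_SOCK followed by close can drop config_refs to zero and free the config. The defect the hunk exposes is that refcount_inc runs outside the lock; as the title states, the fix is to defer the config unlock until after the reference has been taken, so the clear-socket path cannot observe config_refs == 0 while nbd_genl_connect still intends to hold a reference. A printk/mdelay block like this must never be carried into a shipped change.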
Impacted products

Vendor: Linux
Product: Linux
Affected git ranges (all start at commit e46c7287b1c27683a8e30ca825fb98e2b97f1099 and are fixed by the listed commit):
  • e46c7287b1c27683a8e30ca825fb98e2b97f1099 up to, but excluding, c9b99c948b4fb014812afe7b5ccf2db121d22e46
  • e46c7287b1c27683a8e30ca825fb98e2b97f1099 up to, but excluding, 9a38306643874566d20f7aba7dff9e6f657b51a9
  • e46c7287b1c27683a8e30ca825fb98e2b97f1099 up to, but excluding, c9e805f6a35d1dd189a9345595a5c20e87611942
  • e46c7287b1c27683a8e30ca825fb98e2b97f1099 up to, but excluding, 1649714b930f9ea6233ce0810ba885999da3b5d4
Affected release versions: 4.12 and later; unaffected from 6.12.63, 6.17.13, 6.18.2 and 6.19-rc1 onward within their respective series.


{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/block/nbd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c9b99c948b4fb014812afe7b5ccf2db121d22e46",
              "status": "affected",
              "version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
              "versionType": "git"
            },
            {
              "lessThan": "9a38306643874566d20f7aba7dff9e6f657b51a9",
              "status": "affected",
              "version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
              "versionType": "git"
            },
            {
              "lessThan": "c9e805f6a35d1dd189a9345595a5c20e87611942",
              "status": "affected",
              "version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
              "versionType": "git"
            },
            {
              "lessThan": "1649714b930f9ea6233ce0810ba885999da3b5d4",
              "status": "affected",
              "version": "e46c7287b1c27683a8e30ca825fb98e2b97f1099",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/block/nbd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.12"
            },
            {
              "lessThan": "4.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.63",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.63",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.13",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.2",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: defer config unlock in nbd_genl_connect\n\nThere is one use-after-free warning when running NBD_CMD_CONNECT and\nNBD_CLEAR_SOCK:\n\nnbd_genl_connect\n  nbd_alloc_and_init_config // config_refs=1\n  nbd_start_device // config_refs=2\n  set NBD_RT_HAS_CONFIG_REF\t\t\topen nbd // config_refs=3\n  recv_work done // config_refs=2\n\t\t\t\t\t\tNBD_CLEAR_SOCK // config_refs=1\n\t\t\t\t\t\tclose nbd // config_refs=0\n  refcount_inc -\u003e uaf\n\n------------[ cut here ]------------\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 24 PID: 1014 at lib/refcount.c:25 refcount_warn_saturate+0x12e/0x290\n nbd_genl_connect+0x16d0/0x1ab0\n genl_family_rcv_msg_doit+0x1f3/0x310\n genl_rcv_msg+0x44a/0x790\n\nThe issue can be easily reproduced by adding a small delay before\nrefcount_inc(\u0026nbd-\u003econfig_refs) in nbd_genl_connect():\n\n        mutex_unlock(\u0026nbd-\u003econfig_lock);\n        if (!ret) {\n                set_bit(NBD_RT_HAS_CONFIG_REF, \u0026config-\u003eruntime_flags);\n+               printk(\"before sleep\\n\");\n+               mdelay(5 * 1000);\n+               printk(\"after sleep\\n\");\n                refcount_inc(\u0026nbd-\u003econfig_refs);\n                nbd_connect_reply(info, nbd-\u003eindex);\n        }"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-24T10:32:53.399Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c9b99c948b4fb014812afe7b5ccf2db121d22e46"
        },
        {
          "url": "https://git.kernel.org/stable/c/9a38306643874566d20f7aba7dff9e6f657b51a9"
        },
        {
          "url": "https://git.kernel.org/stable/c/c9e805f6a35d1dd189a9345595a5c20e87611942"
        },
        {
          "url": "https://git.kernel.org/stable/c/1649714b930f9ea6233ce0810ba885999da3b5d4"
        }
      ],
      "title": "nbd: defer config unlock in nbd_genl_connect",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68366",
    "datePublished": "2025-12-24T10:32:53.399Z",
    "dateReserved": "2025-12-16T14:48:05.308Z",
    "dateUpdated": "2025-12-24T10:32:53.399Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-68366\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-24T11:16:00.163\",\"lastModified\":\"2025-12-24T11:16:00.163\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnbd: defer config unlock in nbd_genl_connect\\n\\nThere is one use-after-free warning when running NBD_CMD_CONNECT and\\nNBD_CLEAR_SOCK:\\n\\nnbd_genl_connect\\n  nbd_alloc_and_init_config // config_refs=1\\n  nbd_start_device // config_refs=2\\n  set NBD_RT_HAS_CONFIG_REF\\t\\t\\topen nbd // config_refs=3\\n  recv_work done // config_refs=2\\n\\t\\t\\t\\t\\t\\tNBD_CLEAR_SOCK // config_refs=1\\n\\t\\t\\t\\t\\t\\tclose nbd // config_refs=0\\n  refcount_inc -\u003e uaf\\n\\n------------[ cut here ]------------\\nrefcount_t: addition on 0; use-after-free.\\nWARNING: CPU: 24 PID: 1014 at lib/refcount.c:25 refcount_warn_saturate+0x12e/0x290\\n nbd_genl_connect+0x16d0/0x1ab0\\n genl_family_rcv_msg_doit+0x1f3/0x310\\n genl_rcv_msg+0x44a/0x790\\n\\nThe issue can be easily reproduced by adding a small delay before\\nrefcount_inc(\u0026nbd-\u003econfig_refs) in nbd_genl_connect():\\n\\n        mutex_unlock(\u0026nbd-\u003econfig_lock);\\n        if (!ret) {\\n                set_bit(NBD_RT_HAS_CONFIG_REF, \u0026config-\u003eruntime_flags);\\n+               printk(\\\"before sleep\\\\n\\\");\\n+               mdelay(5 * 1000);\\n+               printk(\\\"after sleep\\\\n\\\");\\n                refcount_inc(\u0026nbd-\u003econfig_refs);\\n                nbd_connect_reply(info, nbd-\u003eindex);\\n        }\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1649714b930f9ea6233ce0810ba885999da3b5d4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9a38306643874566d20f7aba7dff9e6f657b51a9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c9b99c948b4fb014812afe7b5ccf2db121d22e46\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c9e805f6a35d1dd189a9345595a5c20e87611942\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}

