CVE-2025-68372 (GCVE-0-2025-68372)
Vulnerability from cvelistv5
Published
2025-12-24 10:33
Modified
2025-12-24 10:33
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: nbd: defer config put in recv_work There is one uaf issue in recv_work when running NBD_CLEAR_SOCK and NBD_CMD_RECONFIGURE: nbd_genl_connect // conf_ref=2 (connect and recv_work A) nbd_open // conf_ref=3 recv_work A done // conf_ref=2 NBD_CLEAR_SOCK // conf_ref=1 nbd_genl_reconfigure // conf_ref=2 (trigger recv_work B) close nbd // conf_ref=1 recv_work B config_put // conf_ref=0 atomic_dec(&config->recv_threads); -> UAF Or only running NBD_CLEAR_SOCK: nbd_genl_connect // conf_ref=2 nbd_open // conf_ref=3 NBD_CLEAR_SOCK // conf_ref=2 close nbd nbd_release config_put // conf_ref=1 recv_work config_put // conf_ref=0 atomic_dec(&config->recv_threads); -> UAF Commit 87aac3a80af5 ("nbd: call nbd_config_put() before notifying the waiter") moved nbd_config_put() to run before waking up the waiter in recv_work, in order to ensure that nbd_start_device_ioctl() would not be woken up while nbd->task_recv was still uncleared. However, in nbd_start_device_ioctl(), after being woken up it explicitly calls flush_workqueue() to make sure all current works are finished. Therefore, there is no need to move the config put ahead of the wakeup. Move nbd_config_put() to the end of recv_work, so that the reference is held for the whole lifetime of the worker thread. This makes sure the config cannot be freed while recv_work is still running, even if clear + reconfigure interleave. In addition, we don't need to worry about recv_work dropping the last nbd_put (which causes deadlock): path A (netlink with NBD_CFLAG_DESTROY_ON_DISCONNECT): connect // nbd_refs=1 (trigger recv_work) open nbd // nbd_refs=2 NBD_CLEAR_SOCK close nbd nbd_release nbd_disconnect_and_put flush_workqueue // recv_work done nbd_config_put nbd_put // nbd_refs=1 nbd_put // nbd_refs=0 queue_work path B (netlink without NBD_CFLAG_DESTROY_ON_DISCONNECT): connect // nbd_refs=2 (trigger recv_work) open nbd // nbd_refs=3 NBD_CLEAR_SOCK // conf_refs=2 close nbd nbd_release nbd_config_put // conf_refs=1 nbd_put // nbd_refs=2 recv_work done // conf_refs=0, nbd_refs=1 rmmod // nbd_refs=0 Depends-on: e2daec488c57 ("nbd: Fix hungtask when nbd_config_put")
References
Impacted products
Vendor Product Version
Linux Linux Version: 87aac3a80af5cbad93e63250e8a1e19095ba0d30
Version: 87aac3a80af5cbad93e63250e8a1e19095ba0d30
Version: 87aac3a80af5cbad93e63250e8a1e19095ba0d30
Version: 87aac3a80af5cbad93e63250e8a1e19095ba0d30
Version: 0a4e383fc3aa6540f804c4fd1184a96ae5de6ef8
Version: 2ef6f4bd60411934e3fc2715442c2afe70f84bf3
Version: 742fd49cf811ca164489e339b862e3fb8e240a73
Version: 14df8724aeeef338172e2a2d6efadc989921ca0f
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/block/nbd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6b69593f72e1bfba6ca47ca8d9b619341fded7d6",
              "status": "affected",
              "version": "87aac3a80af5cbad93e63250e8a1e19095ba0d30",
              "versionType": "git"
            },
            {
              "lessThan": "443a1721806b6ff6303b5229e9811d68172d622f",
              "status": "affected",
              "version": "87aac3a80af5cbad93e63250e8a1e19095ba0d30",
              "versionType": "git"
            },
            {
              "lessThan": "742012f6bf29553fdc460bf646a58df3a7b43d01",
              "status": "affected",
              "version": "87aac3a80af5cbad93e63250e8a1e19095ba0d30",
              "versionType": "git"
            },
            {
              "lessThan": "9517b82d8d422d426a988b213fdd45c6b417b86d",
              "status": "affected",
              "version": "87aac3a80af5cbad93e63250e8a1e19095ba0d30",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "0a4e383fc3aa6540f804c4fd1184a96ae5de6ef8",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "2ef6f4bd60411934e3fc2715442c2afe70f84bf3",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "742fd49cf811ca164489e339b862e3fb8e240a73",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "14df8724aeeef338172e2a2d6efadc989921ca0f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/block/nbd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.10"
            },
            {
              "lessThan": "5.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.63",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.63",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.13",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.2",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.14.204",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.155",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.4.75",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.9.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: defer config put in recv_work\n\nThere is one uaf issue in recv_work when running NBD_CLEAR_SOCK and\nNBD_CMD_RECONFIGURE:\n  nbd_genl_connect     // conf_ref=2 (connect and recv_work A)\n  nbd_open\t       // conf_ref=3\n  recv_work A done     // conf_ref=2\n  NBD_CLEAR_SOCK       // conf_ref=1\n  nbd_genl_reconfigure // conf_ref=2 (trigger recv_work B)\n  close nbd\t       // conf_ref=1\n  recv_work B\n    config_put         // conf_ref=0\n    atomic_dec(\u0026config-\u003erecv_threads); -\u003e UAF\n\nOr only running NBD_CLEAR_SOCK:\n  nbd_genl_connect   // conf_ref=2\n  nbd_open \t     // conf_ref=3\n  NBD_CLEAR_SOCK     // conf_ref=2\n  close nbd\n    nbd_release\n      config_put     // conf_ref=1\n  recv_work\n    config_put \t     // conf_ref=0\n    atomic_dec(\u0026config-\u003erecv_threads); -\u003e UAF\n\nCommit 87aac3a80af5 (\"nbd: call nbd_config_put() before notifying the\nwaiter\") moved nbd_config_put() to run before waking up the waiter in\nrecv_work, in order to ensure that nbd_start_device_ioctl() would not\nbe woken up while nbd-\u003etask_recv was still uncleared.\n\nHowever, in nbd_start_device_ioctl(), after being woken up it explicitly\ncalls flush_workqueue() to make sure all current works are finished.\nTherefore, there is no need to move the config put ahead of the wakeup.\n\nMove nbd_config_put() to the end of recv_work, so that the reference is\nheld for the whole lifetime of the worker thread. This makes sure the\nconfig cannot be freed while recv_work is still running, even if clear\n+ reconfigure interleave.\n\nIn addition, we don\u0027t need to worry about recv_work dropping the last\nnbd_put (which causes deadlock):\n\npath A (netlink with NBD_CFLAG_DESTROY_ON_DISCONNECT):\n  connect  // nbd_refs=1 (trigger recv_work)\n  open nbd // nbd_refs=2\n  NBD_CLEAR_SOCK\n  close nbd\n    nbd_release\n      nbd_disconnect_and_put\n        flush_workqueue // recv_work done\n      nbd_config_put\n        nbd_put // nbd_refs=1\n      nbd_put // nbd_refs=0\n        queue_work\n\npath B (netlink without NBD_CFLAG_DESTROY_ON_DISCONNECT):\n  connect  // nbd_refs=2 (trigger recv_work)\n  open nbd // nbd_refs=3\n  NBD_CLEAR_SOCK // conf_refs=2\n  close nbd\n    nbd_release\n      nbd_config_put // conf_refs=1\n      nbd_put // nbd_refs=2\n  recv_work done // conf_refs=0, nbd_refs=1\n  rmmod // nbd_refs=0\n\nDepends-on: e2daec488c57 (\"nbd: Fix hungtask when nbd_config_put\")"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-24T10:33:02.679Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6b69593f72e1bfba6ca47ca8d9b619341fded7d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/443a1721806b6ff6303b5229e9811d68172d622f"
        },
        {
          "url": "https://git.kernel.org/stable/c/742012f6bf29553fdc460bf646a58df3a7b43d01"
        },
        {
          "url": "https://git.kernel.org/stable/c/9517b82d8d422d426a988b213fdd45c6b417b86d"
        }
      ],
      "title": "nbd: defer config put in recv_work",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68372",
    "datePublished": "2025-12-24T10:33:02.679Z",
    "dateReserved": "2025-12-16T14:48:05.310Z",
    "dateUpdated": "2025-12-24T10:33:02.679Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-68372\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-24T11:16:00.777\",\"lastModified\":\"2025-12-24T11:16:00.777\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnbd: defer config put in recv_work\\n\\nThere is one uaf issue in recv_work when running NBD_CLEAR_SOCK and\\nNBD_CMD_RECONFIGURE:\\n  nbd_genl_connect     // conf_ref=2 (connect and recv_work A)\\n  nbd_open\\t       // conf_ref=3\\n  recv_work A done     // conf_ref=2\\n  NBD_CLEAR_SOCK       // conf_ref=1\\n  nbd_genl_reconfigure // conf_ref=2 (trigger recv_work B)\\n  close nbd\\t       // conf_ref=1\\n  recv_work B\\n    config_put         // conf_ref=0\\n    atomic_dec(\u0026config-\u003erecv_threads); -\u003e UAF\\n\\nOr only running NBD_CLEAR_SOCK:\\n  nbd_genl_connect   // conf_ref=2\\n  nbd_open \\t     // conf_ref=3\\n  NBD_CLEAR_SOCK     // conf_ref=2\\n  close nbd\\n    nbd_release\\n      config_put     // conf_ref=1\\n  recv_work\\n    config_put \\t     // conf_ref=0\\n    atomic_dec(\u0026config-\u003erecv_threads); -\u003e UAF\\n\\nCommit 87aac3a80af5 (\\\"nbd: call nbd_config_put() before notifying the\\nwaiter\\\") moved nbd_config_put() to run before waking up the waiter in\\nrecv_work, in order to ensure that nbd_start_device_ioctl() would not\\nbe woken up while nbd-\u003etask_recv was still uncleared.\\n\\nHowever, in nbd_start_device_ioctl(), after being woken up it explicitly\\ncalls flush_workqueue() to make sure all current works are finished.\\nTherefore, there is no need to move the config put ahead of the wakeup.\\n\\nMove nbd_config_put() to the end of recv_work, so that the reference is\\nheld for the whole lifetime of the worker thread. This makes sure the\\nconfig cannot be freed while recv_work is still running, even if clear\\n+ reconfigure interleave.\\n\\nIn addition, we don\u0027t need to worry about recv_work dropping the last\\nnbd_put (which causes deadlock):\\n\\npath A (netlink with NBD_CFLAG_DESTROY_ON_DISCONNECT):\\n  connect  // nbd_refs=1 (trigger recv_work)\\n  open nbd // nbd_refs=2\\n  NBD_CLEAR_SOCK\\n  close nbd\\n    nbd_release\\n      nbd_disconnect_and_put\\n        flush_workqueue // recv_work done\\n      nbd_config_put\\n        nbd_put // nbd_refs=1\\n      nbd_put // nbd_refs=0\\n        queue_work\\n\\npath B (netlink without NBD_CFLAG_DESTROY_ON_DISCONNECT):\\n  connect  // nbd_refs=2 (trigger recv_work)\\n  open nbd // nbd_refs=3\\n  NBD_CLEAR_SOCK // conf_refs=2\\n  close nbd\\n    nbd_release\\n      nbd_config_put // conf_refs=1\\n      nbd_put // nbd_refs=2\\n  recv_work done // conf_refs=0, nbd_refs=1\\n  rmmod // nbd_refs=0\\n\\nDepends-on: e2daec488c57 (\\\"nbd: Fix hungtask when nbd_config_put\\\")\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/443a1721806b6ff6303b5229e9811d68172d622f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6b69593f72e1bfba6ca47ca8d9b619341fded7d6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/742012f6bf29553fdc460bf646a58df3a7b43d01\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9517b82d8d422d426a988b213fdd45c6b417b86d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.