{"uuid": "6b965652-fb50-438c-8200-20d48505fd55", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2025-21731", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/5636", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2025-21731\n\ud83d\udd25 CVSS Score: N/A\n\ud83d\udd39 Description: In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: don't allow reconnect after disconnect\n\nFollowing process can cause nbd_config UAF:\n\n1) grab nbd_config temporarily;\n\n2) nbd_genl_disconnect() flush all recv_work() and release the\ninitial reference:\n\n  nbd_genl_disconnect\n   nbd_disconnect_and_put\n    nbd_disconnect\n     flush_workqueue(nbd->recv_workq)\n    if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF, ...))\n     nbd_config_put\n     -> due to step 1), reference is still not zero\n\n3) nbd_genl_reconfigure() queue recv_work() again;\n\n  nbd_genl_reconfigure\n   config = nbd_get_config_unlocked(nbd)\n   if (!config)\n   -> succeed\n   if (!test_bit(NBD_RT_BOUND, ...))\n   -> succeed\n   nbd_reconnect_socket\n    queue_work(nbd->recv_workq, &args->work)\n\n4) step 1) release the reference;\n\n5) Finally, recv_work() will trigger UAF:\n\n  recv_work\n   nbd_config_put(nbd)\n   -> nbd_config is freed\n   atomic_dec(&config->recv_threads)\n   -> UAF\n\nFix the problem by clearing NBD_RT_BOUND in nbd_genl_disconnect(), so\nthat nbd_genl_reconfigure() will fail.\n\ud83d\udccf Published: 2025-02-27T02:07:35.927Z\n\ud83d\udccf Modified: 2025-02-27T02:07:35.927Z\n\ud83d\udd17 References:\n1. https://git.kernel.org/stable/c/e7343fa33751cb07c1c56b666bf37cfca357130e\n2. https://git.kernel.org/stable/c/d208d2c52b652913b5eefc8ca434b0d6b757f68f\n3. https://git.kernel.org/stable/c/a8ee6ecde2b7bfb58c8a3afe8a9d2b848f580739\n4. https://git.kernel.org/stable/c/9793bd5ae4bdbdb2dde401a3cab94a6bfd05e302\n5. https://git.kernel.org/stable/c/844b8cdc681612ff24df62cdefddeab5772fadf1", "creation_timestamp": "2025-02-27T02:25:18.000000Z"}