{"vulnerability": "CVE-2025-21731", "sightings": [{"uuid": "6b965652-fb50-438c-8200-20d48505fd55", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2025-21731", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/5636", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2025-21731\n\ud83d\udd25 CVSS Score: N/A\n\ud83d\udd39 Description: In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: don't allow reconnect after disconnect\n\nFollowing process can cause nbd_config UAF:\n\n1) grab nbd_config temporarily;\n\n2) nbd_genl_disconnect() flush all recv_work() and release the\ninitial reference:\n\n  nbd_genl_disconnect\n   nbd_disconnect_and_put\n    nbd_disconnect\n     flush_workqueue(nbd->recv_workq)\n    if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF, ...))\n     nbd_config_put\n     -> due to step 1), reference is still not zero\n\n3) nbd_genl_reconfigure() queue recv_work() again;\n\n  nbd_genl_reconfigure\n   config = nbd_get_config_unlocked(nbd)\n   if (!config)\n   -> succeed\n   if (!test_bit(NBD_RT_BOUND, ...))\n   -> succeed\n   nbd_reconnect_socket\n    queue_work(nbd->recv_workq, &args->work)\n\n4) step 1) release the reference;\n\n5) Finally, recv_work() will trigger UAF:\n\n  recv_work\n   nbd_config_put(nbd)\n   -> nbd_config is freed\n   atomic_dec(&config->recv_threads)\n   -> UAF\n\nFix the problem by clearing NBD_RT_BOUND in nbd_genl_disconnect(), so\nthat nbd_genl_reconfigure() will fail.\n\ud83d\udccf Published: 2025-02-27T02:07:35.927Z\n\ud83d\udccf Modified: 2025-02-27T02:07:35.927Z\n\ud83d\udd17 References:\n1. https://git.kernel.org/stable/c/e7343fa33751cb07c1c56b666bf37cfca357130e\n2. https://git.kernel.org/stable/c/d208d2c52b652913b5eefc8ca434b0d6b757f68f\n3. 
https://git.kernel.org/stable/c/a8ee6ecde2b7bfb58c8a3afe8a9d2b848f580739\n4. https://git.kernel.org/stable/c/9793bd5ae4bdbdb2dde401a3cab94a6bfd05e302\n5. https://git.kernel.org/stable/c/844b8cdc681612ff24df62cdefddeab5772fadf1", "creation_timestamp": "2025-02-27T02:25:18.000000Z"}, {"uuid": "4e3c47ad-2301-48bb-a142-e3170c1d7828", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2025-21731", "type": "seen", "source": "https://t.me/cvedetector/18983", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2025-21731 - \"Linux NBD Uninitialized Pointer Dereference\"\", \n  \"Content\": \"CVE ID : CVE-2025-21731 \nPublished : Feb. 27, 2025, 2:15 a.m. | 50\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved:  \n  \nnbd: don't allow reconnect after disconnect  \n  \nFollowing process can cause nbd_config UAF:  \n  \n1) grab nbd_config temporarily;  \n  \n2) nbd_genl_disconnect() flush all recv_work() and release the  \ninitial reference:  \n  \n  nbd_genl_disconnect  \n   nbd_disconnect_and_put  \n    nbd_disconnect  \n     flush_workqueue(nbd->recv_workq)  \n    if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF, ...))  \n     nbd_config_put  \n     -> due to step 1), reference is still not zero  \n  \n3) nbd_genl_reconfigure() queue recv_work() again;  \n  \n  nbd_genl_reconfigure  \n   config = nbd_get_config_unlocked(nbd)  \n   if (!config)  \n   -> succeed  \n   if (!test_bit(NBD_RT_BOUND, ...))  \n   -> succeed  \n   nbd_reconnect_socket  \n    queue_work(nbd->recv_workq, &args->work)  \n  \n4) step 1) release the reference;  \n  \n5) Finally, recv_work() will trigger UAF:  \n  \n  recv_work  \n   nbd_config_put(nbd)  \n   -> nbd_config is freed  \n   atomic_dec(&config->recv_threads)  \n   -> UAF  \n  \nFix the problem by clearing NBD_RT_BOUND in nbd_genl_disconnect(), so  \nthat 
nbd_genl_reconfigure() will fail. \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"27 Feb 2025\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2025-02-27T04:30:18.000000Z"}]}