Reports have recently surfaced of a vulnerability in the Linux kernel's vsock (Virtual Socket) subsystem, specifically in the vsock_*[has_data|has_space] functions. The vulnerability, tracked as CVE-2025-21666, has now been resolved, and patches have been applied to minimize the risk of null pointer dereference (null-ptr-deref) issues within the kernel.

The Issue

Calling these vsock functions on a socket to which no transport was assigned caused a null-ptr-deref. This could potentially allow malicious attackers to compromise the targeted system and cause unexpected behavior within the Linux kernel. The root cause is that the vsock_*[has_data|has_space] functions were called on a socket that had been de-assigned from its transport, and they dereferenced the transport pointer without first checking whether it was still set.

A code snippet demonstrating the issue (the function before the fix) can be seen below:

/* Before the fix: vsk->transport is dereferenced unconditionally. If the socket
 * has been de-assigned from its transport, vsk->transport is NULL and this
 * dereference crashes the kernel (null-ptr-deref). */
static bool vsock_stream_has_data(struct vsock_sock *vsk)
{
    return vsk->transport->stream_has_data(vsk);
}

Likewise, a similar issue was identified in the vsock_*_has_space functions, which dereference the transport pointer in the same way.

The Solution

The solution to this vulnerability is to return a value signifying that no space or data is available, alongside a warning message, whenever the vsock_*[has_data|has_space] functions are called on a vsock socket that has been de-assigned from its transport. This keeps the code running in a near-consistent state and also provides warning messages for debugging future problems.

/* After the fix: refuse to dereference a NULL transport. Warn once so the
 * condition is visible in the kernel log, and report "no data available". */
static bool vsock_stream_has_data(struct vsock_sock *vsk)
{
    if (!vsk->transport) {
        pr_warn_once("%s: called with NULL transport\n", __func__);
        return false;
    }
    return vsk->transport->stream_has_data(vsk);
}
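To make the assign/de-assign lifecycle behind this bug concrete, the following userspace C program is an added example; it is not kernel code and not part of the original post or the upstream patch. It models a socket holding a pointer to a transport ops table, walks the socket through transport assignment and de-assignment, and shows the unguarded accessor (the 'before' shape) beside guarded has_data/has_space accessors (the 'after' shape) with a warn-once stand-in for pr_warn_once(). The struct layout, the toy transport, the byte counts and the warning counter are all constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed userspace model of the kernel pattern; field names follow the
 * page's snippet, but these are not the kernel's real definitions. */
struct vsock_sock;

struct vsock_transport {
    const char *name;
    bool (*stream_has_data)(struct vsock_sock *vsk);
    bool (*stream_has_space)(struct vsock_sock *vsk);
};

struct vsock_sock {
    struct vsock_transport *transport; /* NULL when no transport is assigned */
    unsigned long rx_bytes;            /* constructed: bytes queued for reading */
    unsigned long tx_free;             /* constructed: free send-buffer bytes */
};

/* Userspace stand-in for pr_warn_once(): fires once per call site. The counter
 * lets a test confirm the warning path was actually taken. */
static unsigned warn_count;
#define pr_warn_once(fmt, ...)                       \
    do {                                             \
        static bool warned_here;                     \
        if (!warned_here) {                          \
            warned_here = true;                      \
            warn_count++;                            \
            fprintf(stderr, fmt, ##__VA_ARGS__);     \
        }                                            \
    } while (0)

/* A toy transport, standing in for a real one such as virtio or vmci. */
static bool toy_stream_has_data(struct vsock_sock *vsk)  { return vsk->rx_bytes > 0; }
static bool toy_stream_has_space(struct vsock_sock *vsk) { return vsk->tx_free > 0; }

static struct vsock_transport toy_transport = {
    .name = "toy",
    .stream_has_data = toy_stream_has_data,
    .stream_has_space = toy_stream_has_space,
};

/* 'Before' shape: dereferences vsk->transport unconditionally. With a NULL
 * transport this is the null-ptr-deref described above, so the demo only
 * calls it while a transport is assigned. */
static bool vsock_stream_has_data_unguarded(struct vsock_sock *vsk)
{
    return vsk->transport->stream_has_data(vsk);
}

/* 'After' shape: check the pointer, warn once, and report "no data". */
static bool vsock_stream_has_data_guarded(struct vsock_sock *vsk)
{
    if (!vsk->transport) {
        pr_warn_once("%s: called with NULL transport\n", __func__);
        return false;
    }
    return vsk->transport->stream_has_data(vsk);
}

/* Same guard for the has_space path, which the page notes is affected too. */
static bool vsock_stream_has_space_guarded(struct vsock_sock *vsk)
{
    if (!vsk->transport) {
        pr_warn_once("%s: called with NULL transport\n", __func__);
        return false;
    }
    return vsk->transport->stream_has_space(vsk);
}

/* Walk one socket through assign -> de-assign, querying it at each stage.
 * Returns how many queries reported data or space available. */
static int lifecycle_demo(void)
{
    struct vsock_sock sk = { .transport = NULL, .rx_bytes = 16, .tx_free = 4096 };
    int available = 0;

    /* Stage 1: transport assigned; guarded and unguarded accessors agree. */
    sk.transport = &toy_transport;
    available += vsock_stream_has_data_unguarded(&sk);
    available += vsock_stream_has_data_guarded(&sk);
    available += vsock_stream_has_space_guarded(&sk);

    /* Stage 2: transport de-assigned. Only the guarded accessors are safe now;
     * each warns once, and a repeat call stays quiet. */
    sk.transport = NULL;
    available += vsock_stream_has_data_guarded(&sk);
    available += vsock_stream_has_space_guarded(&sk);
    available += vsock_stream_has_data_guarded(&sk);

    return available; /* 3: all three stage-1 queries, none of stage 2 */
}

int main(void)
{
    printf("queries reporting availability: %d, warnings emitted: %u\n",
           lifecycle_demo(), warn_count);
    return 0;
}
```

The point of the lifecycle walk is that the same socket object is valid before and after de-assignment; nothing about the pointer type tells the accessor which state it is in, so the check has to live in the accessor itself. Warning once per function rather than on every call keeps a misbehaving caller from flooding the log while still leaving a trace for debugging.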


Exploit Details

As of now, there have been no recorded instances of this vulnerability being exploited in the wild. However, users are strongly encouraged to update their Linux kernel to the latest version to ensure protection against any potential exploitation.

In conclusion, the CVE-2025-21666 vulnerability has now been patched in the Linux kernel, safeguarding affected systems against potential null-ptr-deref issues in the vsock_*[has_data|has_space] functions. Users are advised to update their Linux kernel to the most recent version to mitigate the risk of similar vulnerabilities.

Timeline

Published on: 01/31/2025 12:15:27 UTC
Last modified on: 02/03/2025 19:59:37 UTC