CVE-2025-21792: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:
ax25: Fix refcount leak caused by setting SO_BINDTODEVICE sockopt
If an AX25 device is bound to a socket by setting the SO_BINDTODEVICE socket option, a refcount leak will occur in ax25_release().
Commit 9fd75b66b8f6 ("ax25: Fix refcount leaks caused by ax25_cb_del()") added decrement of device refcounts in ax25_release(). In order for that to work correctly the refcounts must already be incremented when the device is bound to the socket. An AX25 device can be bound to a socket by either calling ax25_bind() or setting SO_BINDTODEVICE socket option. In both cases the refcounts should be incremented, but in fact it is done only in ax25_bind().
This bug leads to the following issue reported by Syzkaller:
================================================================
refcount_t: decrement hit 0; leaking memory.
WARNING: CPU: 1 PID: 5932 at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210 lib/refcount.c:31
Modules linked in:
CPU: 1 UID: 0 PID: 5932 Comm: syz-executor424 Not tainted 6.13.0-rc4-syzkaller-00110-g4099a71718b0 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:refcount_warn_saturate+0x1ed/0x210 lib/refcount.c:31
Call Trace:
 <TASK>
 __refcount_dec include/linux/refcount.h:336 [inline]
 refcount_dec include/linux/refcount.h:351 [inline]
 ref_tracker_free+0x710/0x820 lib/ref_tracker.c:236
 netdev_tracker_free include/linux/netdevice.h:4156 [inline]
 netdev_put include/linux/netdevice.h:4173 [inline]
 netdev_put include/linux/netdevice.h:4169 [inline]
 ax25_release+0x33f/0xa10 net/ax25/af_ax25.c:1069
 __sock_release+0xb0/0x270 net/socket.c:640
 sock_close+0x1c/0x30 net/socket.c:1408
 ...
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
 ...
 </TASK>
================================================================
Fix the implementation of ax25_setsockopt() by adding increment of refcounts for the new device bound, and decrement of refcounts for the old unbound device.
AI Analysis
Technical Summary
CVE-2025-21792 is a vulnerability in the Linux kernel's AX.25 protocol implementation, in the handling of the socket option that binds a socket to a device. AX.25 is primarily used in amateur packet radio networks. The vulnerability is a reference count leak that occurs when an AX25 device is bound to a socket via the SO_BINDTODEVICE socket option. The root cause is that the kernel increments the device reference counts when a device is bound through ax25_bind(), but not when it is bound via SO_BINDTODEVICE. ax25_release() decrements those reference counts on the assumption that they were incremented at bind time, so a socket bound through the socket option produces an unmatched decrement when it is released. The kernel reports this as a decrement hitting zero ("refcount_t: decrement hit 0; leaking memory."), with ax25_release() in the call trace. The issue was detected by the Syzkaller fuzzing tool. The fix modifies ax25_setsockopt() to increment the reference counts for the newly bound device and decrement them for the previously bound device, which keeps the counting balanced. This vulnerability affects multiple versions of the Linux kernel, including recent commits prior to the fix. Although AX.25 is niche and primarily used in amateur radio contexts, the flaw resides in the kernel's network stack and is reachable wherever AX.25 is enabled or used.
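The imbalance described above, as an added user-space model (not kernel code and not part of the advisory). The toy_* and setsockopt_* names are hypothetical; a count of 1 stands for the device's own registration reference, and any socket-side decrement that reaches 0 is flagged.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified user-space model; every name here is hypothetical, not a kernel symbol. */
struct toy_dev  { int refcnt; bool imbalance; };  /* refcnt 1 = registration's own ref */
struct toy_sock { struct toy_dev *dev; };         /* device the socket is bound to */

static void toy_hold(struct toy_dev *d) { d->refcnt++; }

/* A socket's put must never be the one that reaches 0; flag it if it does. */
static void toy_put(struct toy_dev *d) { if (--d->refcnt <= 0) d->imbalance = true; }

/* Pre-fix behaviour: the socket option binds without taking a reference. */
static void setsockopt_unpatched(struct toy_sock *sk, struct toy_dev *dev) { sk->dev = dev; }

/* Fix as described: hold the new device, drop the previously bound one. */
static void setsockopt_patched(struct toy_sock *sk, struct toy_dev *dev)
{
    struct toy_dev *old = sk->dev;
    toy_hold(dev);            /* hold first so rebinding the same device is safe */
    if (old)
        toy_put(old);
    sk->dev = dev;
}

/* Release path: always drops one reference on the bound device. */
static void toy_release(struct toy_sock *sk)
{
    if (sk->dev) { toy_put(sk->dev); sk->dev = NULL; }
}

typedef void (*bind_fn)(struct toy_sock *, struct toy_dev *);

/* Bind to device a, rebind to b, close; true if both counts are back at 1. */
static bool balanced_after_close(bind_fn bind_opt)
{
    struct toy_dev a = { 1, false }, b = { 1, false };
    struct toy_sock sk = { NULL };
    bind_opt(&sk, &a);
    bind_opt(&sk, &b);
    toy_release(&sk);
    return a.refcnt == 1 && b.refcnt == 1 && !a.imbalance && !b.imbalance;
}

int main(void)
{
    printf("unpatched balanced: %d\n", balanced_after_close(setsockopt_unpatched));
    printf("patched balanced:   %d\n", balanced_after_close(setsockopt_patched));
    return 0;
}
```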
Potential Impact
For European organizations, the direct impact of CVE-2025-21792 is likely limited due to the specialized nature of the AX.25 protocol, which is not commonly used in mainstream enterprise or industrial networks. However, organizations involved in amateur radio, emergency communication services, or specialized research institutions using AX.25 could experience memory leaks leading to resource exhaustion or degraded system stability on affected Linux systems. In a worst-case scenario, repeated exploitation or triggering of the leak could cause denial of service conditions by exhausting kernel memory resources, potentially impacting availability. Since the vulnerability involves kernel-level reference counting, it could also increase the attack surface for local privilege escalation if combined with other vulnerabilities, although no direct exploit is currently known. The vulnerability does not appear to allow remote code execution or direct compromise of confidentiality or integrity but may degrade system reliability. European organizations relying on Linux-based embedded systems or custom network stacks that incorporate AX.25 might also be at risk. Overall, the impact is moderate and mostly affects availability and system stability rather than data confidentiality or integrity.
Mitigation Recommendations
To mitigate CVE-2025-21792, affected organizations should promptly apply the Linux kernel patches that address the reference count leak in the AX.25 implementation. This involves updating to kernel versions that include the fix for ax25_setsockopt() to ensure proper reference count management. Organizations using custom or embedded Linux distributions should verify that their kernel versions incorporate this patch. Additionally, administrators should audit systems to identify any use of AX.25 devices or configurations that bind devices via SO_BINDTODEVICE socket options and consider disabling or restricting AX.25 usage if not required. Monitoring kernel logs for refcount warnings or memory leak indicators can help detect exploitation attempts or triggering of the vulnerability. For environments where AX.25 is critical, implementing resource limits and kernel memory monitoring can reduce the risk of denial of service due to leaks. Finally, maintaining a robust patch management process and subscribing to Linux kernel security advisories will ensure timely awareness and remediation of such vulnerabilities.
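One way to implement the kernel-log check recommended above, as an added example that is not part of the advisory: it counts refcount_t reports whose call trace passes through ax25_release(). The sample log is constructed (the first trace reuses lines quoted in the description, the second is a made-up unrelated report), and the function name is hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample log: the first trace reuses lines quoted in the advisory,
 * the second is an unrelated, made-up refcount report that must not match. */
static const char SAMPLE_LOG[] =
    "refcount_t: decrement hit 0; leaking memory.\n"
    "WARNING: CPU: 1 PID: 5932 at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210\n"
    "Call Trace:\n"
    " <TASK>\n"
    " ref_tracker_free+0x710/0x820 lib/ref_tracker.c:236\n"
    " ax25_release+0x33f/0xa10 net/ax25/af_ax25.c:1069\n"
    " __sock_release+0xb0/0x270 net/socket.c:640\n"
    " </TASK>\n"
    "refcount_t: underflow; use-after-free.\n"
    "Call Trace:\n"
    " <TASK>\n"
    " example_driver_remove+0x10/0x20\n"
    " </TASK>\n"
    "ax25_release: unrelated informational line\n";

/* Count refcount_t reports whose call trace passes through ax25_release(). */
static int count_ax25_refcount_warnings(const char *log)
{
    int hits = 0, in_warning = 0;
    while (*log) {
        size_t len = strcspn(log, "\n");
        char line[256];
        size_t n = len < sizeof(line) - 1 ? len : sizeof(line) - 1;
        memcpy(line, log, n);
        line[n] = '\0';
        if (strstr(line, "refcount_t:")) {
            in_warning = 1;                 /* start of a refcount report */
        } else if (in_warning && strstr(line, "ax25_release+")) {
            hits++;                         /* this report implicates AX.25 */
            in_warning = 0;
        } else if (strstr(line, "</TASK>")) {
            in_warning = 0;                 /* trace ended without a match */
        }
        log += len + (log[len] == '\n');    /* step past the newline, if any */
    }
    return hits;
}

int main(void)
{
    printf("AX.25 refcount warnings: %d\n", count_ax25_refcount_warnings(SAMPLE_LOG));
    return 0;
}
```

Substring matching tolerates the timestamp prefix that dmesg or journalctl output puts in front of each line.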
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-29T08:45:45.767Z
- CISA Enriched: false
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d9820c4522896dcbdd336
Added to database: 5/21/2025, 9:08:48 AM
Last enriched: 6/27/2025, 11:41:20 PM
Last updated: 8/15/2025, 9:09:43 AM