CVE-2025-21854: Vulnerability in the Linux kernel
In the Linux kernel, the following vulnerability has been resolved:

sockmap, vsock: For connectible sockets allow only connected

sockmap expects all vsocks to have a transport assigned, which is expressed in vsock_proto::psock_update_sk_prot(). However, there is an edge case where an unconnected (connectible) socket may lose its previously assigned transport. This is handled with a NULL check in the vsock/BPF recv path.

Another design detail is that listening vsocks are not supposed to have any transport assigned at all. Which implies they are not supported by the sockmap. But this is complicated by the fact that a socket, before switching to TCP_LISTEN, may have had some transport assigned during a failed connect() attempt. Hence, we may end up with a listening vsock in a sockmap, which blows up quickly:

  KASAN: null-ptr-deref in range [0x0000000000000120-0x0000000000000127]
  CPU: 7 UID: 0 PID: 56 Comm: kworker/7:0 Not tainted 6.14.0-rc1+
  Workqueue: vsock-loopback vsock_loopback_work
  RIP: 0010:vsock_read_skb+0x4b/0x90
  Call Trace:
   sk_psock_verdict_data_ready+0xa4/0x2e0
   virtio_transport_recv_pkt+0x1ca8/0x2acc
   vsock_loopback_work+0x27d/0x3f0
   process_one_work+0x846/0x1420
   worker_thread+0x5b3/0xf80
   kthread+0x35a/0x700
   ret_from_fork+0x2d/0x70
   ret_from_fork_asm+0x1a/0x30

For connectible sockets, instead of relying solely on the state of vsk->transport, tell sockmap to only allow those representing established connections. This aligns with the behaviour for AF_INET and AF_UNIX.
AI Analysis
Technical Summary
CVE-2025-21854 is a vulnerability in the Linux kernel's handling of vsock (virtual socket) connections within the sockmap subsystem. Sockmap is a kernel feature that lets BPF (Berkeley Packet Filter) programs process data efficiently on socket data paths. The vulnerability arises from an edge case in the management of connectible vsocks: sockmap expects every vsock to have a transport assigned (an expectation expressed in vsock_proto::psock_update_sk_prot()), but an unconnected connectible socket can lose a previously assigned transport. Listening vsocks, by design, should have no transport assigned at all and are therefore not supported by sockmap; however, a socket may have had a transport assigned during a failed connect() attempt before switching to the TCP_LISTEN state, so a listening vsock can still end up in a sockmap. This inconsistency causes a null pointer dereference in the kernel, as shown by the KASAN (Kernel Address Sanitizer) report in vsock_read_skb() quoted in the description above. The flaw can crash the kernel (denial of service) or potentially enable further exploitation depending on the kernel's state and configuration.

The fix makes sockmap accept only connectible vsocks that represent established connections, aligning vsock behaviour with that of AF_INET and AF_UNIX sockets and preventing unconnected or listening sockets without a proper transport from being included in a sockmap. This vulnerability affects Linux kernel versions around 6.14.0-rc1 and likely other versions with similar sockmap and vsock implementations. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet.
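The following user-space C model is an added example, not kernel code from the patch: it replays the failed-connect-then-listen sequence from the description and compares the pre-fix admission rule (transport present) with the post-fix rule (connectible vsock must be established). The struct and function names (vsk_model, sockmap_allows_vsock_old/new, failed_connect_then_listen) are invented for illustration, and the fallback for non-connectible sockets is an assumption of the model.

```c
#include <stdbool.h>
#include <stdio.h>

enum sk_state { ST_CLOSE, ST_ESTABLISHED, ST_LISTEN };
enum sk_type  { TY_STREAM, TY_SEQPACKET, TY_DGRAM };

/* Hypothetical stand-in for the kernel socket: only the fields the
 * advisory's reasoning depends on. */
struct vsk_model {
    enum sk_type  type;
    enum sk_state state;
    const void   *transport;   /* models vsk->transport; NULL = none */
};

static const int model_transport;  /* any non-NULL address will do */

/* Pre-fix expectation ("all vsocks have a transport assigned"): the
 * only question effectively asked is whether a transport is present. */
static bool sockmap_allows_vsock_old(const struct vsk_model *vsk)
{
    return vsk->transport != NULL;
}

/* Post-fix policy from the advisory: connectible (stream/seqpacket)
 * vsocks are admitted only when established, mirroring AF_INET/AF_UNIX.
 * Non-connectible sockets keep the old check (an assumption here). */
static bool sockmap_allows_vsock_new(const struct vsk_model *vsk)
{
    if (vsk->type == TY_STREAM || vsk->type == TY_SEQPACKET)
        return vsk->state == ST_ESTABLISHED;
    return vsk->transport != NULL;
}

/* Replays the advisory's sequence: a failed connect() leaves a transport
 * assigned, then listen() switches state without clearing it. Returns
 * whether `policy` would admit the resulting listening socket. */
static bool failed_connect_then_listen(bool (*policy)(const struct vsk_model *))
{
    struct vsk_model vsk = { TY_STREAM, ST_CLOSE, NULL };
    vsk.transport = &model_transport;  /* connect() attempt assigns one */
    vsk.state = ST_LISTEN;             /* connect fails, then listen() */
    return policy(&vsk);
}

int main(void)
{
    printf("old policy admits listening vsock: %d\n", failed_connect_then_listen(sockmap_allows_vsock_old));
    printf("new policy admits listening vsock: %d\n", failed_connect_then_listen(sockmap_allows_vsock_new));
    return 0;
}
```

The old rule admits the listening socket because a stale transport is still attached; the new rule rejects it while still admitting an established stream socket.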
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions that use vsock and sockmap features, which are common in environments relying on virtualization, containerization, and advanced networking setups. The impact includes potential kernel crashes leading to denial of service, which can disrupt critical services, especially in data centers, cloud providers, and enterprises relying on Linux-based infrastructure. While direct remote code execution is not indicated, the instability caused by kernel null pointer dereferences can be leveraged in chained attacks or cause significant operational disruptions. Organizations in sectors such as finance, telecommunications, and critical infrastructure that depend on high-availability Linux servers could experience service outages or degraded performance. Additionally, since vsock is often used for communication between virtual machines and host systems, this vulnerability could affect virtualization platforms widely used in European data centers. The lack of known exploits reduces immediate risk, but the vulnerability's presence in kernel code means that attackers with local access or the ability to trigger vsock connections could exploit it to cause denial of service or potentially escalate privileges.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions where this vulnerability is patched, specifically versions beyond 6.14.0-rc1 that include the fix restricting sockmap to established connectible sockets. System administrators should audit their environments to identify systems running vulnerable kernel versions, especially those using virtualization or container platforms that rely on vsock communication. In environments where immediate patching is not feasible, organizations should restrict access to systems that can create vsock connections, limit untrusted user access, and monitor kernel logs for null pointer dereference errors or crashes related to vsock operations. Additionally, disabling or limiting the use of sockmap and vsock features where they are not required reduces the attack surface. Enabling kernel debugging aids such as KASAN on test systems and analysing kernel crash dumps can help detect and respond to exploitation attempts. Coordination with Linux distribution vendors for timely patch deployment and testing is also recommended to ensure stability and security.
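As an added example of the log monitoring recommended above (not part of the advisory), this C program scans kernel log lines for the specific oops signature quoted in the description: a KASAN null-ptr-deref header followed within a few lines by a RIP inside vsock_read_skb. The sample log lines are constructed for the demo; the unrelated function name in the second report is invented.

```c
#include <stdio.h>
#include <string.h>

#define WINDOW 8  /* max lines between the KASAN header and its RIP line */

/* Counts oops reports in lines[0..n) matching the CVE-2025-21854
 * signature. Other KASAN reports do not count, so the check is specific
 * to this crash rather than to "any KASAN splat". */
static int count_vsock_kasan_oops(const char *const *lines, int n)
{
    int hits = 0, pending = -1;  /* index of an unmatched KASAN header */

    for (int i = 0; i < n; i++) {
        if (strstr(lines[i], "KASAN: null-ptr-deref"))
            pending = i;
        else if (pending >= 0 && i - pending <= WINDOW &&
                 strstr(lines[i], "RIP: 0010:vsock_read_skb")) {
            hits++;
            pending = -1;
        }
    }
    return hits;
}

/* Constructed sample log: the advisory's report, surrounded by noise and
 * by an unrelated KASAN report (function name invented) that must not match. */
static const char *const sample_log[] = {
    "[   10.231] virtio_vsock: loaded",
    "[   12.004] KASAN: null-ptr-deref in range [0x0000000000000120-0x0000000000000127]",
    "[   12.004] CPU: 7 UID: 0 PID: 56 Comm: kworker/7:0 Not tainted 6.14.0-rc1+",
    "[   12.004] Workqueue: vsock-loopback vsock_loopback_work",
    "[   12.004] RIP: 0010:vsock_read_skb+0x4b/0x90",
    "[   12.004] Call Trace:",
    "[   12.004]  sk_psock_verdict_data_ready+0xa4/0x2e0",
    "[   30.500] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]",
    "[   30.500] RIP: 0010:unrelated_driver_fn+0x10/0x40",
    "[   31.000] systemd[1]: Started session.",
};
#define SAMPLE_LOG_LEN (int)(sizeof sample_log / sizeof sample_log[0])

int main(void)
{
    printf("vsock_read_skb KASAN reports: %d\n",
           count_vsock_kasan_oops(sample_log, SAMPLE_LOG_LEN));
    return 0;
}
```

On a real host the same function can be fed lines from `dmesg` or the journal; a hit on a kernel that should already carry the fix is worth a closer look.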
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Ireland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-29T08:45:45.780Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9832c4522896dcbe89fb
Added to database: 5/21/2025, 9:09:06 AM
Last enriched: 6/30/2025, 9:57:10 AM
Last updated: 8/14/2025, 4:44:16 AM