CVE-2025-22109: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

ax25: Remove broken autobind

Binding an AX25 socket by using the autobind feature leads to memory leaks in ax25_connect() and also refcount leaks in ax25_release().

Memory leak was detected with kmemleak:

================================================================
unreferenced object 0xffff8880253cd680 (size 96):
  backtrace:
    __kmalloc_node_track_caller_noprof (./include/linux/kmemleak.h:43)
    kmemdup_noprof (mm/util.c:136)
    ax25_rt_autobind (net/ax25/ax25_route.c:428)
    ax25_connect (net/ax25/af_ax25.c:1282)
    __sys_connect_file (net/socket.c:2045)
    __sys_connect (net/socket.c:2064)
    __x64_sys_connect (net/socket.c:2067)
    do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
    entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
================================================================

When a socket is bound, refcounts must be incremented the way it is done in ax25_bind() and ax25_setsockopt() (SO_BINDTODEVICE). In case of autobind, the refcounts are not incremented.

This bug leads to the following issue reported by Syzkaller:

================================================================
ax25_connect(): syz-executor318 uses autobind, please contact jreuter@yaina.de
------------[ cut here ]------------
refcount_t: decrement hit 0; leaking memory.
WARNING: CPU: 0 PID: 5317 at lib/refcount.c:31 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:31
Modules linked in:
CPU: 0 UID: 0 PID: 5317 Comm: syz-executor318 Not tainted 6.14.0-rc4-syzkaller-00278-gece144f151ac #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:31
...
Call Trace:
 <TASK>
 __refcount_dec include/linux/refcount.h:336 [inline]
 refcount_dec include/linux/refcount.h:351 [inline]
 ref_tracker_free+0x6af/0x7e0 lib/ref_tracker.c:236
 netdev_tracker_free include/linux/netdevice.h:4302 [inline]
 netdev_put include/linux/netdevice.h:4319 [inline]
 ax25_release+0x368/0x960 net/ax25/af_ax25.c:1080
 __sock_release net/socket.c:647 [inline]
 sock_close+0xbc/0x240 net/socket.c:1398
 __fput+0x3e9/0x9f0 fs/file_table.c:464
 __do_sys_close fs/open.c:1580 [inline]
 __se_sys_close fs/open.c:1565 [inline]
 __x64_sys_close+0x7f/0x110 fs/open.c:1565
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
 ...
 </TASK>
================================================================

Considering the issues above and the comments left in the code that say: "check if we can remove this feature. It is broken."; "autobinding in this may or may not work"; it is better to completely remove this feature than to fix it, because it is broken and leads to various kinds of memory bugs.

Now calling connect() without first binding the socket will result in an error (-EINVAL). Userspace software that relies on the autobind feature might get broken. However, this feature does not seem widely used with this specific driver, as it was not reliable at any point in time, and it is already broken anyway. E.g. the ax25-tools and ax25-apps packages for popular distributions do not use the autobind feature for AF_AX25.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
AI Analysis
Technical Summary
CVE-2025-22109 is a vulnerability identified in the Linux kernel's AX.25 protocol implementation, specifically related to the 'autobind' feature used when binding AX.25 sockets. AX.25 is a network protocol primarily used in amateur radio communications. The vulnerability arises because the autobind feature improperly manages memory and reference counts during socket connection and release operations. When an AX.25 socket is bound using autobind, it leads to memory leaks in the ax25_connect() function and reference count leaks in ax25_release(). This was detected using the kernel memory leak detector (kmemleak) and further confirmed by the Syzkaller fuzzing tool, which reported refcount decrement errors and memory leaks. The root cause is that the autobind feature does not increment reference counts correctly, unlike the standard binding methods (ax25_bind() and ax25_setsockopt() with SO_BINDTODEVICE). The Linux kernel developers have decided to remove the autobind feature entirely rather than fix it, as it is inherently broken and leads to various memory management bugs. Consequently, calling connect() without explicitly binding the socket will now return an error (-EINVAL). While this change may break some userspace applications relying on autobind, such usage is reportedly rare and not supported by common AX.25 tools like ax25-tools and ax25-apps. The vulnerability does not appear to be exploited in the wild and affects Linux kernel versions prior to the patch. No CVSS score has been assigned yet. The issue was discovered by the Linux Verification Center using Syzkaller.
Potential Impact
The primary impact of this vulnerability is a memory leak and reference count mismanagement in the Linux kernel's AX.25 networking stack. While this does not directly lead to remote code execution or privilege escalation, the memory leaks can degrade system stability and potentially lead to denial of service (DoS) conditions on affected systems, especially those heavily utilizing AX.25 networking. For European organizations, the impact is likely limited to niche environments where AX.25 is used, such as amateur radio operators, emergency communication networks, or specialized industrial or research setups that rely on AX.25. The removal of the autobind feature may cause compatibility issues with legacy or custom software that implicitly depends on this feature, potentially disrupting operations until software is updated to explicitly bind sockets. However, since the feature was unreliable and rarely used, widespread operational impact is expected to be minimal. The vulnerability does not appear to expose confidentiality or integrity risks directly. The lack of known exploits in the wild further reduces immediate risk. Nonetheless, organizations running Linux kernels with AX.25 support should be aware of potential stability issues and ensure their software is compatible with the updated kernel behavior.
Mitigation Recommendations
1. Upgrade Linux kernels to versions where the autobind feature has been removed and this vulnerability fixed. This is the most effective mitigation.
2. Audit and update any userspace applications or custom software that use AX.25 sockets to explicitly bind sockets before calling connect(), as autobind is no longer supported.
3. For organizations using AX.25 in production or critical environments, conduct thorough testing of communication software against updated kernels to identify and resolve any compatibility issues.
4. Monitor system logs for memory leak warnings or refcount errors related to AX.25 sockets to detect potential residual issues.
5. If AX.25 is not used, consider disabling the AX.25 kernel module to reduce attack surface and avoid unnecessary kernel code execution.
6. Engage with Linux distribution maintainers to ensure timely deployment of patches and updates related to this vulnerability.
7. For environments where kernel upgrades are delayed, consider backporting patches or applying kernel-level workarounds to prevent autobind usage.
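Recommendation 2 above is the compatibility change a client program needs after the fix: bind the AX.25 socket to a local port callsign yourself, then connect(). The following C program is an added example written for this page; it is not code from the kernel commit, the advisory, or the ax25-tools/ax25-apps projects. It encodes a "CALL-SSID" string into the 7-byte address form used by the kernel (each character shifted left by one, SSID in bits 1-4 of the last byte with the reserved bits set), fills a struct full_sockaddr_ax25, and performs the explicit bind before connect(). The placeholder callsigns N0CALL-1 and N0CALL-2 are constructed values, and the fallback struct definitions are an assumption that mirrors the layout of <linux/ax25.h> for systems where that header is not installed.

```c
/* Added example (not from the kernel commit or this advisory): an AX.25
 * client that binds explicitly instead of relying on the removed autobind.
 * Falls back to local struct definitions that mirror the UAPI layout of
 * <linux/ax25.h> when that header is unavailable (assumption). */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>

#ifdef __has_include
#  if __has_include(<linux/ax25.h>)
#    include <linux/ax25.h>
#    define HAVE_LINUX_AX25_H 1
#  endif
#endif
#ifndef HAVE_LINUX_AX25_H
#  define AX25_MAX_DIGIS 8
typedef struct { char ax25_call[7]; } ax25_address;
struct sockaddr_ax25 {
    unsigned short sax25_family;
    ax25_address   sax25_call;
    int            sax25_ndigis;
};
struct full_sockaddr_ax25 {
    struct sockaddr_ax25 fsa_ax25;
    ax25_address         fsa_digipeater[AX25_MAX_DIGIS];
};
#endif
#ifndef AF_AX25
#  define AF_AX25 3
#endif

/* Encode "CALL" or "CALL-SSID" into the 7-byte address form: up to six
 * alphanumeric characters shifted left by one, padded with shifted spaces,
 * SSID (0..15) in bits 1-4 of byte 6 with the reserved bits 0x60 set.
 * Returns 0 on success, -1 for an empty/too long call, a bad character,
 * or an SSID outside 0..15. */
static int ax25_encode_call(const char *text, ax25_address *out)
{
    size_t i = 0;
    const char *p = text;
    long ssid = 0;

    while (*p && *p != '-') {
        if (i == 6 || !isalnum((unsigned char)*p))
            return -1;
        out->ax25_call[i++] = (char)(toupper((unsigned char)*p) << 1);
        p++;
    }
    if (i == 0)
        return -1;
    while (i < 6)
        out->ax25_call[i++] = (char)(' ' << 1);
    if (*p == '-') {
        char *end;
        ssid = strtol(p + 1, &end, 10);
        if (end == p + 1 || *end != '\0' || ssid < 0 || ssid > 15)
            return -1;
    }
    out->ax25_call[6] = (char)(((ssid << 1) & 0x1e) | 0x60);
    return 0;
}

/* Convenience for checks: encoded byte idx (0..6) as 0..255, or -1 on error. */
static int ax25_call_byte(const char *text, int idx)
{
    ax25_address a;
    if (idx < 0 || idx > 6 || ax25_encode_call(text, &a) < 0)
        return -1;
    return (unsigned char)a.ax25_call[idx];
}

/* Fill a full_sockaddr_ax25 with no digipeaters for the given callsign. */
static int ax25_fill_addr(struct full_sockaddr_ax25 *sa, const char *call)
{
    memset(sa, 0, sizeof *sa);
    sa->fsa_ax25.sax25_family = AF_AX25;
    sa->fsa_ax25.sax25_ndigis = 0;
    return ax25_encode_call(call, &sa->fsa_ax25.sax25_call);
}

/* Open a connected-mode AX.25 socket, bind it to the local port callsign
 * (the step autobind used to perform implicitly), then connect().
 * Returns the descriptor, or -1 with errno set. On fixed kernels, omitting
 * the bind() makes connect() fail with EINVAL. */
static int ax25_connect_explicit(const char *local_call, const char *remote_call)
{
    struct full_sockaddr_ax25 local, remote;
    int fd, saved;

    if (ax25_fill_addr(&local, local_call) < 0 ||
        ax25_fill_addr(&remote, remote_call) < 0) {
        errno = EINVAL;
        return -1;
    }
    fd = socket(AF_AX25, SOCK_SEQPACKET, 0);
    if (fd < 0)
        return -1; /* EAFNOSUPPORT when the ax25 module is not loaded */
    if (bind(fd, (struct sockaddr *)&local, sizeof local) < 0 ||
        connect(fd, (struct sockaddr *)&remote, sizeof remote) < 0) {
        saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    /* Placeholder callsigns (constructed); pass your own as arguments. */
    const char *local  = argc > 1 ? argv[1] : "N0CALL-1";
    const char *remote = argc > 2 ? argv[2] : "N0CALL-2";
    int fd = ax25_connect_explicit(local, remote);
    if (fd < 0) {
        perror("ax25_connect_explicit");
        return 1;
    }
    puts("connected after explicit bind");
    close(fd);
    return 0;
}
```

The local callsign must match an AX.25 port configured on the host (bind() otherwise fails with EADDRNOTAVAIL), so this also serves as a quick check that legacy software has been converted: any client that still calls connect() straight after socket() will see EINVAL on a kernel carrying the fix.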
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-29T08:45:45.820Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9832c4522896dcbe8166
Added to database: 5/21/2025, 9:09:06 AM
Last enriched: 7/3/2025, 9:26:14 PM
Last updated: 8/18/2025, 11:32:38 PM
Views: 13