{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-21670", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-12-29T08:45:45.735Z", "datePublished": "2025-01-31T11:25:33.874Z", "dateUpdated": "2025-01-31T11:25:33.874Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-01-31T11:25:33.874Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock/bpf: return early if transport is not assigned\n\nSome of the core functions can only be called if the transport\nhas been assigned.\n\nAs Michal reported, a socket might have the transport at NULL,\nfor example after a failed connect(), causing the following trace:\n\n BUG: kernel NULL pointer dereference, address: 00000000000000a0\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 12faf8067 P4D 12faf8067 PUD 113670067 PMD 0\n Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 15 UID: 0 PID: 1198 Comm: a.out Not tainted 6.13.0-rc2+\n RIP: 0010:vsock_connectible_has_data+0x1f/0x40\n Call Trace:\n vsock_bpf_recvmsg+0xca/0x5e0\n sock_recvmsg+0xb9/0xc0\n __sys_recvfrom+0xb3/0x130\n __x64_sys_recvfrom+0x20/0x30\n do_syscall_64+0x93/0x180\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nSo we need to check the `vsk->transport` in vsock_bpf_recvmsg(),\nespecially for connected sockets (stream/seqpacket) as we already\ndo in __vsock_connectible_recvmsg()."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/vmw_vsock/vsock_bpf.c"], "versions": [{"version": "634f1a7110b439c65fd8a809171c1d2d28bcea6f", "lessThan": "58e586c30d0b6f5dc0174a41026f2b0a48c9aab6", "status": "affected", "versionType": "git"}, {"version": "634f1a7110b439c65fd8a809171c1d2d28bcea6f", "lessThan": "6771e1279dadf1d92a72e1465134257d9e6f2459", "status": "affected", "versionType": "git"}, {"version": "634f1a7110b439c65fd8a809171c1d2d28bcea6f", "lessThan": "f6abafcd32f9cfc4b1a2f820ecea70773e26d423", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/vmw_vsock/vsock_bpf.c"], "versions": [{"version": "6.4", "status": "affected"}, {"version": "0", "lessThan": "6.4", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.74", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.11", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.13", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/58e586c30d0b6f5dc0174a41026f2b0a48c9aab6"}, {"url": "https://git.kernel.org/stable/c/6771e1279dadf1d92a72e1465134257d9e6f2459"}, {"url": "https://git.kernel.org/stable/c/f6abafcd32f9cfc4b1a2f820ecea70773e26d423"}], "title": "vsock/bpf: return early if transport is not assigned", "x_generator": {"engine": "bippy-5f407fcff5a0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "6BE232AC-5A0F-4273-8CB5-7767FDE5879E", "versionEndExcluding": "6.6.74", "versionStartIncluding": "6.4", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B7D0DBC3-F63C-4396-8A47-6F3D4FA0556E", "versionEndExcluding": "6.12.11", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*", "matchCriteriaId": "62567B3C-6CEE-46D0-BC2E-B3717FBF7D13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:*", "matchCriteriaId": "5A073481-106D-4B15-B4C7-FB0213B8E1D4", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:*", "matchCriteriaId": "DE491969-75AE-4A6B-9A58-8FC5AF98798F", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc4:*:*:*:*:*:*", "matchCriteriaId": "93C0660D-7FB8-4FBA-892A-B064BA71E49E", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc5:*:*:*:*:*:*", "matchCriteriaId": "034C36A6-C481-41F3-AE9A-D116E5BE6895", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc6:*:*:*:*:*:*", "matchCriteriaId": "8AF9DC49-2085-4FFB-A7E3-73DFAFECC7F2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc7:*:*:*:*:*:*", "matchCriteriaId": "5DFCDFB8-4FD0-465A-9076-D813D78FE51B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock/bpf: return early if transport is not assigned\n\nSome of the core functions can only be called if the transport\nhas been assigned.\n\nAs Michal reported, a socket might have the transport at NULL,\nfor example after a failed connect(), causing the following trace:\n\n BUG: kernel NULL pointer dereference, address: 00000000000000a0\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 12faf8067 P4D 12faf8067 PUD 113670067 PMD 0\n Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 15 UID: 0 PID: 1198 Comm: a.out Not tainted 6.13.0-rc2+\n RIP: 0010:vsock_connectible_has_data+0x1f/0x40\n Call Trace:\n vsock_bpf_recvmsg+0xca/0x5e0\n sock_recvmsg+0xb9/0xc0\n __sys_recvfrom+0xb3/0x130\n __x64_sys_recvfrom+0x20/0x30\n do_syscall_64+0x93/0x180\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nSo we need to check the `vsk->transport` in vsock_bpf_recvmsg(),\nespecially for connected sockets (stream/seqpacket) as we already\ndo in __vsock_connectible_recvmsg()."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: vsock/bpf: retorno anticipado si el transporte no est\u00e1 asignado Algunas de las funciones principales solo se pueden llamar si el transporte ha sido asignado. Como inform\u00f3 Michal, un socket puede tener el transporte en NULL, por ejemplo despu\u00e9s de un connect() fallido, lo que provoca el siguiente seguimiento: ERROR: desreferencia de puntero NULL del n\u00facleo, direcci\u00f3n: 00000000000000a0 #PF: acceso de lectura de supervisor en modo n\u00facleo #PF: error_code(0x0000) - p\u00e1gina no presente PGD 12faf8067 P4D 12faf8067 PUD 113670067 PMD 0 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 15 UID: 0 PID: 1198 Comm: a.out No contaminado 6.13.0-rc2+ RIP: 0010:vsock_connectible_has_data+0x1f/0x40 Seguimiento de llamada: vsock_bpf_recvmsg+0xca/0x5e0 sock_recvmsg+0xb9/0xc0 __sys_recvfrom+0xb3/0x130 __x64_sys_recvfrom+0x20/0x30 do_syscall_64+0x93/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e Por lo tanto, debemos verificar `vsk->transport` en vsock_bpf_recvmsg(), especialmente para sockets conectados (stream/seqpacket) como ya lo hacemos en __vsock_connectible_recvmsg()."}], "id": "CVE-2025-21670", "lastModified": "2025-02-04T15:37:25.103", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-01-31T12:15:28.160", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/58e586c30d0b6f5dc0174a41026f2b0a48c9aab6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/6771e1279dadf1d92a72e1465134257d9e6f2459"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f6abafcd32f9cfc4b1a2f820ecea70773e26d423"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: vsock/bpf: return early if transport is not assigned", "id": "2343178", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2343178"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nvsock/bpf: return early if transport is not assigned\nSome of the core functions can only be called if the transport\nhas been assigned.\nAs Michal reported, a socket might have the transport at NULL,\nfor example after a failed connect(), causing the following trace:\nBUG: kernel NULL pointer dereference, address: 00000000000000a0\n#PF: supervisor read access in kernel mode\n#PF: error_code(0x0000) - not-present page\nPGD 12faf8067 P4D 12faf8067 PUD 113670067 PMD 0\nOops: Oops: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 15 UID: 0 PID: 1198 Comm: a.out Not tainted 6.13.0-rc2+\nRIP: 0010:vsock_connectible_has_data+0x1f/0x40\nCall Trace:\nvsock_bpf_recvmsg+0xca/0x5e0\nsock_recvmsg+0xb9/0xc0\n__sys_recvfrom+0xb3/0x130\n__x64_sys_recvfrom+0x20/0x30\ndo_syscall_64+0x93/0x180\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\nSo we need to check the `vsk->transport` in vsock_bpf_recvmsg(),\nespecially for connected sockets (stream/seqpacket) as we already\ndo in __vsock_connectible_recvmsg()."], "name": "CVE-2025-21670", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-01-31T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-21670\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-21670\nhttps://lore.kernel.org/linux-cve-announce/2025013159-CVE-2025-21670-5d52@gregkh/T"], "threat_severity": "Moderate"}