{"id":"AZL-59043","summary":"CVE-2025-21731 affecting package kernel for versions less than 5.15.180.1-1","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: don't allow reconnect after disconnect\n\nFollowing process can cause nbd_config UAF:\n\n1) grab nbd_config temporarily;\n\n2) nbd_genl_disconnect() flush all recv_work() and release the\ninitial reference:\n\n  nbd_genl_disconnect\n   nbd_disconnect_and_put\n    nbd_disconnect\n     flush_workqueue(nbd-\u003erecv_workq)\n    if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF, ...))\n     nbd_config_put\n     -\u003e due to step 1), reference is still not zero\n\n3) nbd_genl_reconfigure() queue recv_work() again;\n\n  nbd_genl_reconfigure\n   config = nbd_get_config_unlocked(nbd)\n   if (!config)\n   -\u003e succeed\n   if (!test_bit(NBD_RT_BOUND, ...))\n   -\u003e succeed\n   nbd_reconnect_socket\n    queue_work(nbd-\u003erecv_workq, &args-\u003ework)\n\n4) step 1) release the reference;\n\n5) Finially, recv_work() will trigger UAF:\n\n  recv_work\n   nbd_config_put(nbd)\n   -\u003e nbd_config is freed\n   atomic_dec(&config-\u003erecv_threads)\n   -\u003e UAF\n\nFix the problem by clearing NBD_RT_BOUND in nbd_genl_disconnect(), so\nthat nbd_genl_reconfigure() will fail.","modified":"2026-04-01T05:19:23.991064Z","published":"2025-02-27T02:15:16Z","upstream":["CVE-2025-21731"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21731"}],"affected":[{"package":{"name":"kernel","ecosystem":"Azure Linux:2","purl":"pkg:rpm/azure-linux/kernel"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.15.180.1-1"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-59043.json"}}],"schema_version":"1.7.5"}