{"id":"ASB-A-396331793","details":"In multiple functions of af_vsock.c, there is a possible way to cause a use after free due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-396331793","CVE-2025-21756"],"modified":"2026-05-25T16:46:24.913870386Z","published":"2025-09-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2025-09-01"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/9241eb16e35eb5fb700caf060ff0efb0e0a0fcd7"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/50854473806ad532c32bdf23327823b860670849"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/537268adf4cdb2b5ec905c01ffa919a71556ffa8"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/e2647b0fb4204838e32275f85859b029dc9f36b4"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/7f11cc02d9eeec5c0eca76ddfa5f5f1c3c6688f2"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/cd0ebcd1757913ed6232b90203f586cd4b59de42"}],"affected":[{"package":{"name":":linux_kernel:","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":":0"},{"fixed":":2025-09-05"}]}],"versions":["Kernel"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/kernel/common/+/9241eb16e35eb5fb700caf060ff0efb0e0a0fcd7","https://android.googlesource.com/kernel/common/+/50854473806ad532c32bdf23327823b860670849","https://android.googlesource.com/kernel/common/+/537268adf4cdb2b5ec905c01ffa919a71556ffa8","https://android.googlesource.com/kernel/common/+/e2647b0fb4204838e32275f85859b029dc9f36b4","https://android.googlesource.com/kernel/common/+/7f11cc02d9eeec5c0eca76ddfa5f5f1c3c6688f2","https://android.googlesource.com/kernel/common/+/cd0ebcd1757913ed6232b90203f586cd4b59de42"],"types":["EoP"],"vanir_signatures":[{"deprecated":false,"id":"ASB-A-396331793-00fb50b2","digest":{"line_hashes":["216031250881535994547217481730219102762","90555138792096488986296963783855082302","98018131091013516664770668311754345692","242604298144200656347328455021384900968","323442038042609965760726624131774774046","315724195452782696640481136568126420521","218859128747834444097518954983112248067","41974691450165411508088936030051107514","303135410341512832922987949011171567332","293447143716288087782998231756667726069","217372882858124409694692800924143448439","27001985859552970730294629122776046919"],"threshold":0.9},"signature_version":"v1","source":"https://android.googlesource.com/kernel/common/+/7f11cc02d9eeec5c0eca76ddfa5f5f1c3c6688f2","signature_type":"Line","target":{"file":"net/vmw_vsock/af_vsock.c"}},{"deprecated":false,"id":"ASB-A-396331793-0e1f11d5","digest":{"length":534,"function_hash":"1199143035182268879967339865194876810"},"signature_version":"v1","source":"https://android.googlesource.com/kernel/common/+/7f11cc02d9eeec5c0eca76ddfa5f5f1c3c6688f2","signature_type":"Function","target":{"file":"net/vmw_vsock/af_vsock.c","function":"__vsock_release"}},{"deprecated":false,"id":"ASB-A-396331793-512a2b3d","digest":{"length":78,"function_hash":"56771322495587552517050006786434802306"},"signature_version":"v1","source":"https://android.googlesource.com/kernel/common/+/50854473806ad532c32bdf23327823b860670849","signature_type":"Function","target":{"file":"net/vmw_vsock/af_vsock.c","function":"vsock_remove_sock"}},{"deprecated":false,"id":"ASB-A-396331793-5a2155a4","digest":{"length":133,"function_hash":"201901315493088586616214111401042328286"},"signature_version":"v1","source":"https://android.googlesource.com/kernel/common/+/e2647b0fb4204838e32275f85859b029dc9f36b4","signature_type":"Function","target":{"file":"net/vmw_vsock/af_vsock.c","function":"vsock_release"}},{"deprecated":false,"id":"ASB-A-396331793-70e7774b","digest":{"line_hashes":["315846547144954437932558349803332645610","320060109348457990275876292068332149390","171113167129683175015413479739546363520","108308316375388446611909049605242978300","30522377330953224613483610200870480856","66635436580498319333909487219277994603","64008924649880362344851756048398435524","59795737601929499687007124819557276142","13844978785472152353820985718841496564","252440609494799904757554821555758005678","193578080547856560891172580259353551177","324817725186817950504563294076275753603","33149915624675340629758735699835723746","120597655316457347810288777397500665205","323442038042609965760726624131774774046","315724195452782696640481136568126420521","218859128747834444097518954983112248067","41974691450165411508088936030051107514","303135410341512832922987949011171567332","293447143716288087782998231756667726069","217372882858124409694692800924143448439","27001985859552970730294629122776046919","287720964837175276525043702928629401063","126764233531615465406813719486226524501","166886801417624102228996027314905634212","297418314889194643726517960987498017055","239702888451537020203833020087517190673","200086054474506847711024653193546314951","150079744505588801598444404005677194670","115453014194897095380714724382710475986","18384042746427778123554852254479757460","170486617078406887609615400554866883248","180425140671024262136987412792944849196","287898489819190686376446792580308510901","76625943974890976020616112015562727052","296793748086722370570244480090468778884","198941962025081482476280306437983375873"],"threshold":0.9},"signature_version":"v1","source":"https://android.googlesource.com/kernel/common/+/9241eb16e35eb5fb700caf060ff0efb0e0a0fcd7","signature_type":"Line","target":{"file":"net/vmw_vsock/af_vsock.c"}},{"deprecated":false,"id":"ASB-A-396331793-88a64c05","digest":{"length":534,"function_hash":"126848679477018314214406474872698622072"},"signature_version":"v1","source":"https://android.googlesource.com/kernel/common/+/cd0ebcd1757913ed6232b90203f586cd4b59de42","signature_type":"Function","target":{"file":"net/vmw_vsock/af_vsock.c","function":"__vsock_release"}},{"deprecated":false,"id":"ASB-A-396331793-a05c8d50","digest":{"length":534,"function_hash":"1199143035182268879967339865194876810"},"signature_version":"v1","source":"https://android.googlesource.com/kernel/common/+/50854473806ad532c32bdf23327823b860670849","signature_type":"Function","target":{"file":"net/vmw_vsock/af_vsock.c","function":"__vsock_release"}},{"deprecated":false,"id":"ASB-A-396331793-b1678abd","digest":{"line_hashes":["102499741651576453360814942821556486985","320060109348457990275876292068332149390","171113167129683175015413479739546363520","108308316375388446611909049605242978300","30522377330953224613483610200870480856","66635436580498319333909487219277994603","64008924649880362344851756048398435524","59795737601929499687007124819557276142","13844978785472152353820985718841496564","252440609494799904757554821555758005678","193578080547856560891172580259353551177","324817725186817950504563294076275753603","33149915624675340629758735699835723746","120597655316457347810288777397500665205","323442038042609965760726624131774774046","315724195452782696640481136568126420521","218859128747834444097518954983112248067","41974691450165411508088936030051107514","303135410341512832922987949011171567332","293447143716288087782998231756667726069","217372882858124409694692800924143448439","27001985859552970730294629122776046919","287720964837175276525043702928629401063","126764233531615465406813719486226524501","166886801417624102228996027314905634212","297418314889194643726517960987498017055","239702888451537020203833020087517190673","200086054474506847711024653193546314951","150079744505588801598444404005677194670","115453014194897095380714724382710475986","18384042746427778123554852254479757460","307589405962469792007071366795593608290","44162471054656546597034867723791245178","217697617222064585803148815690387737198","76625943974890976020616112015562727052","296793748086722370570244480090468778884","198941962025081482476280306437983375873"],"threshold":0.9},"signature_version":"v1","source":"https://android.googlesource.com/kernel/common/+/e2647b0fb4204838e32275f85859b029dc9f36b4","signature_type":"Line","target":{"file":"net/vmw_vsock/af_vsock.c"}},{"deprecated":false,"id":"ASB-A-396331793-b3395248","digest":{"length":551,"function_hash":"112974489303941346190185582742426375129"},"signature_version":"v1","target":{"file":"net/vmw_vsock/af_vsock.c","function":"__vsock_release"},"signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/9241eb16e35eb5fb700caf060ff0efb0e0a0fcd7"},{"deprecated":false,"id":"ASB-A-396331793-c3984523","digest":{"length":133,"function_hash":"201901315493088586616214111401042328286"},"signature_version":"v1","source":"https://android.googlesource.com/kernel/common/+/9241eb16e35eb5fb700caf060ff0efb0e0a0fcd7","signature_type":"Function","target":{"file":"net/vmw_vsock/af_vsock.c","function":"vsock_release"}},{"deprecated":false,"id":"ASB-A-396331793-c6aa4fec","digest":{"line_hashes":["60039586786278024433281876996342139717","118989826412430198957746093014059497328","216025663100643257532460380560852792546","308943728128160566691829774389250289941","41974691450165411508088936030051107514","130686715660741360316831533967041962482","237461933337707594619662446597172187049","307165715887453148253448425334092949562"],"threshold":0.9},"signature_version":"v1","source":"https://android.googlesource.com/kernel/common/+/cd0ebcd1757913ed6232b90203f586cd4b59de42","signature_type":"Line","target":{"file":"net/vmw_vsock/af_vsock.c"}},{"deprecated":false,"id":"ASB-A-396331793-d37c9581","digest":{"length":534,"function_hash":"126848679477018314214406474872698622072"},"signature_version":"v1","source":"https://android.googlesource.com/kernel/common/+/537268adf4cdb2b5ec905c01ffa919a71556ffa8","signature_type":"Function","target":{"file":"net/vmw_vsock/af_vsock.c","function":"__vsock_release"}},{"deprecated":false,"id":"ASB-A-396331793-d7467a74","digest":{"line_hashes":["60039586786278024433281876996342139717","118989826412430198957746093014059497328","216025663100643257532460380560852792546","308943728128160566691829774389250289941","41974691450165411508088936030051107514","130686715660741360316831533967041962482","237461933337707594619662446597172187049","307165715887453148253448425334092949562"],"threshold":0.9},"signature_version":"v1","source":"https://android.googlesource.com/kernel/common/+/537268adf4cdb2b5ec905c01ffa919a71556ffa8","signature_type":"Line","target":{"file":"net/vmw_vsock/af_vsock.c"}},{"deprecated":false,"id":"ASB-A-396331793-dbe124d3","digest":{"length":78,"function_hash":"56771322495587552517050006786434802306"},"signature_version":"v1","target":{"file":"net/vmw_vsock/af_vsock.c","function":"vsock_remove_sock"},"signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/7f11cc02d9eeec5c0eca76ddfa5f5f1c3c6688f2"},{"deprecated":false,"id":"ASB-A-396331793-f52c5b15","digest":{"line_hashes":["216031250881535994547217481730219102762","90555138792096488986296963783855082302","98018131091013516664770668311754345692","242604298144200656347328455021384900968","323442038042609965760726624131774774046","315724195452782696640481136568126420521","218859128747834444097518954983112248067","41974691450165411508088936030051107514","303135410341512832922987949011171567332","293447143716288087782998231756667726069","217372882858124409694692800924143448439","27001985859552970730294629122776046919"],"threshold":0.9},"signature_version":"v1","source":"https://android.googlesource.com/kernel/common/+/50854473806ad532c32bdf23327823b860670849","signature_type":"Line","target":{"file":"net/vmw_vsock/af_vsock.c"}},{"deprecated":false,"id":"ASB-A-396331793-fe956c39","digest":{"length":551,"function_hash":"112974489303941346190185582742426375129"},"signature_version":"v1","source":"https://android.googlesource.com/kernel/common/+/e2647b0fb4204838e32275f85859b029dc9f36b4","signature_type":"Function","target":{"file":"net/vmw_vsock/af_vsock.c","function":"__vsock_release"}}],"spl":"2025-09-05","severity":"Moderate"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-396331793.json"}}],"schema_version":"1.7.5"}