{"id":"CVE-2025-21731","summary":"nbd: don't allow reconnect after disconnect","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: don't allow reconnect after disconnect\n\nFollowing process can cause nbd_config UAF:\n\n1) grab nbd_config temporarily;\n\n2) nbd_genl_disconnect() flush all recv_work() and release the\ninitial reference:\n\n  nbd_genl_disconnect\n   nbd_disconnect_and_put\n    nbd_disconnect\n     flush_workqueue(nbd-\u003erecv_workq)\n    if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF, ...))\n     nbd_config_put\n     -\u003e due to step 1), reference is still not zero\n\n3) nbd_genl_reconfigure() queue recv_work() again;\n\n  nbd_genl_reconfigure\n   config = nbd_get_config_unlocked(nbd)\n   if (!config)\n   -\u003e succeed\n   if (!test_bit(NBD_RT_BOUND, ...))\n   -\u003e succeed\n   nbd_reconnect_socket\n    queue_work(nbd-\u003erecv_workq, &args-\u003ework)\n\n4) step 1) release the reference;\n\n5) Finially, recv_work() will trigger UAF:\n\n  recv_work\n   nbd_config_put(nbd)\n   -\u003e nbd_config is freed\n   atomic_dec(&config-\u003erecv_threads)\n   -\u003e UAF\n\nFix the problem by clearing NBD_RT_BOUND in nbd_genl_disconnect(), so\nthat nbd_genl_reconfigure() will fail.","modified":"2026-04-02T12:45:12.179665Z","published":"2025-02-27T02:07:35.927Z","related":["SUSE-SU-2025:01919-1","SUSE-SU-2025:02846-1","SUSE-SU-2025:1177-1","SUSE-SU-2025:1178-1","SUSE-SU-2025:1180-1","SUSE-SU-2025:20190-1","SUSE-SU-2025:20192-1","SUSE-SU-2025:20260-1","SUSE-SU-2025:20270-1","USN-7521-2"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21731.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/6bef6222a3f6c7adb6396f77f25a3579d821b09a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/844b8cdc681612ff24df62cdefddeab5772fadf1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9793bd5ae4bdbdb2dde401a3cab94a6bfd05e302"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a8ee6ecde2b7bfb58c8a3afe8a9d2b848f580739"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d208d2c52b652913b5eefc8ca434b0d6b757f68f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e3be8862d73cac833e0fb7602636c19c6cb94b11"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e70a578487a47d7cf058904141e586684d1c3381"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e7343fa33751cb07c1c56b666bf37cfca357130e"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21731.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21731"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"b7aa3d39385dc2d95899f9e379623fef446a2acd"},{"fixed":"e70a578487a47d7cf058904141e586684d1c3381"},{"fixed":"6bef6222a3f6c7adb6396f77f25a3579d821b09a"},{"fixed":"e3be8862d73cac833e0fb7602636c19c6cb94b11"},{"fixed":"e7343fa33751cb07c1c56b666bf37cfca357130e"},{"fixed":"d208d2c52b652913b5eefc8ca434b0d6b757f68f"},{"fixed":"a8ee6ecde2b7bfb58c8a3afe8a9d2b848f580739"},{"fixed":"9793bd5ae4bdbdb2dde401a3cab94a6bfd05e302"},{"fixed":"844b8cdc681612ff24df62cdefddeab5772fadf1"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-21731.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}