Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2025-40248

Опубликовано: 04 дек. 2025
Источник: redhat
CVSS3: 7
EPSS Низкий

Описание

In the Linux kernel, the following vulnerability has been resolved: vsock: Ignore signal/timeout on connect() if already established During connect(), acting on a signal/timeout by disconnecting an already established socket leads to several issues:

  1. connect() invoking vsock_transport_cancel_pkt() -> virtio_transport_purge_skbs() may race with sendmsg() invoking virtio_transport_get_credit(). This results in a permanently elevated vvs->bytes_unsent. Which, in turn, confuses the SOCK_LINGER handling.
  2. connect() resetting a connected socket's state may race with socket being placed in a sockmap. A disconnected socket remaining in a sockmap breaks sockmap's assumptions. And gives rise to WARNs.
  3. connect() transitioning SS_CONNECTED -> SS_UNCONNECTED allows for a transport change/drop after TCP_ESTABLISHED. Which poses a problem for any simultaneous sendmsg() or connect() and may result in a use-after-free/null-ptr-deref. Do not disconnect socket on signal/timeout. Keep the logic for unconnected sockets: they don't linger, can't be placed in a sockmap, are rejected by sendmsg(). [1]: https://lore.kernel.org/netdev/e07fd95c-9a38-4eea-9638-133e38c2ec9b@rbox.co/ [2]: https://lore.kernel.org/netdev/20250317-vsock-trans-signal-race-v4-0-fc8837f3f1d4@rbox.co/ [3]: https://lore.kernel.org/netdev/60f1b7db-3099-4f6a-875e-af9f6ef194f6@rbox.co/

    A flaw was found in the Linux kernel's vsock component. This vulnerability occurs when a connect() operation on an already established socket is interrupted by a signal or timeout, causing the system to mishandle the socket's state. This incorrect handling can lead to a race condition, potentially resulting in memory corruption, such as a use-after-free or null-pointer dereference. A local attacker could exploit this to cause a denial of service or potentially escalate privileges.

Отчет

This vulnerability is rated Important for Red Hat Enterprise Linux 7, 8, 9, and 10. A flaw in the Linux kernel's vsock component allows a local attacker to cause memory corruption, potentially leading to a denial of service or privilege escalation. This occurs when a connect() operation on an established socket is interrupted by a signal or timeout, leading to an incorrect handling of the socket's state.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 6kernelNot affected
Red Hat Enterprise Linux 9kernel-rtAffected
Red Hat Enterprise Linux 10kernelFixedRHSA-2026:169002.02.2026
Red Hat Enterprise Linux 10.0 Extended Update SupportkernelFixedRHSA-2026:172702.02.2026
Red Hat Enterprise Linux 7 Extended Lifecycle Supportkernel-rtFixedRHSA-2026:162302.02.2026
Red Hat Enterprise Linux 7 Extended Lifecycle SupportkernelFixedRHSA-2026:158129.01.2026
Red Hat Enterprise Linux 8kernel-rtFixedRHSA-2026:114826.01.2026
Red Hat Enterprise Linux 8kernelFixedRHSA-2026:114226.01.2026
Red Hat Enterprise Linux 8kpatch-patchFixedRHSA-2026:384805.03.2026
Red Hat Enterprise Linux 8.2 Advanced Update SupportkernelFixedRHSA-2026:151228.01.2026

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important
Дефект:
CWE-364
https://bugzilla.redhat.com/show_bug.cgi?id=2418872kernel: Linux kernel: vsock vulnerability may lead to memory corruption

EPSS

Процентиль: 16%
0.00053
Низкий

7 High

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2025-40248

ubuntu
4 месяца назад

In the Linux kernel, the following vulnerability has been resolved: vsock: Ignore signal/timeout on connect() if already established During connect(), acting on a signal/timeout by disconnecting an already established socket leads to several issues: 1. connect() invoking vsock_transport_cancel_pkt() -> virtio_transport_purge_skbs() may race with sendmsg() invoking virtio_transport_get_credit(). This results in a permanently elevated `vvs->bytes_unsent`. Which, in turn, confuses the SOCK_LINGER handling. 2. connect() resetting a connected socket's state may race with socket being placed in a sockmap. A disconnected socket remaining in a sockmap breaks sockmap's assumptions. And gives rise to WARNs. 3. connect() transitioning SS_CONNECTED -> SS_UNCONNECTED allows for a transport change/drop after TCP_ESTABLISHED. Which poses a problem for any simultaneous sendmsg() or connect() and may result in a use-after-free/null-ptr-deref. Do not disconnect socket on signal/timeout. Keep the logi...

nvd логотип

CVE-2025-40248

nvd
4 месяца назад

In the Linux kernel, the following vulnerability has been resolved: vsock: Ignore signal/timeout on connect() if already established During connect(), acting on a signal/timeout by disconnecting an already established socket leads to several issues: 1. connect() invoking vsock_transport_cancel_pkt() -> virtio_transport_purge_skbs() may race with sendmsg() invoking virtio_transport_get_credit(). This results in a permanently elevated `vvs->bytes_unsent`. Which, in turn, confuses the SOCK_LINGER handling. 2. connect() resetting a connected socket's state may race with socket being placed in a sockmap. A disconnected socket remaining in a sockmap breaks sockmap's assumptions. And gives rise to WARNs. 3. connect() transitioning SS_CONNECTED -> SS_UNCONNECTED allows for a transport change/drop after TCP_ESTABLISHED. Which poses a problem for any simultaneous sendmsg() or connect() and may result in a use-after-free/null-ptr-deref. Do not disconnect socket on si

msrc логотип

CVE-2025-40248

CVSS3: 6.3
msrc
4 месяца назад

vsock: Ignore signal/timeout on connect() if already established

debian логотип

CVE-2025-40248

debian
4 месяца назад

In the Linux kernel, the following vulnerability has been resolved: v ...

github логотип

GHSA-j4rg-4m7w-4hr3

github
4 месяца назад

In the Linux kernel, the following vulnerability has been resolved: vsock: Ignore signal/timeout on connect() if already established During connect(), acting on a signal/timeout by disconnecting an already established socket leads to several issues: 1. connect() invoking vsock_transport_cancel_pkt() -> virtio_transport_purge_skbs() may race with sendmsg() invoking virtio_transport_get_credit(). This results in a permanently elevated `vvs->bytes_unsent`. Which, in turn, confuses the SOCK_LINGER handling. 2. connect() resetting a connected socket's state may race with socket being placed in a sockmap. A disconnected socket remaining in a sockmap breaks sockmap's assumptions. And gives rise to WARNs. 3. connect() transitioning SS_CONNECTED -> SS_UNCONNECTED allows for a transport change/drop after TCP_ESTABLISHED. Which poses a problem for any simultaneous sendmsg() or connect() and may result in a use-after-free/null-ptr-deref. Do not disconnect socket on...

EPSS

Процентиль: 16%
0.00053
Низкий

7 High

CVSS3