Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-68372— nbd: defer config put in recv_work

EPSS 0.07% · P21
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2025-68372

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
nbd: defer config put in recv_work
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: nbd: defer config put in recv_work There is one uaf issue in recv_work when running NBD_CLEAR_SOCK and NBD_CMD_RECONFIGURE: nbd_genl_connect // conf_ref=2 (connect and recv_work A) nbd_open // conf_ref=3 recv_work A done // conf_ref=2 NBD_CLEAR_SOCK // conf_ref=1 nbd_genl_reconfigure // conf_ref=2 (trigger recv_work B) close nbd // conf_ref=1 recv_work B config_put // conf_ref=0 atomic_dec(&config->recv_threads); -> UAF Or only running NBD_CLEAR_SOCK: nbd_genl_connect // conf_ref=2 nbd_open // conf_ref=3 NBD_CLEAR_SOCK // conf_ref=2 close nbd nbd_release config_put // conf_ref=1 recv_work config_put // conf_ref=0 atomic_dec(&config->recv_threads); -> UAF Commit 87aac3a80af5 ("nbd: call nbd_config_put() before notifying the waiter") moved nbd_config_put() to run before waking up the waiter in recv_work, in order to ensure that nbd_start_device_ioctl() would not be woken up while nbd->task_recv was still uncleared. However, in nbd_start_device_ioctl(), after being woken up it explicitly calls flush_workqueue() to make sure all current works are finished. Therefore, there is no need to move the config put ahead of the wakeup. Move nbd_config_put() to the end of recv_work, so that the reference is held for the whole lifetime of the worker thread. This makes sure the config cannot be freed while recv_work is still running, even if clear + reconfigure interleave. In addition, we don't need to worry about recv_work dropping the last nbd_put (which causes deadlock): path A (netlink with NBD_CFLAG_DESTROY_ON_DISCONNECT): connect // nbd_refs=1 (trigger recv_work) open nbd // nbd_refs=2 NBD_CLEAR_SOCK close nbd nbd_release nbd_disconnect_and_put flush_workqueue // recv_work done nbd_config_put nbd_put // nbd_refs=1 nbd_put // nbd_refs=0 queue_work path B (netlink without NBD_CFLAG_DESTROY_ON_DISCONNECT): connect // nbd_refs=2 (trigger recv_work) open nbd // nbd_refs=3 NBD_CLEAR_SOCK // conf_refs=2 close nbd nbd_release nbd_config_put // conf_refs=1 nbd_put // nbd_refs=2 recv_work done // conf_refs=0, nbd_refs=1 rmmod // nbd_refs=0 Depends-on: e2daec488c57 ("nbd: Fix hungtask when nbd_config_put")
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于recv_work中配置释放时机不当,可能导致释放后重用。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux 87aac3a80af5cbad93e63250e8a1e19095ba0d30 ~ 198aa230a6f8c1f6af7ed26b29180749c3e79e4d -
LinuxLinux 5.10 -

II. Public POCs for CVE-2025-68372

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2025-68372

登录查看更多情报信息。

Same Patch Batch · Linux · 2025-12-24 · 322 CVEs total

CVE-2022-50755udf: Avoid double brelse() in udf_rename()
CVE-2022-50765RISC-V: kexec: Fix memory leak of elf header buffer
CVE-2022-50764ipv6/sit: use DEV_STATS_INC() to avoid data-races
CVE-2022-50763crypto: marvell/octeontx - prevent integer overflows
CVE-2022-50762fs/ntfs3: Avoid UBSAN error on true_sectors_per_clst()
CVE-2022-50760drm/amdgpu: Fix PCI device refcount leak in amdgpu_atrm_get_bios()
CVE-2022-50761x86/xen: Fix memory leak in xen_init_lock_cpu()
CVE-2022-50759media: i2c: ov5648: Free V4L2 fwnode data on unbind
CVE-2022-50758staging: vt6655: fix potential memory leak
CVE-2022-50756nvme-pci: fix mempool alloc size
CVE-2022-50757media: camss: Clean up received buffers on failed start of streaming
CVE-2022-50749acct: fix potential integer overflow in encode_comp_t()
CVE-2022-50746erofs: validate the extent length for uncompressed pclusters
CVE-2022-50747hfs: Fix OOB Write in hfs_asc2mac
CVE-2022-50748ipc: mqueue: fix possible memory leak in init_mqueue_fs()
CVE-2022-50750drm/panel/panel-sitronix-st7701: Remove panel on DSI attach failure
CVE-2022-50752md/raid5: Remove unnecessary bio_put() in raid5_read_one_chunk()
CVE-2022-50753f2fs: fix to do sanity check on summary info
CVE-2022-50754apparmor: fix a memleak in multi_transaction_new()
CVE-2022-50766btrfs: set generation before calling btrfs_clean_tree_block in btrfs_init_new_buffer

Showing top 20 of 322 CVEs. View all on vendor page → →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2025-68372

No comments yet

Leave a comment