Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-21756 PoC — vsock: Keep the binding until socket destruction

Source
https://github.com/hoefler02/CVE-2025-21756
Associated Vulnerability
Title:vsock: Keep the binding until socket destruction (CVE-2025-21756)
Description:In the Linux kernel, the following vulnerability has been resolved: vsock: Keep the binding until socket destruction Preserve sockets bindings; this includes both resulting from an explicit bind() and those implicitly bound through autobind during connect(). Prevents socket unbinding during a transport reassignment, which fixes a use-after-free: 1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2) 2. transport->release() calls vsock_remove_bound() without checking if sk was bound and moved to bound list (refcnt=1) 3. vsock_bind() assumes sk is in unbound list and before __vsock_insert_bound(vsock_bound_sockets()) calls __vsock_remove_bound() which does: list_del_init(&vsk->bound_table); // nop sock_put(&vsk->sk); // refcnt=0 BUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730 Read of size 4 at addr ffff88816b46a74c by task a.out/2057 dump_stack_lvl+0x68/0x90 print_report+0x174/0x4f6 kasan_report+0xb9/0x190 __vsock_bind+0x62e/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Allocated by task 2057: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 __kasan_slab_alloc+0x85/0x90 kmem_cache_alloc_noprof+0x131/0x450 sk_prot_alloc+0x5b/0x220 sk_alloc+0x2c/0x870 __vsock_create.constprop.0+0x2e/0xb60 vsock_create+0xe4/0x420 __sock_create+0x241/0x650 __sys_socket+0xf2/0x1a0 __x64_sys_socket+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 2057: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x60 __kasan_slab_free+0x4b/0x70 kmem_cache_free+0x1a1/0x590 __sk_destruct+0x388/0x5a0 __vsock_bind+0x5e1/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e refcount_t: addition on 0; use-after-free. WARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150 RIP: 0010:refcount_warn_saturate+0xce/0x150 __vsock_bind+0x66d/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e refcount_t: underflow; use-after-free. WARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150 RIP: 0010:refcount_warn_saturate+0xee/0x150 vsock_remove_bound+0x187/0x1e0 __vsock_release+0x383/0x4a0 vsock_release+0x90/0x120 __sock_release+0xa3/0x250 sock_close+0x14/0x20 __fput+0x359/0xa80 task_work_run+0x107/0x1d0 do_exit+0x847/0x2560 do_group_exit+0xb8/0x250 __x64_sys_exit_group+0x3a/0x50 x64_sys_call+0xfec/0x14f0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e
Description
Exploit for CVE-2025-21756 for Linux kernel 6.6.75. My first linux kernel exploit!
File Snapshot

 [4.0K]  /data/pocs/2ad6f361e5dd47030ae6f2e5cd695d284d0a76fb
├── [ 170]  compress.sh
├── [1.7K]  extract-image.sh
├── [  14]  flag.txt
├── [4.0K]  initramfs
│   ├── [4.0K]  bin
│   │   ├── [1.0M]  busybox
│   │   └── [   7]  sh -> busybox
│   ├── [4.0K]  etc
│   │   ├── [4.0K]  init.d
│   │   │   └── [ 410]  rcS
│   │   ├── [  85]  inittab
│   │   ├── [  23]  motd
│   │   └── [  13]  resolv.conf -> /proc/net/pnp
│   ├── [  11]  init -> bin/busybox
│   ├── [  10]  sbin -> ./usr/sbin
│   ├── [4.0K]  usr
│   │   ├── [   6]  bin -> ../bin
│   │   └── [4.0K]  sbin
│   │       ├── [  17]  addgroup -> ../../bin/busybox
│   │       ├── [  17]  add-shell -> ../../bin/busybox
│   │       ├── [  17]  adduser -> ../../bin/busybox
│   │       ├── [  17]  arping -> ../../bin/busybox
│   │       ├── [  17]  brctl -> ../../bin/busybox
│   │       ├── [  17]  chat -> ../../bin/busybox
│   │       ├── [  17]  chpasswd -> ../../bin/busybox
│   │       ├── [  17]  chroot -> ../../bin/busybox
│   │       ├── [  17]  crond -> ../../bin/busybox
│   │       ├── [  17]  delgroup -> ../../bin/busybox
│   │       ├── [  17]  deluser -> ../../bin/busybox
│   │       ├── [  17]  dhcprelay -> ../../bin/busybox
│   │       ├── [  17]  dnsd -> ../../bin/busybox
│   │       ├── [  17]  ether-wake -> ../../bin/busybox
│   │       ├── [  17]  fakeidentd -> ../../bin/busybox
│   │       ├── [  17]  fbset -> ../../bin/busybox
│   │       ├── [  17]  fdformat -> ../../bin/busybox
│   │       ├── [  17]  fsfreeze -> ../../bin/busybox
│   │       ├── [  17]  ftpd -> ../../bin/busybox
│   │       ├── [  17]  httpd -> ../../bin/busybox
│   │       ├── [  17]  i2cdetect -> ../../bin/busybox
│   │       ├── [  17]  i2cdump -> ../../bin/busybox
│   │       ├── [  17]  i2cget -> ../../bin/busybox
│   │       ├── [  17]  i2cset -> ../../bin/busybox
│   │       ├── [  17]  i2ctransfer -> ../../bin/busybox
│   │       ├── [  17]  ifplugd -> ../../bin/busybox
│   │       ├── [  17]  inetd -> ../../bin/busybox
│   │       ├── [  17]  killall5 -> ../../bin/busybox
│   │       ├── [  17]  loadfont -> ../../bin/busybox
│   │       ├── [  17]  lpd -> ../../bin/busybox
│   │       ├── [  17]  mim -> ../../bin/busybox
│   │       ├── [  17]  nanddump -> ../../bin/busybox
│   │       ├── [  17]  nandwrite -> ../../bin/busybox
│   │       ├── [  17]  nbd-client -> ../../bin/busybox
│   │       ├── [  17]  nologin -> ../../bin/busybox
│   │       ├── [  17]  ntpd -> ../../bin/busybox
│   │       ├── [  17]  partprobe -> ../../bin/busybox
│   │       ├── [  17]  popmaildir -> ../../bin/busybox
│   │       ├── [  17]  powertop -> ../../bin/busybox
│   │       ├── [  17]  rdate -> ../../bin/busybox
│   │       ├── [  17]  rdev -> ../../bin/busybox
│   │       ├── [  17]  readahead -> ../../bin/busybox
│   │       ├── [  17]  readprofile -> ../../bin/busybox
│   │       ├── [  17]  remove-shell -> ../../bin/busybox
│   │       ├── [  17]  rtcwake -> ../../bin/busybox
│   │       ├── [  17]  seedrng -> ../../bin/busybox
│   │       ├── [  17]  sendmail -> ../../bin/busybox
│   │       ├── [  17]  setfont -> ../../bin/busybox
│   │       ├── [  17]  setlogcons -> ../../bin/busybox
│   │       ├── [  17]  svlogd -> ../../bin/busybox
│   │       ├── [  17]  telnetd -> ../../bin/busybox
│   │       ├── [  17]  tftpd -> ../../bin/busybox
│   │       ├── [  17]  ubiattach -> ../../bin/busybox
│   │       ├── [  17]  ubidetach -> ../../bin/busybox
│   │       ├── [  17]  ubimkvol -> ../../bin/busybox
│   │       ├── [  17]  ubirename -> ../../bin/busybox
│   │       ├── [  17]  ubirmvol -> ../../bin/busybox
│   │       ├── [  17]  ubirsvol -> ../../bin/busybox
│   │       ├── [  17]  ubiupdatevol -> ../../bin/busybox
│   │       └── [  17]  udhcpd -> ../../bin/busybox
│   └── [764K]  x
├── [116K]  lts-6.6.75.config
├── [219K]  pwned.gif
├── [ 288]  readme.md
├── [ 323]  run.sh
└── [9.6K]  x.c

8 directories, 76 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →