CVE-2025-21731
Published: 27 February 2025
Summary
CVE-2025-21731 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability is ranked at the 8.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Deeper analysis
CVE-2025-21731 is a Use-After-Free (UAF) vulnerability (CWE-416) in the Linux kernel's Network Block Device (NBD) module. It arises from a race condition in the netlink interface that handles disconnect and reconfigure operations. Specifically, a process can temporarily hold a reference to the nbd_config structure, trigger nbd_genl_disconnect(), which flushes the recv_workqueue tasks and drops the device's initial reference (the count does not reach zero because of the temporary hold), then invoke nbd_genl_reconfigure() to queue new recv_work tasks on the now-inconsistent config, and finally release the held reference. The queued recv_work then accesses the freed nbd_config, including atomic operations on its recv_threads counter. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges (PR:L) can exploit this vulnerability because the attack complexity is low and no user interaction is required. By orchestrating the described race (holding a temporary nbd_config reference, disconnecting via nbd_genl_disconnect(), reconfiguring via nbd_genl_reconfigure() so that recv_work is queued, and then releasing the reference), the attacker triggers the UAF. Successful exploitation could allow arbitrary code execution, data corruption, or system crashes, with high impact on confidentiality, integrity, and availability.
Mitigation is provided through kernel patches available in stable trees, as detailed in the referenced commits. The fix modifies nbd_genl_disconnect to clear the NBD_RT_BOUND flag, ensuring that subsequent nbd_genl_reconfigure calls fail after a disconnect and preventing the queuing of recv_work on a potentially freed config. Security practitioners should apply these patches to affected Linux kernels supporting the NBD module.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5235
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

nbd: don't allow reconnect after disconnect

Following process can cause nbd_config UAF:

1) grab nbd_config temporarily;

2) nbd_genl_disconnect() flush all recv_work() and release the initial reference:

   nbd_genl_disconnect
    nbd_disconnect_and_put
     nbd_disconnect
      flush_workqueue(nbd->recv_workq)
     if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF, ...))
      nbd_config_put
      -> due to step 1), reference is still not zero

3) nbd_genl_reconfigure() queue recv_work() again;

   nbd_genl_reconfigure
    config = nbd_get_config_unlocked(nbd)
    if (!config)
    -> succeed
    if (!test_bit(NBD_RT_BOUND, ...))
    -> succeed
    nbd_reconnect_socket
     queue_work(nbd->recv_workq, &args->work)

4) step 1) release the reference;

5) Finally, recv_work() will trigger UAF:

   recv_work
    nbd_config_put(nbd)
    -> nbd_config is freed
    atomic_dec(&config->recv_threads)
    -> UAF

Fix the problem by clearing NBD_RT_BOUND in nbd_genl_disconnect(), so that nbd_genl_reconfigure() will fail.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A local use-after-free in the Linux kernel's NBD module allows a low-privileged attacker to reach arbitrary code execution through a race between netlink disconnect and reconfigure operations, which directly enables privilege escalation to root.
Mitigating Controls (NIST 800-53 r5)
Timely application of kernel patches directly remediates the UAF flaw in the NBD module caused by the disconnect-reconnect race condition.
Kernel memory protection mechanisms like address space layout randomization and stack canaries mitigate exploitation of the UAF even on unpatched systems.
Restricting or prohibiting non-essential kernel modules like NBD reduces the attack surface for this local privilege escalation vulnerability.