
CVE-2025-21731

Severity: High
Published: 27 February 2025
Modified: 03 November 2025
KEV Added: not listed (not in the CISA KEV catalog)
Patch: available (fixed upstream and in stable trees)
CVSS v3.1: 7.8 (High) CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.0003 (8.5th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-21731 is a high-severity use-after-free (CWE-416) in the Linux kernel (vendor: linux, product: linux kernel), specifically in the Network Block Device (NBD) driver. Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 8.5th percentile for exploit likelihood, well below the median, and it is not listed in the CISA KEV catalog.

Our analysis identifies the strongest mitigations as NIST 800-53 SI-2 (Flaw Remediation), that is, applying the stable backport, and CM-7 (Least Functionality), that is, not loading the nbd module where network block devices are not needed.

Deeper analysis

CVE-2025-21731 is a use-after-free (CWE-416) in the Linux kernel's Network Block Device (NBD) driver, drivers/block/nbd.c. It is an object-lifetime bug in the generic netlink (genetlink) control path, reached by interleaving disconnect and reconfigure requests. Step by step: some other path temporarily holds a reference to the nbd_config; nbd_genl_disconnect() flushes recv_workqueue, so every running recv_work() finishes, and then drops the initial reference tracked by NBD_RT_HAS_CONFIG_REF, but because of the temporary reference the count does not reach zero and nbd_config stays allocated; nbd_genl_reconfigure() then still finds a config with NBD_RT_BOUND set, passes its checks, and queues a fresh recv_work(), which takes its own reference; the temporary reference is released; finally the new recv_work() drops its own reference with nbd_config_put(), which is now the last one and frees nbd_config, and then executes atomic_dec(&config->recv_threads) through its stale pointer. The window exists because the driver relied on the disconnect-time flush to guarantee that no worker outlives the initial reference, and a reconfigure after disconnect reintroduces a worker after that flush. The CVSS v3.1 base score is 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

The CVSS vector rates the attack as local, low complexity, no user interaction and low privileges (PR:L). One caveat a practitioner should check before accepting that rating: the nbd genetlink handlers for connect, disconnect and reconfigure each begin with netlink_capable(skb, CAP_SYS_ADMIN), so the race is only reachable by a caller that already holds CAP_SYS_ADMIN in the initial user namespace, in practice root, an nbd-client helper, or automation that drives nbd devices; confirm this against the nbd.c in your tree. For such a caller the ordering of the disconnect and reconfigure requests is under their control, which is why the rating is low complexity despite this being a race. A kernel-heap use-after-free with an atomic write on freed memory gives the usual outcomes: a crash (availability), slab corruption, and, with heap grooming, a path to arbitrary kernel code execution, hence the high impacts on confidentiality, integrity and availability.

The fix is the upstream commit "nbd: don't allow reconnect after disconnect", backported to the stable trees (see the referenced commits): nbd_genl_disconnect() now clears NBD_RT_BOUND, so a later nbd_genl_reconfigure() fails its NBD_RT_BOUND check and never queues recv_work() on a config that is about to be freed. To verify a kernel, look for the NBD_RT_BOUND clear in nbd_genl_disconnect() in the source, or check the distribution's changelog for CVE-2025-21731; distribution kernels often carry the backport without a version-number change. Where NBD is not needed, blacklisting the module removes the attack surface entirely.


Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

nbd: don't allow reconnect after disconnect

Following process can cause nbd_config UAF:

1) grab nbd_config temporarily;

2) nbd_genl_disconnect() flush all recv_work() and release the initial reference:

  nbd_genl_disconnect
   nbd_disconnect_and_put
    nbd_disconnect
    flush_workqueue(nbd->recv_workq)
    if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF, ...))
     nbd_config_put
     -> due to step 1), reference is still not zero

3) nbd_genl_reconfigure() queue recv_work() again;

  nbd_genl_reconfigure
   config = nbd_get_config_unlocked(nbd)
   if (!config)
   -> succeed
   if (!test_bit(NBD_RT_BOUND, ...))
   -> succeed
   nbd_reconnect_socket
    queue_work(nbd->recv_workq, &args->work)

4) step 1) release the reference;

5) Finally, recv_work() will trigger UAF:

  recv_work
   nbd_config_put(nbd)
   -> nbd_config is freed
   atomic_dec(&config->recv_threads)
   -> UAF

Fix the problem by clearing NBD_RT_BOUND in nbd_genl_disconnect(), so that nbd_genl_reconfigure() will fail.
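The following is an added model written for this page; it is not kernel code and not part of the CVE record. It replays steps 1) to 5) of the commit message in user space, for both the Deeper analysis walkthrough and the commit message above. The reference count on the device, the NBD_RT_BOUND and NBD_RT_HAS_CONFIG_REF bits and the function names follow drivers/block/nbd.c, but the structures, the fixed-size workqueue array and the freed flag are simplifications of my own: freeing is modelled by setting a flag so that the worker's stale access is counted instead of executed. Running the sequence with the fix disabled shows one access to a freed config; with the fix enabled, reconfigure fails with -EINVAL and no worker is queued.

```c
#include <errno.h>
#include <stdio.h>

/*
 * Constructed model of the nbd_config lifecycle (not kernel code).
 * Names follow drivers/block/nbd.c; the workqueue and the freed flag
 * are simplifications so the stale access can be counted safely.
 */
#define NBD_RT_BOUND          (1u << 0)
#define NBD_RT_HAS_CONFIG_REF (1u << 1)
#define MAX_WORK 4

struct nbd_config {
    unsigned runtime_flags;
    int recv_threads;   /* atomic_t recv_threads in the driver */
    int freed;          /* model only: set by the last nbd_config_put() */
};

struct nbd_device {
    struct nbd_config *config;
    int config_refs;    /* refcount_t config_refs in the driver */
    /* nbd->recv_workq: pending recv_work() items, each holding one reference */
    struct nbd_config *workq[MAX_WORK];
    int nwork;
};

static void nbd_config_put(struct nbd_device *nbd)
{
    if (--nbd->config_refs == 0) {
        nbd->config->freed = 1;   /* kfree(config) in the driver */
        nbd->config = NULL;
    }
}

/* Drain the workqueue; returns how many workers touched a freed config. */
static int flush_recv_workq(struct nbd_device *nbd)
{
    int uaf = 0;
    while (nbd->nwork > 0) {
        /* recv_work(): the config pointer it read at entry */
        struct nbd_config *config = nbd->workq[--nbd->nwork];
        nbd_config_put(nbd);          /* drops the worker's own reference, possibly the last */
        if (config->freed)
            uaf++;                    /* atomic_dec(&config->recv_threads) on freed memory */
        else
            config->recv_threads--;
    }
    return uaf;
}

/* nbd_genl_disconnect(): drain the workers, then drop the initial reference. */
static void nbd_genl_disconnect(struct nbd_device *nbd, int fixed)
{
    struct nbd_config *config = nbd->config;
    flush_recv_workq(nbd);
    if (config->runtime_flags & NBD_RT_HAS_CONFIG_REF) {
        config->runtime_flags &= ~NBD_RT_HAS_CONFIG_REF;
        if (fixed)
            config->runtime_flags &= ~NBD_RT_BOUND;  /* the fix: no reconfigure after disconnect */
        nbd_config_put(nbd);
    }
}

/* nbd_genl_reconfigure(): 0 on success, -EINVAL when not configured or not bound. */
static int nbd_genl_reconfigure(struct nbd_device *nbd)
{
    struct nbd_config *config = nbd->config;   /* nbd_get_config_unlocked() */
    if (!config)
        return -EINVAL;
    if (!(config->runtime_flags & NBD_RT_BOUND))
        return -EINVAL;
    if (nbd->nwork == MAX_WORK)
        return -EINVAL;                        /* model limit, not driver behaviour */
    /* nbd_reconnect_socket(): the new worker takes its own reference and is queued */
    nbd->config_refs++;
    config->recv_threads++;
    nbd->workq[nbd->nwork++] = config;
    return 0;
}

/* Steps 1) to 5) of the commit message. Returns the number of freed-config
 * accesses; stores the reconfigure result in *rc when rc is non-NULL. */
static int reconnect_after_disconnect(int fixed, int *rc)
{
    struct nbd_config cfg = { .runtime_flags = NBD_RT_BOUND | NBD_RT_HAS_CONFIG_REF };
    struct nbd_device nbd = { .config = &cfg, .config_refs = 1 };
    int r, uaf;

    nbd.config_refs++;                    /* 1) someone grabs nbd_config temporarily */
    nbd_genl_disconnect(&nbd, fixed);     /* 2) drains workers, drops initial ref; count stays > 0 */
    r = nbd_genl_reconfigure(&nbd);       /* 3) unfixed: BOUND still set, a worker is queued */
    nbd_config_put(&nbd);                 /* 4) step 1 releases its reference */
    uaf = flush_recv_workq(&nbd);         /* 5) the worker's own put is the last one */
    if (rc)
        *rc = r;
    return uaf;
}

int uaf_count(int fixed) { return reconnect_after_disconnect(fixed, NULL); }
int reconfigure_rc(int fixed) { int rc; reconnect_after_disconnect(fixed, &rc); return rc; }

int main(void)
{
    printf("unfixed: reconfigure rc=%d, freed-config accesses=%d\n", reconfigure_rc(0), uaf_count(0));
    printf("fixed:   reconfigure rc=%d, freed-config accesses=%d\n", reconfigure_rc(1), uaf_count(1));
    return 0;
}
```

The point the model makes explicit is that the worker's own reference becomes the last one only because it was queued after the disconnect-time flush; clearing NBD_RT_BOUND does not change any refcounting, it just refuses the request that creates such a worker.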

CWE(s)

CWE-416 Use After Free

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why this technique?

A local use-after-free in the Linux kernel's NBD driver lets a caller who can issue nbd netlink disconnect and reconfigure requests trigger a kernel memory-safety bug, which maps to exploitation for privilege escalation. The nbd genetlink handlers check netlink_capable(skb, CAP_SYS_ADMIN) before doing anything, so the set of local principals who can reach the race is narrower than "any low-privileged user"; the escalation in scope is from a capability-holding but confined process to full kernel control.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111 (same product: Linux kernel)
CVE-2026-31530 (same product: Linux kernel)
CVE-2026-43019 (same product: Linux kernel)
CVE-2026-23158 (same product: Linux kernel)
CVE-2025-21893 (same product: Linux kernel)
CVE-2026-31446 (same product: Linux kernel)
CVE-2026-31650 (same product: Linux kernel)
CVE-2026-23001 (same product: Linux kernel)
CVE-2024-50051 (same product: Linux kernel)
CVE-2025-21759 (same product: Linux kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Versions: 4.12 to 5.4.291; 5.5 to 5.10.235; 5.11 to 5.15.179

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation (prevent)
Timely application of the kernel patch removes the disconnect/reconfigure race in the NBD driver. On distribution kernels, verify the backport through the changelog rather than the version string.

Memory protection (prevent)
Kernel hardening such as KASLR and slab hardening options (freelist hardening, init_on_free) raises the cost of turning this use-after-free into code execution on an unpatched system, but does not stop the stale access itself; stack canaries protect stack frames and are not relevant to a heap use-after-free.

CM-7 Least Functionality (prevent)
Where network block devices are not used, blacklisting the nbd module and preventing its on-demand loading removes the vulnerable genetlink interface, and with it the local attack surface.
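The following is an added script written for this page, not part of the CVE record or of any kernel tool. It ties the Affected Assets version ranges to the CM-7 control: it checks a kernel version string against the three ranges listed above, reports whether the nbd module is loaded, built in or absent, and can write a modprobe.d drop-in that stops nbd from loading. Assumptions to note: the range endpoints are treated as inclusive (the conservative reading of how the page prints them; confirm the first fixed release in the stable changelog before relying on the boundary), a version outside the listed 4.x and 5.x ranges is reported as "not listed" rather than "fixed" because other stable series are not on this page's asset list, and the drop-in file name disable-nbd.conf is my own choice.

```sh
#!/bin/sh
# Added example for CVE-2025-21731 (not kernel or CVE-record code).
# Functions only; the report at the bottom is read-only.

# vercmp A B: prints -1, 0 or 1 as dotted version A is <, == or > B.
# Missing components count as 0, so "5.4" == "5.4.0".
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) { print "-1"; exit }
            if (p > q) { print "1"; exit }
        }
        print "0"
    }'
}

# in_range VER LO HI: true when LO <= VER <= HI (inclusive at both ends).
in_range() {
    [ "$(vercmp "$1" "$2")" -ge 0 ] && [ "$(vercmp "$1" "$3")" -le 0 ]
}

# kernel_base: strip a distro suffix ("5.15.0-91-generic" -> "5.15.0").
kernel_base() {
    printf '%s\n' "$1" | sed 's/[^0-9.].*//'
}

# listed_affected VER: true when VER falls in a range listed on this page.
# False means "not in the listed 4.x/5.x ranges", not "fixed".
listed_affected() {
    v=$(kernel_base "$1")
    in_range "$v" 4.12 5.4.291 ||
    in_range "$v" 5.5 5.10.235 ||
    in_range "$v" 5.11 5.15.179
}

# nbd_state: loaded (listed in /proc/modules), builtin (present in /sys/module
# without a /proc/modules entry; nbd has parameters, so it appears there), or absent.
nbd_state() {
    if grep -qs '^nbd ' /proc/modules; then echo loaded
    elif [ -d /sys/module/nbd ]; then echo builtin
    else echo absent; fi
}

# blacklist_nbd [DIR]: CM-7 control. Writes a modprobe.d drop-in; "install nbd
# /bin/false" also defeats an explicit modprobe, "blacklist" stops alias loading.
# DIR defaults to /etc/modprobe.d (needs root); pass a scratch dir to preview.
blacklist_nbd() {
    dir=${1:-/etc/modprobe.d}
    printf 'install nbd /bin/false\nblacklist nbd\n' > "$dir/disable-nbd.conf"
}

report() {
    k=$(uname -r)
    if listed_affected "$k"; then
        echo "$k: in a range listed as affected by CVE-2025-21731"
    else
        echo "$k: not in the ranges listed on this page (check your stable series separately)"
    fi
    echo "nbd module: $(nbd_state)"
}

report
```

A version-range check is a triage aid only: distribution kernels such as 5.15.0-91-generic carry backports without changing the base version, so on those the authoritative check is the vendor changelog entry for CVE-2025-21731. If nbd is currently loaded and no /dev/nbd* device is in use, modprobe -r nbd after writing the drop-in takes the interface away immediately; a built-in nbd cannot be removed this way and needs the patch.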
