Linux Kernel Flaw Boosts Privileges via VSOCK

Security researchers have demonstrated a working exploit for CVE-2025-21756, a use-after-free vulnerability in the Linux kernel. The bug is in the implementation of AF_VSOCK sockets, which provide network communication between guest systems and hosts. The published exploit achieves root code execution on systems running Linux kernel 6.6.75; it needs adjustment to work on other kernel versions.

The vulnerability was fixed in Linux kernel 6.14 and in the February and March updates to the stable releases 12.12.16, 6.6.79, and 6.1.131. Fixes have also been shipped in the kernel packages for RHEL, SUSE/openSUSE, Ubuntu, and Debian 12. The issue remains unresolved in Debian 11.

The vulnerability arises when the transport of an AF_VSOCK socket is reassigned: this triggers vsock_remove_sock(), which in turn calls vsock_remove_bound(). That call incorrectly drops a reference to the vsock object, allowing the reference counter to reach zero. Consequently,
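As an added illustration (not from the article or the kernel source), the following user-space C model of the reference handling just described shows why unbinding during transport reassignment is wrong: the bound table owns a reference, and dropping it while the socket is still open leaves the count one lower than it should be. The structure and function names are simplified stand-ins for the kernel's, and the fixed path follows the approach of keeping the binding until the socket is destroyed.

```c
/* Constructed user-space model of the AF_VSOCK reference-count bug; not kernel code. */
#include <stdbool.h>

struct vsock_model {
    int refcnt;   /* models the socket's reference counter */
    bool bound;   /* models membership in the bound table */
};

static void sock_put_model(struct vsock_model *vsk)
{
    vsk->refcnt--;          /* at zero the real object would be freed */
}

static void vsock_bind_model(struct vsock_model *vsk)
{
    vsk->bound = true;
    vsk->refcnt++;          /* the bound-table entry owns one reference */
}

static void vsock_remove_bound_model(struct vsock_model *vsk)
{
    if (!vsk->bound)
        return;
    vsk->bound = false;
    sock_put_model(vsk);    /* entry removed, so its reference is dropped */
}

/* Called on transport reassignment. Unfixed: also unbinds the socket, dropping
 * a reference the still-open socket depends on. Fixed: the binding and its
 * reference survive until the socket is destroyed. */
static void vsock_remove_sock_model(struct vsock_model *vsk, bool fixed)
{
    if (!fixed)
        vsock_remove_bound_model(vsk);
    /* removal from the connected table omitted in this model */
}

/* Socket destruction in the fixed flow: this is where the binding is released. */
void vsock_destruct_model(struct vsock_model *vsk)
{
    vsock_remove_bound_model(vsk);
    sock_put_model(vsk);    /* the open file's own reference */
}

/* Reference count of a bound, still-open socket after transport reassignment. */
int refs_after_reassign(bool fixed)
{
    struct vsock_model vsk = { .refcnt = 1, .bound = false }; /* 1 = open file */
    vsock_bind_model(&vsk);
    vsock_remove_sock_model(&vsk, fixed);
    return vsk.refcnt;
}
```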
