CVE-2025-40214
Description
In the Linux kernel, the following vulnerability has been resolved:
af_unix: Initialise scc_index in unix_add_edge().
Quang Le reported that the AF_UNIX GC could garbage-collect a receive queue of an alive in-flight socket, with a nice repro.
The repro consists of three stages.
1) 1-a. Create a single cyclic reference with many sockets 1-b. close() all sockets 1-c. Trigger GC
2) 2-a. Pass sk-A to an embryo sk-B 2-b. Pass sk-X to sk-X 2-c. Trigger GC
3) 3-a. accept() the embryo sk-B 3-b. Pass sk-B to sk-C 3-c. close() the in-flight sk-A 3-d. Trigger GC
As of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices, and unix_walk_scc() groups them into two different SCCs:
unix_sk(sk-A)->vertex->scc_index = 2 (UNIX_VERTEX_INDEX_START) unix_sk(sk-X)->vertex->scc_index = 3
Once GC completes, unix_graph_grouped is set to true. Also, unix_graph_maybe_cyclic is set to true due to sk-X's cyclic self-reference, which makes close() trigger GC.
At 3-b, unix_add_edge() allocates unix_sk(sk-B)->vertex and links it to unix_unvisited_vertices.
unix_update_graph() is called at 3-a. and 3-b., but neither unix_graph_grouped nor unix_graph_maybe_cyclic is changed because both sk-B's listener and sk-C are not in-flight.
3-c decrements sk-A's file refcnt to 1.
Since unix_graph_grouped is true at 3-d, unix_walk_scc_fast() is finally called and iterates 3 sockets sk-A, sk-B, and sk-X:
sk-A -> sk-B (-> sk-C) sk-X -> sk-X
This is totally fine. All of them are not yet close()d and should be grouped into different SCCs.
However, unix_vertex_dead() misjudges that sk-A and sk-B are in the same SCC and sk-A is dead.
unix_sk(sk-A)->scc_index == unix_sk(sk-B)->scc_index <-- Wrong! && sk-A's file refcnt == unix_sk(sk-A)->vertex->out_degree ^-- 1 in-flight count for sk-B -> sk-A is dead !?
The problem is that unix_add_edge() does not initialise scc_index.
Stage 1) is used for heap spraying, making a newly allocated vertex have vertex->scc_index == 2 (UNIX_VERTEX_INDEX_START) set by unix_walk_scc() at 1-c.
Let's track the max SCC index from the previous unix_walk_scc() call and assign the max + 1 to a new vertex's scc_index.
This way, we can continue to avoid Tarjan's algorithm while preventing misjudgments.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
58- osv-coords56 versionspkg:linux/kernelpkg:rpm/opensuse/dtb-aarch64&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-64kb&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-azure&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-default-base&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-default&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-docs&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-kvmsmall&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-obs-build&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-obs-qa&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-rt&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-source&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-syms&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-zfcpdump&distro=openSUSE%20Leap%2016.0pkg:rpm/suse/kernel-64kb&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/kernel-64kb&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0pkg:rpm/suse/kernel-64kb&distro=SUSE%20Linux%20Micro%206.2pkg:rpm/suse/kernel-azure&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/kernel-azure&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0pkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0pkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Micro%206.2pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2016.0pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Micro%206.2pkg:rpm/suse/kernel-docs&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/kernel-docs&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0pkg:rpm/suse/kernel-kvmsmall&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/kernel-kvmsmall&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0pkg:rpm/suse/kernel-livepatch-SLE16-RT_Update_0&distro=SUSE%20Linux%20Micro%206.2pkg:rpm/suse/kernel-livepatch-SLE16-RT_Update_1&distro=SUSE%20Linux%20Micro%206.2pkg:rpm/suse/kernel-livepatch-SLE16-RT_Update_2&distro=SUSE%20Linux%20Micro%206.2pkg:rpm/suse/kernel-livepatch-SLE16-RT_Update_3&distro=SUSE%20Linux%20Micro%206.2pkg:rpm/suse/kernel-livepatch-SLE16_Update_0&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/kernel-livepatch-SLE16_Update_0&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0pkg:rpm/suse/kernel-livepatch-SLE16_Update_0&distro=SUSE%20Linux%20Micro%206.2pkg:rpm/suse/kernel-livepatch-SLE16_Update_1&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/kernel-livepatch-SLE16_Update_1&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0pkg:rpm/suse/kernel-livepatch-SLE16_Update_1&distro=SUSE%20Linux%20Micro%206.2pkg:rpm/suse/kernel-livepatch-SLE16_Update_2&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/kernel-livepatch-SLE16_Update_2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0pkg:rpm/suse/kernel-livepatch-SLE16_Update_2&distro=SUSE%20Linux%20Micro%206.2pkg:rpm/suse/kernel-livepatch-SLE16_Update_3&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/kernel-livepatch-SLE16_Update_3&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0pkg:rpm/suse/kernel-livepatch-SLE16_Update_3&distro=SUSE%20Linux%20Micro%206.2pkg:rpm/suse/kernel-obs-qa&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/kernel-obs-qa&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0pkg:rpm/suse/kernel-rt&distro=SUSE%20Linux%20Micro%206.2pkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0pkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Micro%206.2pkg:rpm/suse/kernel-syms&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/kernel-syms&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0pkg:rpm/suse/kernel-zfcpdump&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/kernel-zfcpdump&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0
< 6.1.159+ 55 more
- (no CPE)range: < 6.1.159
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1.160000.2.6
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1.160000.2.6
- (no CPE)range: < 6.12.0-160000.9.1.160000.2.6
- (no CPE)range: < 6.12.0-160000.9.1.160000.2.6
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6-160000.3.4
- (no CPE)range: < 5-160000.1.1
- (no CPE)range: < 3-160000.1.1
- (no CPE)range: < 2-160000.1.1
- (no CPE)range: < 8-160000.4.3
- (no CPE)range: < 8-160000.4.3
- (no CPE)range: < 8-160000.4.3
- (no CPE)range: < 6-160000.1.1
- (no CPE)range: < 6-160000.1.1
- (no CPE)range: < 6-160000.1.1
- (no CPE)range: < 4-160000.1.1
- (no CPE)range: < 4-160000.1.1
- (no CPE)range: < 4-160000.1.1
- (no CPE)range: < 3-160000.1.1
- (no CPE)range: < 3-160000.1.1
- (no CPE)range: < 3-160000.1.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
Patches
Vulnerability mechanics
References
7- cert-portal.siemens.com/productcert/html/ssa-253495.htmlnvd
- git.kernel.org/stable/c/1aa7e40ee850c9053e769957ce6541173891204dnvd
- git.kernel.org/stable/c/20003fbb9174121b27bd1da6ebe61542ac4c327dnvd
- git.kernel.org/stable/c/4cd8d755c7d4f515dd9abf483316aca2f1b7b0f3nvd
- git.kernel.org/stable/c/60e6489f8e3b086bd1130ad4450a2c112e863791nvd
- git.kernel.org/stable/c/db81ad20fd8aef7cc7d536c52ee5ea4c1f979128nvd
- mohandacherir.github.io/Qdiv7/posts/unix_new_gc/nvd
News mentions
0No linked articles in our index yet.