CVE-2025-40231

Vulnerability

CVE-2025-40231 describes a lock inversion deadlock in the Linux kernel's AF_VSOCK socket implementation. The issue was introduced in commit 687aa0c5581b ("vsock: Fix transport_* TOCTOU"), which added vsock_register_mutex locking in vsock_assign_transport() around the transport->release() call [1]. This function can be called with sk_lock held, and transport->release() may call vsock_linger(), which invokes sk_wait_event() that temporarily releases and re-acquires sk_lock [2]. If another thread holds vsock_register_mutex while trying to acquire sk_lock, a circular dependency (lock inversion) occurs [3].

Exploitation

An attacker with local access could trigger the deadlock by opening two concurrent VSOCK connections: one causing vsock_assign_transport() with sk_lock held, and another holding vsock_register_mutex while acquiring sk_lock. No special privileges beyond the ability to create AF_VSOCK sockets are required [1]. The vulnerability affects systems where the vsock transport is used (e.g., virtual machine guest-host communication).

Impact

Successful exploitation results in a denial of service (system hang) due to a deadlock that prevents progress of both threads involved [2]. The deadlock could also affect other operations that require vsock_register_mutex, such as transport registration or shutdown. The issue is limited to local denial of service; no privilege escalation or remote code execution has been described.

Mitigation

The Linux kernel stable series have released patches that fix the lock inversion by releasing vsock_register_mutex before calling transport->release() and vsock_deassign_transport(), while obtaining a module reference via try_module_get() to ensure the new transport remains valid [4]. All kernels including the vulnerable commit and not yet patched are affected. Users should apply the available updates from their distribution or the mainline kernel.