VYPR
Unrated severity · NVD Advisory · Published Dec 24, 2025 · Updated Apr 15, 2026

CVE-2025-68366

Description

In the Linux kernel, the following vulnerability has been resolved:

nbd: defer config unlock in nbd_genl_connect

There is a use-after-free warning when running NBD_CMD_CONNECT and NBD_CLEAR_SOCK:

nbd_genl_connect
  nbd_alloc_and_init_config          // config_refs=1
  nbd_start_device                   // config_refs=2
  set NBD_RT_HAS_CONFIG_REF
                                     open nbd        // config_refs=3
                                     recv_work done  // config_refs=2
                                     NBD_CLEAR_SOCK  // config_refs=1
                                     close nbd       // config_refs=0
  refcount_inc -> uaf

------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 24 PID: 1014 at lib/refcount.c:25 refcount_warn_saturate+0x12e/0x290
 nbd_genl_connect+0x16d0/0x1ab0
 genl_family_rcv_msg_doit+0x1f3/0x310
 genl_rcv_msg+0x44a/0x790

The issue can be easily reproduced by adding a small delay before refcount_inc(&nbd->config_refs) in nbd_genl_connect():

mutex_unlock(&nbd->config_lock); if (!ret) { set_bit(NBD_RT_HAS_CONFIG_REF, &config->runtime_flags); + printk("before sleep\n"); + mdelay(5 * 1000); + printk("after sleep\n"); refcount_inc(&nbd->config_refs); nbd_connect_reply(info, nbd->index); }
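Review bot: the delay is placed in exactly the unprotected window: mutex_unlock(&nbd->config_lock) has already run, so while mdelay(5 * 1000) spins nothing stops NBD_CLEAR_SOCK and the final close from dropping config_refs to zero and freeing the config before refcount_inc(&nbd->config_refs) executes, which is the "addition on 0" warning above. That makes this hunk a reproducer only; the change named in the title is the reverse ordering, calling refcount_inc() and nbd_connect_reply() before releasing config_lock. Since the surrounding code already takes and releases a mutex here, the handler is in sleepable context and msleep() would be the conventional choice over a busy-wait mdelay() even in a debug patch, though that does not affect the race itself.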

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free in the Linux kernel's NBD driver during concurrent NBD_CMD_CONNECT and NBD_CLEAR_SOCK operations, leading to potential memory corruption.

Vulnerability

Description

A use-after-free vulnerability exists in the Linux kernel's Network Block Device (NBD) driver when NBD_CMD_CONNECT and NBD_CLEAR_SOCK commands are processed concurrently. The root cause is that nbd_genl_connect releases the config_lock mutex before it increments the config_refs reference count with refcount_inc. That leaves a window in which the device's configuration can be freed before the reference is taken, so the increment lands on freed memory and the nbd structure is used after free [1].

Attack

Scenario

Exploitation requires an unprivileged user or process to send a crafted sequence of Netlink messages: first an NBD_CMD_CONNECT request, which starts the device and takes a config reference, and then, during the race window, an NBD_CLEAR_SOCK (followed by the device close shown in the trace above) to tear down the device and drop the reference count to zero. If the timing lines up, the subsequent refcount_inc in nbd_genl_connect operates on freed memory [2]. The race window can be widened artificially (for example by inserting a delay in the code, as the bug report demonstrates), which makes the race reliable.

Impact

A successful attack results in a use-after-free on kernel memory, which can lead to a system crash (denial of service) or, given a suitable heap layout, arbitrary code execution with kernel privileges. The vulnerability has a CVSS v3.1 base score of 7.8 (High): it requires local access but no authentication, and can be triggered with low privileges [1][2].

Mitigation

The fix (commit 9a3830664387 in the Linux kernel stable tree [1]) defers the unlock of config_lock in nbd_genl_connect until after the refcount_inc and the reply transmission, so the reference is taken while the lock is still held and the race window is closed. Users are advised to update to a kernel version that contains this patch. There is no workaround other than applying the kernel update.
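The ordering discussed in the Vulnerability and Mitigation sections above, as an added example that is not part of the advisory or of the kernel: a user-space C model in which the racing sequence from the call trace runs as soon as config_lock is released. nbd_genl_connect_model, config_get, config_put and racer are hypothetical names; with the original ordering the increment lands on a zero count, with the unlock deferred past the increment it does not.

```c
/* Added example (not kernel or advisory code): a user-space model of the
 * config_refs race. The racing sequence from the call trace (open, recv_work
 * done, NBD_CLEAR_SOCK, close) replays once config_lock is dropped. */
#include <stdbool.h>
struct nbd_model {
    bool config_lock;   /* stands in for the config_lock mutex (true = held) */
    int  config_refs;   /* stands in for refcount_t config_refs */
    bool config_freed;  /* last reference dropped: the config memory is gone */
    bool uaf;           /* refcount_inc() ran on a zero (freed) count */
};

static void config_get(struct nbd_model *nbd) {
    if (nbd->config_refs == 0 || nbd->config_freed)
        nbd->uaf = true;            /* "refcount_t: addition on 0; use-after-free." */
    else
        nbd->config_refs++;
}

static void config_put(struct nbd_model *nbd) {
    if (--nbd->config_refs == 0)
        nbd->config_freed = true;   /* the real driver frees the config here */
}

/* The other side of the race. It needs config_lock, so it only makes
 * progress once the connect path has released it. */
static void racer(struct nbd_model *nbd) {
    if (nbd->config_lock)
        return;                     /* would block on the mutex in the kernel */
    config_get(nbd);                /* open nbd        -> config_refs + 1 */
    config_put(nbd);                /* recv_work done  -> config_refs - 1 */
    config_put(nbd);                /* NBD_CLEAR_SOCK  -> config_refs - 1 */
    config_put(nbd);                /* close nbd       -> config_refs - 1 */
}

/* Tail of nbd_genl_connect: defer_unlock=false is the original ordering,
 * defer_unlock=true the fixed one. Returns 1 if refcount_inc hit freed memory. */
int nbd_genl_connect_model(bool defer_unlock) {
    struct nbd_model nbd = { .config_lock = true, .config_refs = 1 }; /* alloc */
    config_get(&nbd);               /* nbd_start_device -> config_refs=2 */
    if (!defer_unlock) {
        nbd.config_lock = false;    /* mutex_unlock() first ... */
        racer(&nbd);                /* ... so the count drains 3,2,1,0 and frees */
        config_get(&nbd);           /* refcount_inc() on 0 -> uaf */
    } else {
        config_get(&nbd);           /* take the reference while still locked */
        nbd.config_lock = false;    /* mutex_unlock() only afterwards */
        racer(&nbd);                /* racer leaves config_refs at 1, nothing freed */
    }
    return nbd.uaf ? 1 : 0;
}
```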

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
