CVE-2025-68372
Description
In the Linux kernel, the following vulnerability has been resolved:
nbd: defer config put in recv_work
There is one uaf issue in recv_work when running NBD_CLEAR_SOCK and NBD_CMD_RECONFIGURE: nbd_genl_connect // conf_ref=2 (connect and recv_work A) nbd_open // conf_ref=3 recv_work A done // conf_ref=2 NBD_CLEAR_SOCK // conf_ref=1 nbd_genl_reconfigure // conf_ref=2 (trigger recv_work B) close nbd // conf_ref=1 recv_work B config_put // conf_ref=0 atomic_dec(&config->recv_threads); -> UAF
Or only running NBD_CLEAR_SOCK: nbd_genl_connect // conf_ref=2 nbd_open // conf_ref=3 NBD_CLEAR_SOCK // conf_ref=2 close nbd nbd_release config_put // conf_ref=1 recv_work config_put // conf_ref=0 atomic_dec(&config->recv_threads); -> UAF
Commit 87aac3a80af5 ("nbd: call nbd_config_put() before notifying the waiter") moved nbd_config_put() to run before waking up the waiter in recv_work, in order to ensure that nbd_start_device_ioctl() would not be woken up while nbd->task_recv was still uncleared.
However, in nbd_start_device_ioctl(), after being woken up it explicitly calls flush_workqueue() to make sure all current works are finished. Therefore, there is no need to move the config put ahead of the wakeup.
Move nbd_config_put() to the end of recv_work, so that the reference is held for the whole lifetime of the worker thread. This makes sure the config cannot be freed while recv_work is still running, even if clear + reconfigure interleave.
In addition, we don't need to worry about recv_work dropping the last nbd_put (which causes deadlock):
path A (netlink with NBD_CFLAG_DESTROY_ON_DISCONNECT): connect // nbd_refs=1 (trigger recv_work) open nbd // nbd_refs=2 NBD_CLEAR_SOCK close nbd nbd_release nbd_disconnect_and_put flush_workqueue // recv_work done nbd_config_put nbd_put // nbd_refs=1 nbd_put // nbd_refs=0 queue_work
path B (netlink without NBD_CFLAG_DESTROY_ON_DISCONNECT): connect // nbd_refs=2 (trigger recv_work) open nbd // nbd_refs=3 NBD_CLEAR_SOCK // conf_refs=2 close nbd nbd_release nbd_config_put // conf_refs=1 nbd_put // nbd_refs=2 recv_work done // conf_refs=0, nbd_refs=1 rmmod // nbd_refs=0
Depends-on: e2daec488c57 ("nbd: Fix hungtask when nbd_config_put")
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free in Linux kernel's NBD driver occurs when recv_work releases the config reference before thread tracking is cleared, enabling privilege escalation.
Root
Cause
A use-after-free (UAF) vulnerability exists in the Linux kernel's Network Block Device (NBD) driver. The issue is in the recv_work function, where nbd_config_put() is called before atomic_dec(&config->recv_threads), allowing the configuration to be freed while still being accessed. A previous fix (commit 87aac3a80af5) moved the config put before waking up the waiter, but this created a race condition when NBD_CLEAR_SOCK and NBD_CMD_RECONFIGURE operations interleave [1][2].
Attack
Vector
An attacker with local access and sufficient privileges to issue NBD netlink commands can trigger the race. The exploit flows involve starting an NBD device, establishing a connection, then quickly performing NBD_CLEAR_SOCK and/or NBD_CMD_RECONFIGURE while a recv_work worker is running. When the reference count drops to zero before recv_threads is decremented, the freed config is accessed, causing a UAF [3].
Impact
Successful exploitation could lead to a denial of service (system crash) or potentially privilege escalation, as the UAF corrupts kernel memory. The flaw affects all kernels containing the problematic commit (introducted in v5.10-rc1 and later).
Mitigation
Patches are available in the stable kernel trees [1][2][3]. The fix moves nbd_config_put() to the end of recv_work, ensuring the reference is held for the entire lifetime of the worker thread, preventing the race. Users should update to patched kernel versions.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- git.kernel.org/stable/c/198aa230a6f8c1f6af7ed26b29180749c3e79e4dnvd
- git.kernel.org/stable/c/1ba2ced2bbdf7e64a30c3e88c70ea8bc208d1509nvd
- git.kernel.org/stable/c/3692884bd6187d89d41eef81e5a9724519fd01c1nvd
- git.kernel.org/stable/c/443a1721806b6ff6303b5229e9811d68172d622fnvd
- git.kernel.org/stable/c/6b69593f72e1bfba6ca47ca8d9b619341fded7d6nvd
- git.kernel.org/stable/c/742012f6bf29553fdc460bf646a58df3a7b43d01nvd
- git.kernel.org/stable/c/9517b82d8d422d426a988b213fdd45c6b417b86dnvd
- git.kernel.org/stable/c/d3ba312675911ff9e3fefefd551751e153a9f0a9nvd
News mentions
0No linked articles in our index yet.