UNKNOWN | CISA KEV | IN THE WILD

CVE-2025-21756

Published: April 11, 2026

Official Description

In the Linux kernel, the following vulnerability has been resolved:

vsock: Keep the binding until socket destruction

Preserve sockets bindings; this includes both resulting from an explicit
bind() and those implicitly bound through autobind during connect().

Prevents socket unbinding during a transport reassignment, which fixes a
use-after-free:

    1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2)
    2. transport->release() calls vsock_remove_bound() without checking if
       sk was bound and moved to bound list (refcnt=1)
    3. vsock_bind() assumes sk is in unbound list and before
       __vsock_insert_bound(vsock_bound_sockets()) calls
       __vsock_remove_bound() which does:
           list_del_init(&vsk->bound_table); // nop
           sock_put(&vsk->sk);               // refcnt=0

BUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730
Read of size 4 at addr ffff88816b46a74c by task a.out/2057
 dump_stack_lvl+0x68/0x90
 print_report+0x174/0x4f6
 kasan_report+0xb9/0x190
 __vsock_bind+0x62e/0x730
 vsock_bind+0x97/0xe0
 __sys_bind+0x154/0x1f0
 __x64_sys_bind+0x6e/0xb0
 do_syscall_64+0x93/0x1b0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Allocated by task 2057:
 kasan_save_stack+0x1e/0x40
 kasan_save_track+0x10/0x30
 __kasan_slab_alloc+0x85/0x90
 kmem_cache_alloc_noprof+0x131/0x450
 sk_prot_alloc+0x5b/0x220
 sk_alloc+0x2c/0x870
 __vsock_create.constprop.0+0x2e/0xb60
 vsock_create+0xe4/0x420
 __sock_create+0x241/0x650
 __sys_socket+0xf2/0x1a0
 __x64_sys_socket+0x6e/0xb0
 do_syscall_64+0x93/0x1b0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Freed by task 2057:
 kasan_save_stack+0x1e/0x40
 kasan_save_track+0x10/0x30
 kasan_save_free_info+0x37/0x60
 __kasan_slab_free+0x4b/0x70
 kmem_cache_free+0x1a1/0x590
 __sk_destruct+0x388/0x5a0
 __vsock_bind+0x5e1/0x730
 vsock_bind+0x97/0xe0
 __sys_bind+0x154/0x1f0
 __x64_sys_bind+0x6e/0xb0
 do_syscall_64+0x93/0x1b0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

refcount_t: addition on 0; use-after-free.
WARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150
RIP: 0010:refcount_warn_saturate+0xce/0x150
 __vsock_bind+0x66d/0x730
 vsock_bind+0x97/0xe0
 __sys_bind+0x154/0x1f0
 __x64_sys_bind+0x6e/0xb0
 do_syscall_64+0x93/0x1b0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

refcount_t: underflow; use-after-free.
WARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150
RIP: 0010:refcount_warn_saturate+0xee/0x150
 vsock_remove_bound+0x187/0x1e0
 __vsock_release+0x383/0x4a0
 vsock_release+0x90/0x120
 __sock_release+0xa3/0x250
 sock_close+0x14/0x20
 __fput+0x359/0xa80
 task_work_run+0x107/0x1d0
 do_exit+0x847/0x2560
 do_group_exit+0xb8/0x250
 __x64_sys_exit_group+0x3a/0x50
 x64_sys_call+0xfec/0x14f0
 do_syscall_64+0x93/0x1b0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

NVD Source
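
A log check built from the trace in the description above, added here as an example (not code from NVD, the kernel commit or CTIWATCH): it flags KASAN and refcount_t reports only when their call trace passes through the vsock functions named in that trace. The names `scan` and `header_kind`, the 60-line window and the sample log are assumptions made for this example.

```python
import re

# Function names taken from the call traces in the description above.
VSOCK_SYMS = {"__vsock_bind", "vsock_bind", "vsock_remove_bound", "__vsock_release"}
# Report headers quoted in the description: the KASAN splat and both refcount_t warnings.
HEADERS = [
    ("kasan-slab-uaf", re.compile(r"BUG: KASAN: slab-use-after-free in ([\w.]+)\+0x")),
    ("refcount-add-on-0", re.compile(r"refcount_t: addition on 0; use-after-free")),
    ("refcount-underflow", re.compile(r"refcount_t: underflow; use-after-free")),
]
STAMP = re.compile(r"^\s*\[\s*\d+\.\d+\]\s*")  # dmesg "[  123.456789] " prefix
FRAME = re.compile(r"^(?:\?\s+)?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")

def header_kind(line):
    """Return (kind, faulting_symbol_or_None) if the line opens a report, else None."""
    for kind, rx in HEADERS:
        if (m := rx.search(line)):
            return kind, (m.group(1) if rx.groups else None)
    return None

def scan(log_lines, window=60):
    """Return [(kind, vsock_symbol)] for reports whose trace passes through vsock code."""
    lines = [STAMP.sub("", l).strip() for l in log_lines]
    hits = []
    for i, line in enumerate(lines):
        head = header_kind(line)
        if not head:
            continue
        syms = [head[1]] if head[1] else []  # KASAN names the function in its header
        for nxt in lines[i + 1:i + 1 + window]:
            if header_kind(nxt):  # next report begins, stop attributing frames
                break
            if (m := FRAME.match(nxt)):
                syms.append(m.group(1))
        vsock = [s for s in syms if s in VSOCK_SYMS]
        if vsock:  # skip use-after-free/refcount reports from other subsystems
            hits.append((head[0], vsock[0]))
    return hits

# Constructed sample: lines from the trace above with dmesg timestamps added, plus an
# unrelated refcount warning (hypothetical frame name example_put) that must not match.
SAMPLE = """\
[  101.000001] BUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730
[  101.000002]  vsock_bind+0x97/0xe0
[  101.000003] refcount_t: underflow; use-after-free.
[  101.000004] WARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150
[  101.000005]  vsock_remove_bound+0x187/0x1e0
[  205.000001] refcount_t: underflow; use-after-free.
[  205.000002]  example_put+0x10/0x20
""".splitlines()
```

KASAN reports appear only on kernels built with KASAN; a hit indicates the unpatched code path ran on that host.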

Technical Analysis

CVE-2025-21756 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

CISA has added CVE-2025-21756 to the Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. U.S. federal agencies are required to patch this within the mandated timeframe, and all organizations should treat remediation as urgent.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

ACTIVE EXPLOITATION: Confirmed exploitation in the wild

Quick Facts

CVE ID: CVE-2025-21756
Severity:
CISA KEV: YES — Active Exploitation
Exploit: IN THE WILD
Published: Apr 11, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2025-21756 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
  • CISA KEV: Federal agencies must patch per BOD 22-01 timeline
  • Active exploitation confirmed — treat as P1
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.