{ "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2025-40214", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T07:20:57.179Z", "datePublished": "2025-12-04T12:38:31.601Z", "dateUpdated": "2026-06-12T08:31:42.408Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-06-12T08:31:42.408Z" }, "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Initialise scc_index in unix_add_edge().\n\nQuang Le reported that the AF_UNIX GC could garbage-collect a\nreceive queue of an alive in-flight socket, with a nice repro.\n\nThe repro consists of three stages.\n\n 1)\n 1-a. Create a single cyclic reference with many sockets\n 1-b. close() all sockets\n 1-c. Trigger GC\n\n 2)\n 2-a. Pass sk-A to an embryo sk-B\n 2-b. Pass sk-X to sk-X\n 2-c. Trigger GC\n\n 3)\n 3-a. accept() the embryo sk-B\n 3-b. Pass sk-B to sk-C\n 3-c. close() the in-flight sk-A\n 3-d. Trigger GC\n\nAs of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices,\nand unix_walk_scc() groups them into two different SCCs:\n\n unix_sk(sk-A)->vertex->scc_index = 2 (UNIX_VERTEX_INDEX_START)\n unix_sk(sk-X)->vertex->scc_index = 3\n\nOnce GC completes, unix_graph_grouped is set to true.\nAlso, unix_graph_maybe_cyclic is set to true due to sk-X's\ncyclic self-reference, which makes close() trigger GC.\n\nAt 3-b, unix_add_edge() allocates unix_sk(sk-B)->vertex and\nlinks it to unix_unvisited_vertices.\n\nunix_update_graph() is called at 3-a. and 3-b., but neither\nunix_graph_grouped nor unix_graph_maybe_cyclic is changed\nbecause both sk-B's listener and sk-C are not in-flight.\n\n3-c decrements sk-A's file refcnt to 1.\n\nSince unix_graph_grouped is true at 3-d, unix_walk_scc_fast()\nis finally called and iterates 3 sockets sk-A, sk-B, and sk-X:\n\n sk-A -> sk-B (-> sk-C)\n sk-X -> sk-X\n\nThis is totally fine. All of them are not yet close()d and\nshould be grouped into different SCCs.\n\nHowever, unix_vertex_dead() misjudges that sk-A and sk-B are\nin the same SCC and sk-A is dead.\n\n unix_sk(sk-A)->scc_index == unix_sk(sk-B)->scc_index <-- Wrong!\n &&\n sk-A's file refcnt == unix_sk(sk-A)->vertex->out_degree\n ^-- 1 in-flight count for sk-B\n -> sk-A is dead !?\n\nThe problem is that unix_add_edge() does not initialise scc_index.\n\nStage 1) is used for heap spraying, making a newly allocated\nvertex have vertex->scc_index == 2 (UNIX_VERTEX_INDEX_START)\nset by unix_walk_scc() at 1-c.\n\nLet's track the max SCC index from the previous unix_walk_scc()\ncall and assign the max + 1 to a new vertex's scc_index.\n\nThis way, we can continue to avoid Tarjan's algorithm while\npreventing misjudgments." } ], "affected": [ { "product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "net/unix/garbage.c" ], "versions": [ { "version": "adfb68b39b39767d6bfb53e48c4f19c183765686", "lessThan": "20003fbb9174121b27bd1da6ebe61542ac4c327d", "status": "affected", "versionType": "git" }, { "version": "d23802221f6755e104606864067c71af8cdb6788", "lessThan": "4cd8d755c7d4f515dd9abf483316aca2f1b7b0f3", "status": "affected", "versionType": "git" }, { "version": "ad081928a8b0f57f269df999a28087fce6f2b6ce", "lessThan": "db81ad20fd8aef7cc7d536c52ee5ea4c1f979128", "status": "affected", "versionType": "git" }, { "version": "ad081928a8b0f57f269df999a28087fce6f2b6ce", "lessThan": "1aa7e40ee850c9053e769957ce6541173891204d", "status": "affected", "versionType": "git" }, { "version": "ad081928a8b0f57f269df999a28087fce6f2b6ce", "lessThan": "60e6489f8e3b086bd1130ad4450a2c112e863791", "status": "affected", "versionType": "git" }, { "version": "6.1.141", "lessThan": "6.1.159", "status": "affected", "versionType": "semver" }, { "version": "6.6.93", "lessThan": "6.6.117", "status": "affected", "versionType": "semver" } ] }, { "product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "net/unix/garbage.c" ], "versions": [ { "version": "6.10", "status": "affected" }, { "version": "0", "lessThan": "6.10", "status": "unaffected", "versionType": "semver" }, { "version": "6.1.159", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.6.117", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.12.59", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.17.9", "lessThanOrEqual": "6.17.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.18", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.141", "versionEndExcluding": "6.1.159" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.93", "versionEndExcluding": "6.6.117" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10", "versionEndExcluding": "6.12.59" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10", "versionEndExcluding": "6.17.9" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10", "versionEndExcluding": "6.18" } ] } ] } ], "references": [ { "url": "https://git.kernel.org/stable/c/20003fbb9174121b27bd1da6ebe61542ac4c327d" }, { "url": "https://git.kernel.org/stable/c/4cd8d755c7d4f515dd9abf483316aca2f1b7b0f3" }, { "url": "https://git.kernel.org/stable/c/db81ad20fd8aef7cc7d536c52ee5ea4c1f979128" }, { "url": "https://git.kernel.org/stable/c/1aa7e40ee850c9053e769957ce6541173891204d" }, { "url": "https://git.kernel.org/stable/c/60e6489f8e3b086bd1130ad4450a2c112e863791" }, { "url": "https://mohandacherir.github.io/Qdiv7/posts/unix_new_gc/" } ], "title": "af_unix: Initialise scc_index in unix_add_edge().", "x_generator": { "engine": "bippy-1.2.0" } }, "adp": [ { "x_adpType": "supplier", "providerMetadata": { "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e", "shortName": "siemens-SADP", "dateUpdated": "2026-06-02T12:59:56.598Z" }, "affected": [ { "vendor": "Siemens", "product": "RUGGEDCOM RST2428P", "versions": [ { "status": "affected", "version": "0", "lessThan": "V4.0", "versionType": "custom" } ], "defaultStatus": "unknown" } ], "references": [ { "url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html" } ] } ] } }