CVE-2025-21854
📋 TL;DR
A NULL pointer dereference vulnerability in the Linux kernel's sockmap subsystem for vsock sockets could cause kernel crashes or denial of service. Attackers with local access can trigger this by manipulating vsock socket states, potentially leading to system instability. This affects Linux systems using vsock sockets with sockmap/BPF functionality.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and denial of service, potentially disrupting critical services.
Likely Case
Local denial of service through kernel crashes or system instability when vsock sockets are manipulated.
If Mitigated
Minimal impact if vsock/sockmap functionality is not used or proper access controls prevent local exploitation.
🎯 Exploit Status
Requires local access and ability to manipulate vsock socket states. Exploit would need to trigger the specific edge case described.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in kernel commits: 22b683217ad2112791a708693cb236507abd637a, 8fb5bb169d17cdd12c2dcc2e96830ed487d77a0f, cc9a7832ede53ade1ba9991f0e27314caa4029d8, f7b473e35986835cc2813fef7b9d40336a09247e
Vendor Advisory: https://git.kernel.org/stable/c/22b683217ad2112791a708693cb236507abd637a
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing the fix commits.
2. Reboot system to load new kernel.
3. Verify kernel version after reboot.
🔧 Temporary Workarounds
Disable vsock sockmap functionality
Prevent use of sockmap with vsock sockets to avoid the vulnerable code path
echo 0 > /proc/sys/net/core/bpf_jit_enable
modprobe -r vsock_loopback vsock
Restrict vsock usage
Use kernel module blacklisting to prevent vsock module loading
echo 'blacklist vsock' >> /etc/modprobe.d/blacklist.conf
echo 'blacklist vsock_loopback' >> /etc/modprobe.d/blacklist.conf
🧯 If You Can't Patch
- Implement strict access controls to prevent unauthorized local users from creating/manipulating vsock sockets
- Monitor system logs for kernel panic or crash events related to vsock/sockmap
🔍 How to Verify
Check if Vulnerable:
Check kernel version: uname -r. If version is <= 6.14.0-rc1 and vsock/sockmap is used, system may be vulnerable.
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version contains fix commits: grep -q '22b683217ad2112791a708693cb236507abd637a\|8fb5bb169d17cdd12c2dcc2e96830ed487d77a0f\|cc9a7832ede53ade1ba9991f0e27314caa4029d8\|f7b473e35986835cc2813fef7b9d40336a09247e' /proc/version
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages
- KASAN: null-ptr-deref errors
- vsock_loopback_work stack traces in dmesg
Network Indicators:
- Unusual vsock socket creation patterns
SIEM Query:
source="kernel" AND ("KASAN: null-ptr-deref" OR "vsock_read_skb" OR "vsock_loopback_work")
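The OR-style query above fires on any NULL-dereference report and on any log line that names a vsock function. The script below is an added example, not part of the original advisory: it counts only crash reports whose body names vsock_read_skb or vsock_loopback_work. The sample log, the 60-line report window and the extra non-KASAN start pattern are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the advisory): count crash reports, not matching lines.

# Constructed sample kernel log; not captured from a real system.
sample_log() {
    cat <<'EOF'
[  101.000001] KASAN: null-ptr-deref in range [0x0000000000000060-0x0000000000000067]
[  101.000002] CPU: 1 PID: 77 Comm: kworker/1:2
[  101.000003] Workqueue: vsock-loopback vsock_loopback_work
[  101.000004] RIP: 0010:vsock_read_skb+0x4b/0x90
[  101.000005] ---[ end trace 0000000000000000 ]---
[  250.000001] KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
[  250.000002] CPU: 0 PID: 91 Comm: example_task
[  250.000003] RIP: 0010:example_unrelated_fn+0x12/0x40
[  250.000004] ---[ end trace 0000000000000000 ]---
[  300.000001] workqueue: vsock_loopback_work hogged CPU for >10000us
EOF
}

# Baseline: number of lines hit by the OR-style query shown above.
naive_or_matches() {
    grep -c -E 'KASAN: null-ptr-deref|vsock_read_skb|vsock_loopback_work' "$@" || true
}

# Number of NULL-dereference reports whose body names a vsock function.
# A report starts at the KASAN line (or, on kernels built without KASAN, the
# "BUG: kernel NULL pointer dereference" line) and ends at "---[ end trace"
# or, as an assumption of this example, after 60 lines.
vsock_null_deref_reports() {
    awk '
        /KASAN: null-ptr-deref|BUG: kernel NULL pointer dereference/ {
            if (in_report) total += hit      # previous report never closed
            in_report = 1; hit = 0; n = 0
            next
        }
        in_report {
            n++
            if ($0 ~ /vsock_read_skb|vsock_loopback_work/) hit = 1
            if ($0 ~ /---\[ end trace/ || n >= 60) { total += hit; in_report = 0 }
        }
        END { if (in_report) total += hit; print total + 0 }
    ' "$@"
}

echo "reports=$(sample_log | vsock_null_deref_reports) lines=$(sample_log | naive_or_matches)"
```

Both functions read standard input or file arguments, so the same check can be run as `dmesg | vsock_null_deref_reports` or against a saved kernel log.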