CVE-2025-22109
📋 TL;DR
This CVE describes a memory leak and refcount leak vulnerability in the Linux kernel's AX.25 protocol implementation when using the autobind feature. The vulnerability allows attackers to cause kernel memory exhaustion or trigger kernel warnings, potentially leading to denial of service. It affects Linux systems using AX.25 networking, primarily amateur radio applications.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Kernel memory exhaustion leading to system instability or crash, potentially enabling denial of service attacks against affected systems.
Likely Case
Memory leaks causing gradual performance degradation and kernel warning messages in system logs, with possible system instability over time.
If Mitigated
Minimal impact if AX.25 protocol is not used or autobind feature is avoided; systems would operate normally without exploitation.
🎯 Exploit Status
Exploitation requires local access or ability to trigger AX.25 socket operations. Found by fuzzing with Syzkaller.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Linux kernel with commits 2f6efbabceb6b2914ee9bafb86d9a51feae9cce8 and 61203fdd3e35519db9a98b6ff8983c620ffc4696
Vendor Advisory: https://git.kernel.org/stable/c/2f6efbabceb6b2914ee9bafb86d9a51feae9cce8
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing the fix commits. 2. Check your distribution's security advisories for backported patches. 3. Reboot system after kernel update.
🔧 Temporary Workarounds
Disable AX.25 module
linuxRemove or blacklist AX.25 kernel module if not needed
echo 'blacklist ax25' >> /etc/modprobe.d/blacklist.conf
rmmod ax25
Avoid autobind usage
linuxEnsure applications don't use AX.25 socket autobind feature
🧯 If You Can't Patch
- Disable AX.25 protocol support in kernel configuration if not required
- Monitor system logs for refcount warnings and memory leak indicators
🔍 How to Verify
Check if Vulnerable:
Check if AX.25 module is loaded: lsmod | grep ax25. If loaded and kernel version is before fix commits, system may be vulnerable.Check Version:
uname -rVerify Fix Applied:
Check kernel version includes fix commits: uname -r and verify with distribution's security advisory. Confirm AX.25 module loads without issues.📡 Detection & Monitoring
Log Indicators:
- Kernel logs showing 'refcount_t: decrement hit 0; leaking memory'
- 'ax25_connect(): uses autobind' messages
- kmemleak reports for AX.25 objects
Network Indicators:
- Unusual AX.25 socket creation patterns
- Multiple failed AX.25 connection attempts
SIEM Query:
source="kernel" AND ("refcount_t" OR "ax25_connect" OR "autobind")