CVE-2025-21731
Published: 27 February 2025
Description
In the Linux kernel, the following vulnerability has been resolved:

nbd: don't allow reconnect after disconnect

The following process can cause an nbd_config UAF:

1) grab nbd_config temporarily;

2) nbd_genl_disconnect() flushes all recv_work() and releases the initial reference:

    nbd_genl_disconnect
     nbd_disconnect_and_put
      nbd_disconnect
       flush_workqueue(nbd->recv_workq)
      if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF, ...))
       nbd_config_put
       -> due to step 1), reference is still not zero

3) nbd_genl_reconfigure() queues recv_work() again:

    nbd_genl_reconfigure
     config = nbd_get_config_unlocked(nbd)
     if (!config) -> succeed
     if (!test_bit(NBD_RT_BOUND, ...)) -> succeed
     nbd_reconnect_socket
      queue_work(nbd->recv_workq, &args->work)

4) step 1) releases the reference;

5) Finally, recv_work() will trigger the UAF:

    recv_work
     nbd_config_put(nbd)
     -> nbd_config is freed
     atomic_dec(&config->recv_threads)
     -> UAF

Fix the problem by clearing NBD_RT_BOUND in nbd_genl_disconnect(), so that nbd_genl_reconfigure() will fail.
Security Summary
CVE-2025-21731 is a Use-After-Free (UAF) vulnerability (CWE-416) in the Linux kernel's Network Block Device (NBD) module. It arises from a race condition in the netlink interface handling disconnect and reconnect operations. Specifically, a process can temporarily hold a reference to the nbd_config structure, trigger nbd_genl_disconnect() (which flushes the recv_workq work items and drops the initial reference without bringing the count to zero), then invoke nbd_genl_reconfigure() to queue new recv_work items against the now-inconsistent config, and finally release the held reference. recv_work then accesses the freed nbd_config, including the atomic operation on its recv_threads counter. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges (PR:L) can exploit this vulnerability due to its low attack complexity and lack of user interaction requirements. By orchestrating the described race—holding a temporary nbd_config reference, disconnecting via nbd_genl_disconnect, reconfiguring via nbd_genl_reconfigure to queue recv_work, and then releasing the reference—the attacker triggers the UAF. Successful exploitation could allow arbitrary code execution, data corruption, or system crashes, with high impacts on confidentiality, integrity, and availability.
Mitigation is provided through kernel patches available in stable trees, as detailed in the referenced commits. The fix modifies nbd_genl_disconnect to clear the NBD_RT_BOUND flag, ensuring that subsequent nbd_genl_reconfigure calls fail after a disconnect and preventing the queuing of recv_work on a potentially freed config. Security practitioners should apply these patches to affected Linux kernels supporting the NBD module.
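To make the ordering above concrete, here is an added user-space model of the reference-count and flag state machine that the commit message describes. It is not kernel code and not part of the advisory: the struct names, `model_*` functions and the embedded `freed` marker are stand-ins for the driver's nbd_config refcount and NBD_RT_* bits, chosen so the five steps can be replayed and compared with and without the fix (clearing NBD_RT_BOUND in disconnect). The model deliberately records "config touched after free" as a flag instead of performing the access.

```c
/* Added example: a user-space model of the nbd_config refcount/flag race
 * from CVE-2025-21731. Names are simplified stand-ins, not the real driver. */
#include <stdbool.h>
#include <stdio.h>

#define NBD_RT_BOUND          (1u << 0)   /* models the kernel's NBD_RT_BOUND bit */
#define NBD_RT_HAS_CONFIG_REF (1u << 1)   /* models NBD_RT_HAS_CONFIG_REF */

struct model_config {
    int  refs;          /* models the nbd_config reference count */
    int  recv_threads;  /* models config->recv_threads */
    bool freed;         /* set when refs reaches zero (instead of calling free) */
};

struct model_nbd {
    unsigned flags;               /* models the NBD_RT_* runtime flags */
    struct model_config config;   /* embedded so nothing is really freed */
    int queued_recv_work;         /* recv_work items queued but not yet run */
};

static void config_get(struct model_nbd *nbd) { nbd->config.refs++; }

static void config_put(struct model_nbd *nbd)
{
    if (--nbd->config.refs == 0)
        nbd->config.freed = true;   /* nbd_config_put frees the config here */
}

static void model_connect(struct model_nbd *nbd)
{
    nbd->config.refs = 1;
    nbd->config.recv_threads = 0;
    nbd->config.freed = false;
    nbd->flags = NBD_RT_BOUND | NBD_RT_HAS_CONFIG_REF;
    nbd->queued_recv_work = 0;
}

/* Models recv_work: drop the work item's reference, then touch the config
 * (atomic_dec on recv_threads). Returns true if that touch would be a UAF. */
static bool model_recv_work(struct model_nbd *nbd)
{
    config_put(nbd);
    if (nbd->config.freed)
        return true;               /* access after free: the bug */
    nbd->config.recv_threads--;
    return false;
}

/* Step 2: flush queued recv_work and drop the initial reference. With
 * `fixed` set, NBD_RT_BOUND is cleared as the upstream patch does. */
static void model_disconnect(struct model_nbd *nbd, bool fixed)
{
    while (nbd->queued_recv_work > 0) {        /* flush_workqueue(recv_workq) */
        nbd->queued_recv_work--;
        model_recv_work(nbd);
    }
    if (fixed)
        nbd->flags &= ~NBD_RT_BOUND;
    if (nbd->flags & NBD_RT_HAS_CONFIG_REF) {  /* test_and_clear_bit(...) */
        nbd->flags &= ~NBD_RT_HAS_CONFIG_REF;
        config_put(nbd);
    }
}

/* Step 3: the two checks in nbd_genl_reconfigure, then queue recv_work.
 * Returns 0 when the reconnect is accepted, -1 when a check rejects it. */
static int model_reconfigure(struct model_nbd *nbd)
{
    if (nbd->config.freed)              /* nbd_get_config_unlocked() == NULL */
        return -1;
    if (!(nbd->flags & NBD_RT_BOUND))   /* the check the fix makes trip */
        return -1;
    config_get(nbd);                    /* reconnect path takes a ref for the work */
    nbd->config.recv_threads++;
    nbd->queued_recv_work++;
    return 0;
}

/* Replays steps 1-3 and reports the result of the reconfigure attempt. */
int reconfigure_after_disconnect(bool fixed)
{
    struct model_nbd nbd;
    model_connect(&nbd);
    config_get(&nbd);                   /* 1) grab nbd_config temporarily */
    model_disconnect(&nbd, fixed);      /* 2) refs is still 1 afterwards */
    return model_reconfigure(&nbd);     /* 3) vulnerable: 0, fixed: -1 */
}

/* Replays all five steps; true means recv_work touched a freed config. */
bool scenario_triggers_uaf(bool fixed)
{
    struct model_nbd nbd;
    bool uaf = false;
    model_connect(&nbd);
    config_get(&nbd);                   /* 1) temporary reference */
    model_disconnect(&nbd, fixed);      /* 2) flush + drop initial reference */
    (void)model_reconfigure(&nbd);      /* 3) may queue recv_work again */
    config_put(&nbd);                   /* 4) temporary reference released */
    while (nbd.queued_recv_work > 0) {  /* 5) pending recv_work finally runs */
        nbd.queued_recv_work--;
        uaf |= model_recv_work(&nbd);
    }
    return uaf;
}

int main(void)
{
    printf("unpatched: reconfigure rc=%d, uaf=%d\n",
           reconfigure_after_disconnect(false), scenario_triggers_uaf(false));
    printf("patched:   reconfigure rc=%d, uaf=%d\n",
           reconfigure_after_disconnect(true), scenario_triggers_uaf(true));
    return 0;
}
```

The point the model makes is that the refcount alone cannot protect recv_work here: step 1 keeps the count above zero through the disconnect, so the `!config` check in reconfigure passes, and only the NBD_RT_BOUND check can reject the reconnect. Clearing that bit in disconnect is what turns the unpatched run (reconfigure accepted, work queued, config freed under it) into the patched run (reconfigure rejected, nothing queued).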
Details
- CWE(s)