CVE-2025-21854: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-21854 is a vulnerability discovered in the Linux kernel affecting the sockmap and vsock components. The vulnerability was disclosed on March 12, 2025, and involves a NULL pointer dereference issue in the socket mapping functionality. The vulnerability affects Linux kernel versions from 6.4 through 6.14-rc1, including versions 6.13 (up to 6.13.5), 6.7 through 6.12.17, and 6.4 through 6.6.80 (NVD).

The vulnerability stems from an edge case where an unconnected (connectible) socket may lose its previously assigned transport in the sockmap functionality. While this is handled with a NULL check in the vsock/BPF recv path, a design detail where listening vsocks are not supposed to have any transport assigned creates a complication. The issue occurs when a socket, before switching to TCP_LISTEN, may have had some transport assigned during a failed connect() attempt. This results in a NULL pointer dereference, which can cause system crashes. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

When exploited, this vulnerability can lead to a system crash through a NULL pointer dereference, specifically in the range [0x0000000000000120-0x0000000000000127]. This primarily affects system availability, with no direct impact on confidentiality or integrity (NVD).

The vulnerability has been fixed by modifying the socket mapping behavior to only allow established connections for connectible sockets, aligning with the behavior for AFINET and AFUNIX. The fix has been implemented through patches in the Linux kernel, available in the stable tree (Kernel Patch).