Overview
CVE-2025-40214 describes a vulnerability within the Linux kernel’s AF_UNIX socket implementation. This flaw could lead to a scenario where the garbage collection (GC) process incorrectly identifies and collects a receive queue belonging to an active, in-flight socket. This improper garbage collection can lead to unpredictable system behavior and potential instability. This article provides a detailed analysis of the vulnerability, its potential impact, and the mitigation implemented in the Linux kernel.
Technical Details
The vulnerability stems from the fact that the scc_index field within the unix_vertex structure was not initialized in the unix_add_edge() function. This oversight, as reported by Quang Le, could be exploited through a specific sequence of socket operations designed to manipulate the AF_UNIX graph and trigger the garbage collection process.
The exploit consists of three stages:
- Cyclic Reference and GC Trigger:
  - Create multiple sockets forming a cyclic reference.
  - Close all the created sockets.
  - Trigger the garbage collection process.
- Embryo Socket and Self-Reference:
  - Pass a socket (sk-A) to an embryo socket (sk-B).
  - Create a self-referential link (sk-X -> sk-X).
  - Trigger garbage collection.
- In-Flight Socket and GC Mishandling:
  - accept() the embryo socket (sk-B).
  - Pass sk-B to sk-C.
  - Close an in-flight socket (sk-A).
  - Trigger garbage collection.
The uninitialized scc_index, combined with a heap spraying technique, can lead to unix_vertex_dead() incorrectly identifying an alive socket as dead and triggering its premature garbage collection. The core issue is that unix_add_edge() never initializes the scc_index field, so a freshly allocated vertex keeps whatever stale value that memory held from a previous allocation.
CVSS Analysis
At the time of writing, no CVSS score has been assigned to CVE-2025-40214, and the severity is marked as “N/A.” However, the potential for incorrect garbage collection of active sockets indicates a potential for denial-of-service or other unpredictable system behavior. The impact depends on how AF_UNIX sockets are used on the affected system.
Possible Impact
The incorrect garbage collection of AF_UNIX sockets due to CVE-2025-40214 can lead to the following potential impacts:
- Denial-of-Service (DoS): Prematurely freeing socket resources can interrupt communication between processes, leading to service disruptions.
- System Instability: Incorrectly managing socket resources can destabilize the system, potentially leading to crashes.
- Application Errors: Applications relying on AF_UNIX sockets may experience unexpected errors or failures due to the premature closure of socket connections.
Mitigation and Patch Steps
The vulnerability is addressed by initializing the scc_index field in the unix_add_edge() function. The patch tracks the maximum SCC index from the previous unix_walk_scc() call and assigns the max + 1 to a new vertex’s scc_index. This ensures that new vertices are correctly assigned to different SCCs, preventing misjudgments by unix_vertex_dead(). Users are advised to update their Linux kernel to a version containing the fix. The fix has been backported to stable kernel branches.
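The following is an added, simplified model (not kernel code) of the misjudgment described above and of why the fix prevents it. It assumes, as a model of unix_vertex_dead(), that a vertex is considered dead only when every receiver of its in-flight fd shares its scc_index and all remaining file references are in-flight; the vertex names and numeric values are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Vertex:
    """Simplified stand-in for struct unix_vertex (model only, assumed layout)."""
    name: str
    scc_index: int
    file_refs: int                                   # refs on the socket's file
    successors: list = field(default_factory=list)   # sockets that hold our fd in flight

    @property
    def out_degree(self) -> int:
        return len(self.successors)


def vertex_dead(v: Vertex) -> bool:
    """Model of unix_vertex_dead(): reclaimable only if no receiver sits outside
    v's SCC and every remaining file reference is one of the in-flight copies."""
    for receiver in v.successors:
        if receiver is None:                     # held by a non-inflight socket
            return False
        if receiver.scc_index != v.scc_index:    # receiver in another SCC: alive
            return False
    return v.file_refs == v.out_degree


def new_vertex(name: str, stale_value: int, max_scc_index: int, fixed: bool) -> Vertex:
    """unix_add_edge() allocating a vertex. Before the fix scc_index keeps whatever
    the recycled memory held (stale_value, what heap spraying controls); after the
    fix it is set to the tracked maximum SCC index + 1, which no existing SCC uses."""
    idx = max_scc_index + 1 if fixed else stale_value
    return Vertex(name, scc_index=idx, file_refs=2)   # still open by its owner


def scenario(fixed: bool) -> bool:
    """sk-A was close()d and its only file ref is the copy in flight to sk-X.
    sk-X is open, so sk-A is still reachable and must NOT be collected."""
    max_scc_index = 7          # highest index handed out by the last unix_walk_scc()
    sk_x = new_vertex("sk-X", stale_value=7, max_scc_index=max_scc_index, fixed=fixed)
    sk_a = Vertex("sk-A", scc_index=7, file_refs=1, successors=[sk_x])
    return vertex_dead(sk_a)   # True means the GC would wrongly reclaim sk-A's queue


if __name__ == "__main__":
    print("unpatched: sk-A judged dead =", scenario(fixed=False))
    print("patched:   sk-A judged dead =", scenario(fixed=True))
```

With the stale index colliding with sk-A's SCC the model reports sk-A as dead; with max + 1 the receiver is seen in a different SCC and sk-A survives.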
Specifically, the fix involves the following:
diff --git a/net/unix/garbage.c b/net/unix/garbage.c index ... --- a/net/unix/garbage.c +++ b/net/unix/garbage.c @@ -331,6 +331,7 @@ static void unix_add_edge(struct sock *sk, struct sock *osk) vertex = unix_get_vertex(osk); if (!vertex) return; + vertex->scc_index = unix_scc_max_index + 1; if (!unix_vertex_add_edge(unx, vertex)) return;
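Review bot: the added line `vertex->scc_index = unix_scc_max_index + 1;` references `unix_scc_max_index`, but nothing in this excerpt declares that counter or shows where unix_walk_scc() updates it, which the paragraph above says the patch does; the hunk that maintains the counter should be included so the assignment can be reviewed against it. The `index ...` field is also elided, so the excerpt cannot be matched to a specific commit.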
