CVE & CISA-KEV Catalog

CVE-2025-40214

UNSCORED

Description

In the Linux kernel, the following vulnerability has been resolved: af_unix: Initialise scc_index in unix_add_edge(). Quang Le reported that the AF_UNIX GC could garbage-collect a receive queue of an alive in-flight socket, with a nice repro. The repro consists of three stages. 1) 1-a. Create a single cyclic reference with many sockets 1-b. close() all sockets 1-c. Trigger GC 2) 2-a. Pass sk-A to an embryo sk-B 2-b. Pass sk-X to sk-X 2-c. Trigger GC 3) 3-a. accept() the embryo sk-B 3-b. Pass sk-B to sk-C 3-c. close() the in-flight sk-A 3-d. Trigger GC As of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices, and unix_walk_scc() groups them into two different SCCs: unix_sk(sk-A)->vertex->scc_index = 2 (UNIX_VERTEX_INDEX_START) unix_sk(sk-X)->vertex->scc_index = 3 Once GC completes, unix_graph_grouped is set to true. Also, unix_graph_maybe_cyclic is set to true due to sk-X's cyclic self-reference, which makes close() trigger GC. At 3-b, unix_add_edge() allocates unix_sk(sk-B)->vertex and links it to unix_unvisited_vertices. unix_update_graph() is called at 3-a. and 3-b., but neither unix_graph_grouped nor unix_graph_maybe_cyclic is changed because both sk-B's listener and sk-C are not in-flight. 3-c decrements sk-A's file refcnt to 1. Since unix_graph_grouped is true at 3-d, unix_walk_scc_fast() is finally called and iterates 3 sockets sk-A, sk-B, and sk-X: sk-A -> sk-B (-> sk-C) sk-X -> sk-X This is totally fine. All of them are not yet close()d and should be grouped into different SCCs. However, unix_vertex_dead() misjudges that sk-A and sk-B are in the same SCC and sk-A is dead. unix_sk(sk-A)->scc_index == unix_sk(sk-B)->scc_index <-- Wrong! && sk-A's file refcnt == unix_sk(sk-A)->vertex->out_degree ^-- 1 in-flight count for sk-B -> sk-A is dead !? The problem is that unix_add_edge() does not initialise scc_index. Stage 1) is used for heap spraying, making a newly allocated vertex have vertex->scc_index == 2 (UNIX_VERTEX_INDEX_START) set by unix_walk_scc() at 1-c. Let's track the max SCC index from the previous unix_walk_scc() call and assign the max + 1 to a new vertex's scc_index. This way, we can continue to avoid Tarjan's algorithm while preventing misjudgments.

How to fix

Remediation Available
linuxDebian
Fixed in:6.1.159-1CVE-2025-40214
Fixed in:6.12.63-1CVE-2025-40214
Fixed in:6.17.9-1CVE-2025-40214
awsUbuntu
Fixed in:5.4.0-1009LSN-0118-1
Fixed in:5.15.0-1000LSN-0118-1
Fixed in:6.8.0-1008LSN-0118-1
aws-5.15Ubuntu
Fixed in:5.15.0-1000LSN-0118-1
aws-6.8Ubuntu
Fixed in:6.8.0-1000LSN-0118-1
azureUbuntu
Fixed in:5.15.0-1000LSN-0118-1
Fixed in:6.8.0-1007LSN-0118-1
azure-5.15Ubuntu
Fixed in:5.15.0-1069LSN-0118-1
gcpUbuntu
Fixed in:5.15.0-1000LSN-0118-1
Fixed in:6.8.0-1007LSN-0118-1
gcp-5.15Ubuntu
Fixed in:5.15.0-1000LSN-0118-1
gcp-6.8Ubuntu
Fixed in:6.8.0-1000LSN-0118-1
generic-5.15Ubuntu
Fixed in:5.15.0-0LSN-0118-1
generic-5.4Ubuntu
Fixed in:5.4.0-150LSN-0118-1
Fixed in:5.4.0-26LSN-0118-1
gkeUbuntu
Fixed in:5.15.0-1000LSN-0118-1
ibmUbuntu
Fixed in:5.15.0-1000LSN-0118-1
Fixed in:6.8.0-1005LSN-0118-1
ibm-5.15Ubuntu
Fixed in:5.15.0-1000LSN-0118-1
ibm-6.8Ubuntu
Fixed in:6.8.0-1000LSN-0118-1
linuxUbuntu
Fixed in:5.15.0-71LSN-0118-1
Fixed in:6.8.0-1LSN-0118-1
Fixed in:6.17.0-1LSN-0118-1
Fixed in:6.17.0-12.12USN-8014-1
linux-awsUbuntu
Fixed in:6.17.0-1006.6USN-8014-1
linux-azureUbuntu
Fixed in:6.17.0-1007.7USN-8014-1
linux-gcpUbuntu
Fixed in:6.17.0-1006.6USN-8014-1
linux-image-6.17.0-1005-realtimeUbuntu
Fixed in:6.17.0-1005.6USN-8014-1
linux-image-6.17.0-1006-awsUbuntu
Fixed in:6.17.0-1006.6USN-8014-1
linux-image-6.17.0-1006-aws-64kUbuntu
Fixed in:6.17.0-1006.6USN-8014-1
linux-image-6.17.0-1006-gcpUbuntu
Fixed in:6.17.0-1006.6USN-8014-1
linux-image-6.17.0-1006-gcp-64kUbuntu
Fixed in:6.17.0-1006.6USN-8014-1
linux-image-6.17.0-1006-oracleUbuntu
Fixed in:6.17.0-1006.6USN-8014-1
linux-image-6.17.0-1006-oracle-64kUbuntu
Fixed in:6.17.0-1006.6USN-8014-1
linux-image-6.17.0-1007-azureUbuntu
Fixed in:6.17.0-1007.7USN-8014-1
linux-image-6.17.0-1007-raspiUbuntu
Fixed in:6.17.0-1007.7USN-8014-1
linux-image-6.17.0-1010-oemUbuntu
Fixed in:6.17.0-1010.10USN-8014-1
linux-image-6.17.0-12-genericUbuntu
Fixed in:6.17.0-12.12USN-8014-1
linux-image-6.17.0-12-generic-64kUbuntu
Fixed in:6.17.0-12.12USN-8014-1
linux-image-awsUbuntu
Fixed in:6.17.0-1006.6USN-8014-1
linux-image-aws-6.17Ubuntu
Fixed in:6.17.0-1006.6USN-8014-1
linux-image-aws-64kUbuntu
Fixed in:6.17.0-1006.6USN-8014-1
linux-image-aws-64k-6.17Ubuntu
Fixed in:6.17.0-1006.6USN-8014-1
linux-image-azureUbuntu
Fixed in:6.17.0-1007.7USN-8014-1
linux-image-azure-6.17Ubuntu
Fixed in:6.17.0-1007.7USN-8014-1
linux-image-gcpUbuntu
Fixed in:6.17.0-1006.6USN-8014-1
linux-image-gcp-6.17Ubuntu
Fixed in:6.17.0-1006.6USN-8014-1
linux-image-gcp-64kUbuntu
Fixed in:6.17.0-1006.6USN-8014-1
linux-image-gcp-64k-6.17Ubuntu
Fixed in:6.17.0-1006.6USN-8014-1
linux-image-genericUbuntu
Fixed in:6.17.0-12.12USN-8014-1
linux-image-generic-6.17Ubuntu
Fixed in:6.17.0-12.12USN-8014-1
linux-image-generic-64kUbuntu
Fixed in:6.17.0-12.12USN-8014-1
linux-image-generic-64k-6.17Ubuntu
Fixed in:6.17.0-12.12USN-8014-1
linux-image-oem-24.04dUbuntu
Fixed in:6.17.0-1010.10USN-8014-1
linux-image-oem-6.17Ubuntu
Fixed in:6.17.0-1010.10USN-8014-1
linux-image-oracleUbuntu
Fixed in:6.17.0-1006.6USN-8014-1
linux-image-oracle-6.17Ubuntu
Fixed in:6.17.0-1006.6USN-8014-1
linux-image-oracle-64kUbuntu
Fixed in:6.17.0-1006.6USN-8014-1
linux-image-oracle-64k-6.17Ubuntu
Fixed in:6.17.0-1006.6USN-8014-1
linux-image-raspiUbuntu
Fixed in:6.17.0-1007.7USN-8014-1
linux-image-raspi-6.17Ubuntu
Fixed in:6.17.0-1007.7USN-8014-1
linux-image-realtimeUbuntu
Fixed in:6.17.0-1005.6USN-8014-1
linux-image-realtime-6.17Ubuntu
Fixed in:6.17.0-1005.6USN-8014-1
linux-image-virtualUbuntu
Fixed in:6.17.0-12.12USN-8014-1
linux-image-virtual-6.17Ubuntu
Fixed in:6.17.0-12.12USN-8014-1
linux-oem-6.17Ubuntu
Fixed in:6.17.0-1010.10USN-8014-1
linux-oracleUbuntu
Fixed in:6.17.0-1006.6USN-8014-1
linux-raspiUbuntu
Fixed in:6.17.0-1007.7USN-8014-1
linux-realtimeUbuntu
Fixed in:6.17.0-1005.6USN-8014-1
lowlatency-5.15Ubuntu
Fixed in:5.15.0-0LSN-0118-1
lowlatency-5.4Ubuntu
Fixed in:5.4.0-150LSN-0118-1
Fixed in:5.4.0-26LSN-0118-1
oracleUbuntu
Fixed in:5.15.0-1055LSN-0118-1
Fixed in:6.8.0-1005LSN-0118-1
oracle-5.15Ubuntu
Fixed in:5.15.0-1055LSN-0118-1

Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.

CVSS v3.1 Vector

No CVSS vector data available.

Exploit Intelligence

0.17%probability of exploitation in 30 days
7thpercentile

Low risk: more likely to be exploited than 7% of all known CVEs.

References

Embed a live status badge for CVE-2025-40214
CVE-2025-40214 severity badge

Markdown

[![CVE-2025-40214](https://tridentstack.com/cve/badge/CVE-2025-40214.svg)](https://tridentstack.com/cve/CVE-2025-40214)

HTML

<a href="https://tridentstack.com/cve/CVE-2025-40214"><img src="https://tridentstack.com/cve/badge/CVE-2025-40214.svg" alt="CVE-2025-40214"></a>

Find and fix vulnerabilities across your fleet

TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.

Start free

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2026-06-12.