LiveActive security incident?Get immediate response
CVE Record

CVE-2025-40214: af_unix: Initialise scc_index in unix_add_edge().

In the Linux kernel, the following vulnerability has been resolved: af_unix: Initialise scc_index in unix_add_edge(). Quang Le reported that the AF_UNIX GC could garbage-collect a receive queue of an alive in-flight socket, with a nice repro. The repro consists of three stages. 1) 1-a. Create a single cyclic reference with many sockets 1-b. close() all sockets 1-c. Trigger GC 2) 2-a. Pass sk-A to an embryo sk-B 2-b. Pass sk-X to sk-X 2-c. Trigger GC 3) 3-a. accept() the embryo sk-B 3-b. Pass sk-B to sk-C 3-c. close() the in-flight sk-A 3-d. Trigger GC As of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices, and unix_walk_scc() groups them into two different SCCs: unix_sk(sk-A)->vertex->scc_index = 2 (UNIX_VERTEX_INDEX_START) unix_sk(sk-X)->vertex->scc_index = 3 Once GC completes, unix_graph_grouped is set to true. Also, unix_graph_maybe_cyclic is set to true due to sk-X's cyclic self-reference, which makes close() trigger GC. At 3-b, unix_add_edge() allocates unix_sk(sk-B)->vertex and links it to unix_unvisited_vertices. unix_update_graph() is called at 3-a. and 3-b., but neither unix_graph_grouped nor unix_graph_maybe_cyclic is changed because both sk-B's listener and sk-C are not in-flight. 3-c decrements sk-A's file refcnt to 1. Since unix_graph_grouped is true at 3-d, unix_walk_scc_fast() is finally called and iterates 3 sockets sk-A, sk-B, and sk-X: sk-A -> sk-B (-> sk-C) sk-X -> sk-X This is totally fine. All of them are not yet close()d and should be grouped into different SCCs. However, unix_vertex_dead() misjudges that sk-A and sk-B are in the same SCC and sk-A is dead. unix_sk(sk-A)->scc_index == unix_sk(sk-B)->scc_index <-- Wrong! && sk-A's file refcnt == unix_sk(sk-A)->vertex->out_degree ^-- 1 in-flight count for sk-B -> sk-A is dead !? The problem is that unix_add_edge() does not initialise scc_index. Stage 1) is used for heap spraying, making a newly allocated vertex have vertex->scc_index == 2 (UNIX_VERTEX_INDEX_START) set by unix_walk_scc() at 1-c. Let's track the max SCC index from the previous unix_walk_scc() call and assign the max + 1 to a new vertex's scc_index. This way, we can continue to avoid Tarjan's algorithm while preventing misjudgments.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

This Linux kernel flaw can make AF_UNIX socket garbage collection wrongly treat a live in-flight socket as dead. The public record confirms a kernel fix, but does not provide CVSS, CWE, or a clear impact statement. Treat exposure as kernel-version dependent until Linux distribution advisories map the upstream fixes to supported packages.

Executive priority

Set this for monitored remediation, not emergency response, unless your Linux vendor rates it higher for your environment. The missing CVSS and absent KEV listing lower confidence in urgency, but kernel issues still deserve timely patch planning.

Technical view

The bug is an uninitialized scc_index in unix_add_edge(). Under a multi-stage AF_UNIX socket reference pattern, stale SCC state can cause unix_vertex_dead() to misclassify live sockets during garbage collection. The kernel fix tracks the previous maximum SCC index and assigns a new index to newly allocated vertices.

Likely exposure

Exposure is limited to Linux systems running affected kernel versions according to the CVE record. The bundle identifies Linux as the affected product, but distribution package status and appliance-specific exposure require vendor mapping.

Exploitation context

The source describes a researcher-provided reproducer, but KEV is false and no cited source in the bundle states active exploitation. The public description is technical but does not establish weaponized exploitation or business impact.

Researcher notes

The key condition is stale SCC indexing after unix_add_edge() allocates a new AF_UNIX graph vertex without initializing scc_index. The record names specific upstream stable commits, but the bundle does not state confidentiality, integrity, availability impact, or privilege requirements.

Mitigation direction

  • Check Linux vendor advisories for patched kernels containing the referenced stable commits.
  • Prioritize systems where untrusted local users or containers can exercise AF_UNIX sockets.
  • Update affected kernels through supported distribution channels when fixes are available.
  • For appliances, confirm exposure and remediation through the product vendor advisory.

Validation and detection

  • Inventory Linux kernel versions across servers, containers hosts, and appliances.
  • Map installed kernels to distribution advisories referencing CVE-2025-40214.
  • Confirm whether referenced upstream stable commits are included in deployed kernels.
  • Track Siemens advisory status if affected Siemens products are in scope.
Prepared
Confidence
medium
Sources
9

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2025-40214 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
8Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

siemens-SADPADP container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxadfb68b39b39767d6bfb53e48c4f19c183765686, d23802221f6755e104606864067c71af8cdb6788, ad081928a8b0f57f269df999a28087fce6f2b6ce, ad081928a8b0f57f269df999a28087fce6f2b6ce, ad081928a8b0f57f269df999a28087fce6f2b6ce, 6.1.141, 6.6.93unaffected
LinuxLinux6.10, 0, 6.1.159, 6.6.117, 6.12.59, 6.17.9, 6.18affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.