LiveActive security incident?Get immediate response
CVE Record

CVE-2025-68366: nbd: defer config unlock in nbd_genl_connect

In the Linux kernel, the following vulnerability has been resolved: nbd: defer config unlock in nbd_genl_connect There is one use-after-free warning when running NBD_CMD_CONNECT and NBD_CLEAR_SOCK: nbd_genl_connect nbd_alloc_and_init_config // config_refs=1 nbd_start_device // config_refs=2 set NBD_RT_HAS_CONFIG_REF open nbd // config_refs=3 recv_work done // config_refs=2 NBD_CLEAR_SOCK // config_refs=1 close nbd // config_refs=0 refcount_inc -> uaf ------------[ cut here ]------------ refcount_t: addition on 0; use-after-free. WARNING: CPU: 24 PID: 1014 at lib/refcount.c:25 refcount_warn_saturate+0x12e/0x290 nbd_genl_connect+0x16d0/0x1ab0 genl_family_rcv_msg_doit+0x1f3/0x310 genl_rcv_msg+0x44a/0x790 The issue can be easily reproduced by adding a small delay before refcount_inc(&nbd->config_refs) in nbd_genl_connect(): mutex_unlock(&nbd->config_lock); if (!ret) { set_bit(NBD_RT_HAS_CONFIG_REF, &config->runtime_flags); + printk("before sleep\n"); + mdelay(5 * 1000); + printk("after sleep\n"); refcount_inc(&nbd->config_refs); nbd_connect_reply(info, nbd->index); }

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

This is a Linux kernel use-after-free in the Network Block Device path. A race between connecting an NBD device and clearing or closing its socket can leave kernel code increasing a freed reference counter. Business impact is unclear because the source does not provide CVSS, CWE, or confirmed exploit impact.

Executive priority

Treat as a kernel maintenance item with heightened priority for infrastructure using NBD. There is no source-backed evidence of active exploitation, but kernel memory-safety bugs can become operationally significant once impact is clarified.

Technical view

The bug is in nbd_genl_connect. During NBD_CMD_CONNECT, config_lock is released before refcount_inc on nbd->config_refs. Concurrent NBD_CLEAR_SOCK and close can drop config_refs to zero, producing a refcount addition-on-zero use-after-free warning. Stable kernel commits are referenced as the resolution.

Likely exposure

Exposure is most relevant to Linux systems using or permitting NBD operations. The bundle lists Linux kernel versions and branches including 4.12, 5.10.248, 5.15.198, 6.1.160, 6.6.120, 6.12.63, 6.17.13, 6.18.2, and 6.19. Required privileges are not specified.

Exploitation context

The CVE source describes an easily reproduced race when artificial delay is added, but does not claim public exploitation. CISA KEV status is false in the bundle. No exploit code, real-world attacks, or confirmed impact beyond a use-after-free warning are provided.

Researcher notes

The key race is config_refs reaching zero after NBD_CLEAR_SOCK and close, before nbd_genl_connect increments it. The sources do not specify privilege boundaries, exploitability, denial-of-service behavior, or memory corruption consequences beyond the refcount use-after-free warning.

Mitigation direction

  • Update affected Linux kernels to builds containing the referenced stable fixes.
  • Prioritize hosts that use NBD or allow NBD device management.
  • Check distribution vendor advisories for packaged kernel availability and reboot requirements.
  • Limit NBD device access to trusted administrators where operationally possible.

Validation and detection

  • Inventory kernel versions across Linux hosts and appliances.
  • Identify systems with NBD modules, devices, or management workflows enabled.
  • Confirm installed kernels include the relevant stable fix for their branch.
  • Review kernel logs for NBD refcount or use-after-free warnings.
Prepared
Confidence
medium
Sources
10

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2025-68366 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
9Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxe46c7287b1c27683a8e30ca825fb98e2b97f1099, e46c7287b1c27683a8e30ca825fb98e2b97f1099, e46c7287b1c27683a8e30ca825fb98e2b97f1099, e46c7287b1c27683a8e30ca825fb98e2b97f1099, e46c7287b1c27683a8e30ca825fb98e2b97f1099, e46c7287b1c27683a8e30ca825fb98e2b97f1099, e46c7287b1c27683a8e30ca825fb98e2b97f1099, e46c7287b1c27683a8e30ca825fb98e2b97f1099unaffected
LinuxLinux4.12, 0, 5.10.248, 5.15.198, 6.1.160, 6.6.120, 6.12.63, 6.17.13, 6.18.2, 6.19affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.