CVE-2025-68366: nbd: defer config unlock in nbd_genl_connect
In the Linux kernel, the following vulnerability has been resolved:
nbd: defer config unlock in nbd_genl_connect
There is one use-after-free warning when running NBD_CMD_CONNECT and
NBD_CLEAR_SOCK:
nbd_genl_connect
nbd_alloc_and_init_config // config_refs=1
nbd_start_device // config_refs=2
set NBD_RT_HAS_CONFIG_REF open nbd // config_refs=3
recv_work done // config_refs=2
NBD_CLEAR_SOCK // config_refs=1
close nbd // config_refs=0
refcount_inc -> uaf
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 24 PID: 1014 at lib/refcount.c:25 refcount_warn_saturate+0x12e/0x290
nbd_genl_connect+0x16d0/0x1ab0
genl_family_rcv_msg_doit+0x1f3/0x310
genl_rcv_msg+0x44a/0x790
The issue can be easily reproduced by adding a small delay before
refcount_inc(&nbd->config_refs) in nbd_genl_connect():
mutex_unlock(&nbd->config_lock);
if (!ret) {
set_bit(NBD_RT_HAS_CONFIG_REF, &config->runtime_flags);
+ printk("before sleep\n");
+ mdelay(5 * 1000);
+ printk("after sleep\n");
refcount_inc(&nbd->config_refs);
nbd_connect_reply(info, nbd->index);
}
Security readout for executives and security teams
Plain-English summary
This is a Linux kernel use-after-free in the Network Block Device path. A race between connecting an NBD device and clearing or closing its socket can leave kernel code increasing a freed reference counter. Business impact is unclear because the source does not provide CVSS, CWE, or confirmed exploit impact.
Executive priority
Treat as a kernel maintenance item with heightened priority for infrastructure using NBD. There is no source-backed evidence of active exploitation, but kernel memory-safety bugs can become operationally significant once impact is clarified.
Technical view
The bug is in nbd_genl_connect. During NBD_CMD_CONNECT, config_lock is released before refcount_inc on nbd->config_refs. Concurrent NBD_CLEAR_SOCK and close can drop config_refs to zero, producing a refcount addition-on-zero use-after-free warning. Stable kernel commits are referenced as the resolution.
Likely exposure
Exposure is most relevant to Linux systems using or permitting NBD operations. The bundle lists Linux kernel versions and branches including 4.12, 5.10.248, 5.15.198, 6.1.160, 6.6.120, 6.12.63, 6.17.13, 6.18.2, and 6.19. Required privileges are not specified.
Exploitation context
The CVE source describes an easily reproduced race when artificial delay is added, but does not claim public exploitation. CISA KEV status is false in the bundle. No exploit code, real-world attacks, or confirmed impact beyond a use-after-free warning are provided.
Researcher notes
The key race is config_refs reaching zero after NBD_CLEAR_SOCK and close, before nbd_genl_connect increments it. The sources do not specify privilege boundaries, exploitability, denial-of-service behavior, or memory corruption consequences beyond the refcount use-after-free warning.
Mitigation direction
Update affected Linux kernels to builds containing the referenced stable fixes.
Prioritize hosts that use NBD or allow NBD device management.
Check distribution vendor advisories for packaged kernel availability and reboot requirements.
Limit NBD device access to trusted administrators where operationally possible.
Validation and detection
Inventory kernel versions across Linux hosts and appliances.
Identify systems with NBD modules, devices, or management workflows enabled.
Confirm installed kernels include the relevant stable fix for their branch.
Review kernel logs for NBD refcount or use-after-free warnings.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2025-68366 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.