{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-40231","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.180Z","datePublished":"2025-12-04T15:31:22.199Z","dateUpdated":"2026-05-11T21:45:19.805Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:45:19.805Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nvsock: fix lock inversion in vsock_assign_transport()\n\nSyzbot reported a potential lock inversion deadlock between\nvsock_register_mutex and sk_lock-AF_VSOCK when vsock_linger() is called.\n\nThe issue was introduced by commit 687aa0c5581b (\"vsock: Fix\ntransport_* TOCTOU\") which added vsock_register_mutex locking in\nvsock_assign_transport() around the transport->release() call, that can\ncall vsock_linger(). vsock_assign_transport() can be called with sk_lock\nheld. vsock_linger() calls sk_wait_event() that temporarily releases and\nre-acquires sk_lock. During this window, if another thread hold\nvsock_register_mutex while trying to acquire sk_lock, a circular\ndependency is created.\n\nFix this by releasing vsock_register_mutex before calling\ntransport->release() and vsock_deassign_transport(). This is safe\nbecause we don't need to hold vsock_register_mutex while releasing the\nold transport, and we ensure the new transport won't disappear by\nobtaining a module reference first via try_module_get()."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/vmw_vsock/af_vsock.c"],"versions":[{"version":"8667e8d0eb46bc54fdae30ba2f4786407d3d88eb","lessThan":"ce4f856c64f0bc30e29302a0ce41f4295ca391c5","status":"affected","versionType":"git"},{"version":"36a439049b34cca0b3661276049b84a1f76cc21a","lessThan":"09bba278ccde25a14b6e5088a9e65a8717d0cccf","status":"affected","versionType":"git"},{"version":"9ce53e744f18e73059d3124070e960f3aa9902bf","lessThan":"b44182c116778feaa05da52a426aeb9da1878dcf","status":"affected","versionType":"git"},{"version":"9d24bb6780282b0255b9929abe5e8f98007e2c6e","lessThan":"42ed0784d11adebf748711e503af0eb9f1e6d81d","status":"affected","versionType":"git"},{"version":"ae2c712ba39c7007de63cb0c75b51ce1caaf1da5","lessThan":"251caee792a21eb0b781aab91362b422c945e162","status":"affected","versionType":"git"},{"version":"687aa0c5581b8d4aa87fd92973e4ee576b550cdf","lessThan":"a2a4346eea8b4cb75037dbcb20b98cb454324f80","status":"affected","versionType":"git"},{"version":"687aa0c5581b8d4aa87fd92973e4ee576b550cdf","lessThan":"f7c877e7535260cc7a21484c994e8ce7e8cb6780","status":"affected","versionType":"git"},{"version":"7b73bddf54777fb62d4d8c7729d0affe6df04477","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/vmw_vsock/af_vsock.c"],"versions":[{"version":"6.16","status":"affected"},{"version":"0","lessThan":"6.16","status":"unaffected","versionType":"semver"},{"version":"5.10.246","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.196","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.158","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.115","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.56","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.17.6","lessThanOrEqual":"6.17.*","status":"unaffected","versionType":"semver"},{"version":"6.18","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.240","versionEndExcluding":"5.10.246"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.189","versionEndExcluding":"5.15.196"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.146","versionEndExcluding":"6.1.158"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.99","versionEndExcluding":"6.6.115"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12.39","versionEndExcluding":"6.12.56"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.16","versionEndExcluding":"6.17.6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.16","versionEndExcluding":"6.18"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.15.7"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/ce4f856c64f0bc30e29302a0ce41f4295ca391c5"},{"url":"https://git.kernel.org/stable/c/09bba278ccde25a14b6e5088a9e65a8717d0cccf"},{"url":"https://git.kernel.org/stable/c/b44182c116778feaa05da52a426aeb9da1878dcf"},{"url":"https://git.kernel.org/stable/c/42ed0784d11adebf748711e503af0eb9f1e6d81d"},{"url":"https://git.kernel.org/stable/c/251caee792a21eb0b781aab91362b422c945e162"},{"url":"https://git.kernel.org/stable/c/a2a4346eea8b4cb75037dbcb20b98cb454324f80"},{"url":"https://git.kernel.org/stable/c/f7c877e7535260cc7a21484c994e8ce7e8cb6780"}],"title":"vsock: fix lock inversion in vsock_assign_transport()","x_generator":{"engine":"bippy-1.2.0"}}}}