{"api_version":"1","generated_at":"2026-07-06T01:27:50+00:00","cve":"CVE-2025-40214","urls":{"html":"https://cve.report/CVE-2025-40214","api":"https://cve.report/api/cve/CVE-2025-40214.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2025-40214","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2025-40214"},"summary":{"title":"af_unix: Initialise scc_index in unix_add_edge().","description":"In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Initialise scc_index in unix_add_edge().\n\nQuang Le reported that the AF_UNIX GC could garbage-collect a\nreceive queue of an alive in-flight socket, with a nice repro.\n\nThe repro consists of three stages.\n\n  1)\n    1-a. Create a single cyclic reference with many sockets\n    1-b. close() all sockets\n    1-c. Trigger GC\n\n  2)\n    2-a. Pass sk-A to an embryo sk-B\n    2-b. Pass sk-X to sk-X\n    2-c. Trigger GC\n\n  3)\n    3-a. accept() the embryo sk-B\n    3-b. Pass sk-B to sk-C\n    3-c. close() the in-flight sk-A\n    3-d. Trigger GC\n\nAs of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices,\nand unix_walk_scc() groups them into two different SCCs:\n\n  unix_sk(sk-A)->vertex->scc_index = 2 (UNIX_VERTEX_INDEX_START)\n  unix_sk(sk-X)->vertex->scc_index = 3\n\nOnce GC completes, unix_graph_grouped is set to true.\nAlso, unix_graph_maybe_cyclic is set to true due to sk-X's\ncyclic self-reference, which makes close() trigger GC.\n\nAt 3-b, unix_add_edge() allocates unix_sk(sk-B)->vertex and\nlinks it to unix_unvisited_vertices.\n\nunix_update_graph() is called at 3-a. and 3-b., but neither\nunix_graph_grouped nor unix_graph_maybe_cyclic is changed\nbecause both sk-B's listener and sk-C are not in-flight.\n\n3-c decrements sk-A's file refcnt to 1.\n\nSince unix_graph_grouped is true at 3-d, unix_walk_scc_fast()\nis finally called and iterates 3 sockets sk-A, sk-B, and sk-X:\n\n  sk-A -> sk-B (-> sk-C)\n  sk-X -> sk-X\n\nThis is totally fine.  All of them are not yet close()d and\nshould be grouped into different SCCs.\n\nHowever, unix_vertex_dead() misjudges that sk-A and sk-B are\nin the same SCC and sk-A is dead.\n\n  unix_sk(sk-A)->scc_index == unix_sk(sk-B)->scc_index <-- Wrong!\n  &&\n  sk-A's file refcnt == unix_sk(sk-A)->vertex->out_degree\n                                       ^-- 1 in-flight count for sk-B\n  -> sk-A is dead !?\n\nThe problem is that unix_add_edge() does not initialise scc_index.\n\nStage 1) is used for heap spraying, making a newly allocated\nvertex have vertex->scc_index == 2 (UNIX_VERTEX_INDEX_START)\nset by unix_walk_scc() at 1-c.\n\nLet's track the max SCC index from the previous unix_walk_scc()\ncall and assign the max + 1 to a new vertex's scc_index.\n\nThis way, we can continue to avoid Tarjan's algorithm while\npreventing misjudgments.","state":"PUBLISHED","assigner":"Linux","published_at":"2025-12-04 13:15:48","updated_at":"2026-06-12 10:16:20"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/4cd8d755c7d4f515dd9abf483316aca2f1b7b0f3","name":"https://git.kernel.org/stable/c/4cd8d755c7d4f515dd9abf483316aca2f1b7b0f3","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/1aa7e40ee850c9053e769957ce6541173891204d","name":"https://git.kernel.org/stable/c/1aa7e40ee850c9053e769957ce6541173891204d","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/20003fbb9174121b27bd1da6ebe61542ac4c327d","name":"https://git.kernel.org/stable/c/20003fbb9174121b27bd1da6ebe61542ac4c327d","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://cert-portal.siemens.com/productcert/html/ssa-253495.html","name":"https://cert-portal.siemens.com/productcert/html/ssa-253495.html","refsource":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/60e6489f8e3b086bd1130ad4450a2c112e863791","name":"https://git.kernel.org/stable/c/60e6489f8e3b086bd1130ad4450a2c112e863791","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/db81ad20fd8aef7cc7d536c52ee5ea4c1f979128","name":"https://git.kernel.org/stable/c/db81ad20fd8aef7cc7d536c52ee5ea4c1f979128","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://mohandacherir.github.io/Qdiv7/posts/unix_new_gc/","name":"https://mohandacherir.github.io/Qdiv7/posts/unix_new_gc/","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-40214","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40214","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected adfb68b39b39767d6bfb53e48c4f19c183765686 20003fbb9174121b27bd1da6ebe61542ac4c327d git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected d23802221f6755e104606864067c71af8cdb6788 4cd8d755c7d4f515dd9abf483316aca2f1b7b0f3 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected ad081928a8b0f57f269df999a28087fce6f2b6ce db81ad20fd8aef7cc7d536c52ee5ea4c1f979128 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected ad081928a8b0f57f269df999a28087fce6f2b6ce 1aa7e40ee850c9053e769957ce6541173891204d git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected ad081928a8b0f57f269df999a28087fce6f2b6ce 60e6489f8e3b086bd1130ad4450a2c112e863791 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.1.141 6.1.159 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.6.93 6.6.117 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.10","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.10 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.159 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.117 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.59 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.17.9 6.17.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18 * original_commit_for_fix","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"RUGGEDCOM RST2428P","version":"affected V4.0 custom","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2025","cve_id":"40214","cve":"CVE-2025-40214","epss":"0.001640000","percentile":"0.059430000","score_date":"2026-06-18","updated_at":"2026-06-19 00:08:13"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"affected":[{"defaultStatus":"unknown","product":"RUGGEDCOM RST2428P","vendor":"Siemens","versions":[{"lessThan":"V4.0","status":"affected","version":"0","versionType":"custom"}]}],"providerMetadata":{"dateUpdated":"2026-06-02T12:59:56.598Z","orgId":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","shortName":"siemens-SADP"},"references":[{"url":"https://cert-portal.siemens.com/productcert/html/ssa-253495.html"}],"x_adpType":"supplier"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["net/unix/garbage.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"20003fbb9174121b27bd1da6ebe61542ac4c327d","status":"affected","version":"adfb68b39b39767d6bfb53e48c4f19c183765686","versionType":"git"},{"lessThan":"4cd8d755c7d4f515dd9abf483316aca2f1b7b0f3","status":"affected","version":"d23802221f6755e104606864067c71af8cdb6788","versionType":"git"},{"lessThan":"db81ad20fd8aef7cc7d536c52ee5ea4c1f979128","status":"affected","version":"ad081928a8b0f57f269df999a28087fce6f2b6ce","versionType":"git"},{"lessThan":"1aa7e40ee850c9053e769957ce6541173891204d","status":"affected","version":"ad081928a8b0f57f269df999a28087fce6f2b6ce","versionType":"git"},{"lessThan":"60e6489f8e3b086bd1130ad4450a2c112e863791","status":"affected","version":"ad081928a8b0f57f269df999a28087fce6f2b6ce","versionType":"git"},{"lessThan":"6.1.159","status":"affected","version":"6.1.141","versionType":"semver"},{"lessThan":"6.6.117","status":"affected","version":"6.6.93","versionType":"semver"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["net/unix/garbage.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.10"},{"lessThan":"6.10","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.159","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.117","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.59","versionType":"semver"},{"lessThanOrEqual":"6.17.*","status":"unaffected","version":"6.17.9","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"6.18","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.159","versionStartIncluding":"6.1.141","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.117","versionStartIncluding":"6.6.93","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.59","versionStartIncluding":"6.10","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.17.9","versionStartIncluding":"6.10","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18","versionStartIncluding":"6.10","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Initialise scc_index in unix_add_edge().\n\nQuang Le reported that the AF_UNIX GC could garbage-collect a\nreceive queue of an alive in-flight socket, with a nice repro.\n\nThe repro consists of three stages.\n\n  1)\n    1-a. Create a single cyclic reference with many sockets\n    1-b. close() all sockets\n    1-c. Trigger GC\n\n  2)\n    2-a. Pass sk-A to an embryo sk-B\n    2-b. Pass sk-X to sk-X\n    2-c. Trigger GC\n\n  3)\n    3-a. accept() the embryo sk-B\n    3-b. Pass sk-B to sk-C\n    3-c. close() the in-flight sk-A\n    3-d. Trigger GC\n\nAs of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices,\nand unix_walk_scc() groups them into two different SCCs:\n\n  unix_sk(sk-A)->vertex->scc_index = 2 (UNIX_VERTEX_INDEX_START)\n  unix_sk(sk-X)->vertex->scc_index = 3\n\nOnce GC completes, unix_graph_grouped is set to true.\nAlso, unix_graph_maybe_cyclic is set to true due to sk-X's\ncyclic self-reference, which makes close() trigger GC.\n\nAt 3-b, unix_add_edge() allocates unix_sk(sk-B)->vertex and\nlinks it to unix_unvisited_vertices.\n\nunix_update_graph() is called at 3-a. and 3-b., but neither\nunix_graph_grouped nor unix_graph_maybe_cyclic is changed\nbecause both sk-B's listener and sk-C are not in-flight.\n\n3-c decrements sk-A's file refcnt to 1.\n\nSince unix_graph_grouped is true at 3-d, unix_walk_scc_fast()\nis finally called and iterates 3 sockets sk-A, sk-B, and sk-X:\n\n  sk-A -> sk-B (-> sk-C)\n  sk-X -> sk-X\n\nThis is totally fine.  All of them are not yet close()d and\nshould be grouped into different SCCs.\n\nHowever, unix_vertex_dead() misjudges that sk-A and sk-B are\nin the same SCC and sk-A is dead.\n\n  unix_sk(sk-A)->scc_index == unix_sk(sk-B)->scc_index <-- Wrong!\n  &&\n  sk-A's file refcnt == unix_sk(sk-A)->vertex->out_degree\n                                       ^-- 1 in-flight count for sk-B\n  -> sk-A is dead !?\n\nThe problem is that unix_add_edge() does not initialise scc_index.\n\nStage 1) is used for heap spraying, making a newly allocated\nvertex have vertex->scc_index == 2 (UNIX_VERTEX_INDEX_START)\nset by unix_walk_scc() at 1-c.\n\nLet's track the max SCC index from the previous unix_walk_scc()\ncall and assign the max + 1 to a new vertex's scc_index.\n\nThis way, we can continue to avoid Tarjan's algorithm while\npreventing misjudgments."}],"providerMetadata":{"dateUpdated":"2026-06-12T08:31:42.408Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/20003fbb9174121b27bd1da6ebe61542ac4c327d"},{"url":"https://git.kernel.org/stable/c/4cd8d755c7d4f515dd9abf483316aca2f1b7b0f3"},{"url":"https://git.kernel.org/stable/c/db81ad20fd8aef7cc7d536c52ee5ea4c1f979128"},{"url":"https://git.kernel.org/stable/c/1aa7e40ee850c9053e769957ce6541173891204d"},{"url":"https://git.kernel.org/stable/c/60e6489f8e3b086bd1130ad4450a2c112e863791"},{"url":"https://mohandacherir.github.io/Qdiv7/posts/unix_new_gc/"}],"title":"af_unix: Initialise scc_index in unix_add_edge().","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2025-40214","datePublished":"2025-12-04T12:38:31.601Z","dateReserved":"2025-04-16T07:20:57.179Z","dateUpdated":"2026-06-12T08:31:42.408Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2025-12-04 13:15:48","lastModifiedDate":"2026-06-12 10:16:20","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2025","CveId":"40214","Ordinal":"1","Title":"af_unix: Initialise scc_index in unix_add_edge().","CVE":"CVE-2025-40214","Year":"2025"},"notes":[{"CveYear":"2025","CveId":"40214","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Initialise scc_index in unix_add_edge().\n\nQuang Le reported that the AF_UNIX GC could garbage-collect a\nreceive queue of an alive in-flight socket, with a nice repro.\n\nThe repro consists of three stages.\n\n  1)\n    1-a. Create a single cyclic reference with many sockets\n    1-b. close() all sockets\n    1-c. Trigger GC\n\n  2)\n    2-a. Pass sk-A to an embryo sk-B\n    2-b. Pass sk-X to sk-X\n    2-c. Trigger GC\n\n  3)\n    3-a. accept() the embryo sk-B\n    3-b. Pass sk-B to sk-C\n    3-c. close() the in-flight sk-A\n    3-d. Trigger GC\n\nAs of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices,\nand unix_walk_scc() groups them into two different SCCs:\n\n  unix_sk(sk-A)->vertex->scc_index = 2 (UNIX_VERTEX_INDEX_START)\n  unix_sk(sk-X)->vertex->scc_index = 3\n\nOnce GC completes, unix_graph_grouped is set to true.\nAlso, unix_graph_maybe_cyclic is set to true due to sk-X's\ncyclic self-reference, which makes close() trigger GC.\n\nAt 3-b, unix_add_edge() allocates unix_sk(sk-B)->vertex and\nlinks it to unix_unvisited_vertices.\n\nunix_update_graph() is called at 3-a. and 3-b., but neither\nunix_graph_grouped nor unix_graph_maybe_cyclic is changed\nbecause both sk-B's listener and sk-C are not in-flight.\n\n3-c decrements sk-A's file refcnt to 1.\n\nSince unix_graph_grouped is true at 3-d, unix_walk_scc_fast()\nis finally called and iterates 3 sockets sk-A, sk-B, and sk-X:\n\n  sk-A -> sk-B (-> sk-C)\n  sk-X -> sk-X\n\nThis is totally fine.  All of them are not yet close()d and\nshould be grouped into different SCCs.\n\nHowever, unix_vertex_dead() misjudges that sk-A and sk-B are\nin the same SCC and sk-A is dead.\n\n  unix_sk(sk-A)->scc_index == unix_sk(sk-B)->scc_index <-- Wrong!\n  &&\n  sk-A's file refcnt == unix_sk(sk-A)->vertex->out_degree\n                                       ^-- 1 in-flight count for sk-B\n  -> sk-A is dead !?\n\nThe problem is that unix_add_edge() does not initialise scc_index.\n\nStage 1) is used for heap spraying, making a newly allocated\nvertex have vertex->scc_index == 2 (UNIX_VERTEX_INDEX_START)\nset by unix_walk_scc() at 1-c.\n\nLet's track the max SCC index from the previous unix_walk_scc()\ncall and assign the max + 1 to a new vertex's scc_index.\n\nThis way, we can continue to avoid Tarjan's algorithm while\npreventing misjudgments.","Type":"Description","Title":"af_unix: Initialise scc_index in unix_add_edge()."}]}}}