CVE-2025-40248
Description
In the Linux kernel, the following vulnerability has been resolved: vsock: Ignore signal/timeout on connect() if already established During connect(), acting on a signal/timeout by disconnecting an already established socket leads to several issues: 1. connect() invoking vsock_transport_cancel_pkt() -> virtio_transport_purge_skbs() may race with sendmsg() invoking virtio_transport_get_credit(). This results in a permanently elevated `vvs->bytes_unsent`. Which, in turn, confuses the SOCK_LINGER handling. 2. connect() resetting a connected socket's state may race with socket being placed in a sockmap. A disconnected socket remaining in a sockmap breaks sockmap's assumptions. And gives rise to WARNs. 3. connect() transitioning SS_CONNECTED -> SS_UNCONNECTED allows for a transport change/drop after TCP_ESTABLISHED. Which poses a problem for any simultaneous sendmsg() or connect() and may result in a use-after-free/null-ptr-deref. Do not disconnect socket on signal/timeout. Keep the logic for unconnected sockets: they don't linger, can't be placed in a sockmap, are rejected by sendmsg(). [1]: https://lore.kernel.org/netdev/e07fd95c-9a38-4eea-9638-133e38c2ec9b@rbox.co/ [2]: https://lore.kernel.org/netdev/20250317-vsock-trans-signal-race-v4-0-fc8837f3f1d4@rbox.co/ [3]: https://lore.kernel.org/netdev/60f1b7db-3099-4f6a-875e-af9f6ef194f6@rbox.co/
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: alma — https://errata.almalinux.org/9/ALSA-2026-1143.html
Vendor advisory: alma — https://bugzilla.redhat.com/2422840
Vendor advisory: alma — https://bugzilla.redhat.com/2422836
Vendor advisory: alma — https://bugzilla.redhat.com/2419891
Vendor advisory: alma — https://bugzilla.redhat.com/2418876
Vendor advisory: alma — https://bugzilla.redhat.com/2393488
Vendor advisory: alma — https://bugzilla.redhat.com/2381870
Vendor advisory: alma — https://bugzilla.redhat.com/2376052
Vendor advisory: alma — https://errata.almalinux.org/8/ALSA-2026-1148.html
Vendor advisory: alma — https://access.redhat.com/errata/RHSA-2026:1148
Vendor advisory: alma — https://errata.almalinux.org/8/ALSA-2026-1142.html
Vendor advisory: alma — https://bugzilla.redhat.com/2419954
Vendor advisory: alma — https://bugzilla.redhat.com/2418872
Vendor advisory: alma — https://bugzilla.redhat.com/2414494
Vendor advisory: alma — https://bugzilla.redhat.com/2402193
Vendor advisory: alma — https://access.redhat.com/errata/RHSA-2026:1142
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2025-40248
Vendor advisory: rocky — https://errata.rockylinux.org/RLSA-2026:1143
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2025-40248.html
Vendor advisory: redhat — https://access.redhat.com/errata/RHSA-2026:3987
Vendor advisory: redhat — https://access.redhat.com/errata/RHSA-2026:1143
Vendor advisory: rocky — https://errata.rockylinux.org/RLSA-2026:1142
Vendor advisory: rocky — https://errata.rockylinux.org/RLSA-2026:1148
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| rocky | 8 | fixed | |
| rhel | 9 | fixed | |
| sles | affected | | |
| rocky | 9 | fixed | |
| debian | bookworm | fixed | 6.1.159-1 |
| debian | bullseye | fixed | 5.10.247-1 |
| debian | forky | fixed | 6.17.10-1 |
| debian | sid | fixed | 6.17.10-1 |
| debian | trixie | fixed | 6.12.63-1 |
References
- https://errata.rockylinux.org/RLSA-2026:1148
- https://errata.rockylinux.org/RLSA-2026:1142
- https://access.redhat.com/errata/RHSA-2026:1143
- https://access.redhat.com/errata/RHSA-2026:3987
- https://www.suse.com/security/cve/CVE-2025-40248.html
- https://errata.rockylinux.org/RLSA-2026:1143
- https://security-tracker.debian.org/tracker/CVE-2025-40248
- https://access.redhat.com/errata/RHSA-2026:1142
- https://bugzilla.redhat.com/2402193
- https://bugzilla.redhat.com/2414494
- https://bugzilla.redhat.com/2418872
- https://bugzilla.redhat.com/2419954
- https://errata.almalinux.org/8/ALSA-2026-1142.html
- https://access.redhat.com/errata/RHSA-2026:1148
- https://errata.almalinux.org/8/ALSA-2026-1148.html
- https://bugzilla.redhat.com/2376052
- https://bugzilla.redhat.com/2381870
- https://bugzilla.redhat.com/2393488
- https://bugzilla.redhat.com/2418876
- https://bugzilla.redhat.com/2419891
- https://bugzilla.redhat.com/2422836
- https://bugzilla.redhat.com/2422840
- https://errata.almalinux.org/9/ALSA-2026-1143.html
Verify integrity in audit chain (admin only). AS-IS.