CVE-2025-21749

net: rose: lock the socket in rose_bind()

Description

In the Linux kernel, the following vulnerability has been resolved: net: rose: lock the socket in rose_bind() syzbot reported a soft lockup in rose_loopback_timer(), with a repro calling bind() from multiple threads. rose_bind() must lock the socket to avoid this issue.

Category

5.5
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.03%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/b8bf5c3fb778bbb1f3ff7d98ec577c969f687513
https://git.kernel.org/stable/c/ed00c5f907d08a647b8bf987514ad8c6b17971a7
https://git.kernel.org/stable/c/d308661a0f4e7c8e86dfc7074a55ee5894c61538
https://git.kernel.org/stable/c/667f61b3498df751c8b3f0be1637e7226cbe3ed0 patch
https://git.kernel.org/stable/c/e0384efd45f615603e6869205b72040c209e69cc patch
https://git.kernel.org/stable/c/970cd2ed26cdab2b0f15b6d90d7eaa36538244a5 patch
https://git.kernel.org/stable/c/4c04b0ab3a647e76d0e752b013de8e404abafc63 patch
https://git.kernel.org/stable/c/a1300691aed9ee852b0a9192e29e2bdc2411a7e6 patch

Frequently Asked Questions

What is the severity of CVE-2025-21749?
CVE-2025-21749 has been scored as a medium severity vulnerability.
How to fix CVE-2025-21749?
To fix CVE-2025-21749, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-21749 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-21749 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-21749?
CVE-2025-21749 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.