PT-2025-16749 · Linux+3 · Linux Kernel+3

Published: 2025-03-24 · Updated: 2026-05-26 · CVE-2025-22109

CVSS v3.1: 5.5 (Medium)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Linux kernel versions prior to the fixed version

Description

A memory leak has been identified in the ax25 module of the Linux kernel. Binding an AX25 socket through the autobind feature leads to memory leaks in ax25_connect() and refcount leaks in ax25_release(). The issue was detected using kmemleak and reported by Syzkaller. The autobind feature has been removed because it was considered broken and prone to various memory bugs. As a result, calling connect() without first binding the socket now results in an error.

Recommendations

For Linux kernel versions prior to the fixed version, consider updating to a newer version that includes the fix for this issue. As a temporary workaround, consider disabling the autobind feature for AX25 sockets to prevent memory leaks. Restrict access to the ax25_connect() function to minimize the risk of exploitation. Avoid calling connect() without first binding the socket, to prevent errors.

Exploit

Fix

Memory Leak

Weakness Enumeration

Related Identifiers

AZL-62531
AZL-69599
BDU:2026-04371
CVE-2025-22109
ECHO-B189-3741-A0BF
OESA-2025-1594
OESA-2025-1595
OPENSUSE-SU-2025_01614-1
OPENSUSE-SU-2025_01707-1
SUSE-SU-2025:01614-1
SUSE-SU-2025:01707-1
SUSE-SU-2025:01919-1
SUSE-SU-2025:01951-1
SUSE-SU-2025:01964-1
SUSE-SU-2025:01967-1
SUSE-SU-2025:01972-1
SUSE-SU-2025:20343-1
SUSE-SU-2025:20344-1
SUSE-SU-2025:20354-1
SUSE-SU-2025:20355-1
SUSE-SU-2025_01614-1
SUSE-SU-2025_01707-1
SUSE-SU-2025_01951-1
SUSE-SU-2025_01964-1
SUSE-SU-2025_01967-1
SUSE-SU-2025_01972-1
USN-7594-1
USN-7594-2
USN-7594-3

Affected Products

Debian
Linux Kernel
Suse
Ubuntu