Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the Linux kernel's virtual socket (vsock) implementation. It arises because socket bindings are not properly managed during transport reassignment. The vulnerability occurs in the vsock_create function, where the reference count of a socket is improperly handled, leading to a memory safety issue: when the socket is released, it can still be accessed after being freed, potentially causing undefined behavior or exploitation.
Exploitation of this vulnerability leads to a use-after-free condition, which can be leveraged to execute arbitrary code or cause a denial-of-service by crashing the system.
The vulnerability can be reproduced by creating a vsock socket, binding it to a specific context ID and port, and then triggering a transport reassignment. This process can be automated with a script that manages the socket lifecycle and manipulates the reference counts, ultimately exploiting the use-after-free condition to execute arbitrary code.