Message-ID: <CAG=tWCQOnWd+7OBpc6RciWTeZbB91=sWSpANRhZOZY9PG-Lgow@mail.gmail.com>
Date: Wed, 2 Jul 2025 17:41:42 +0800
From: tianshuo han <hantianshuo233@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-38089: Linux kernel: NFS server remote DoS via NULL pointer dereference

Hello,

A security vulnerability in the Linux kernel SUNRPC subsystem has been
assigned CVE-2025-38089. This issue allows a remote attacker to
trigger a kernel crash (NULL pointer dereference) by sending a
specially crafted RPC request to an affected NFS server.

Details:
- CVE: CVE-2025-38089
- Subsystem: NFS/SUNRPC
- Impact: Remote Denial of Service (kernel crash)
- Affected versions: mainline Linux kernels that contain commit
29cd2927fb914cc53b5ba4f67d2b74695c994ba4 and do not yet contain the fix
below
- Fixed in: Upstream commit 94d10a4dba0bc482f2b01e39f06d5513d0f75742

Description:
A remote attacker can cause a NULL pointer dereference and crash the
kernel by sending a specially crafted RPC request to a vulnerable NFS
server. The vulnerability is due to improper handling of the
`rqstp->rq_accept_statp` pointer, which may remain NULL and be
dereferenced in error handling code paths. In some cases, this could
also result in a use-after-free.
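As an added illustration of the bug class described above (this is not the kernel's SUNRPC code and not the reporter's PoC): an accept-status pointer that is assigned only on the well-formed path of a credential check, a shared error path that writes through it unconditionally, and a hardened dispatcher that gives the pointer a valid target before anything can fail. All names (sim_rqst, sim_accept, SVC_GARBAGE, the four-byte credential layout, the one-byte "crafted" request) are stand-ins chosen for this example; the real code paths are more involved.

```c
/* Added illustration of a NULL accept-status pointer in an RPC error path.
 * Not kernel code: sim_rqst, sim_accept, SVC_GARBAGE and the credential
 * layout are simplified stand-ins chosen for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { SVC_OK = 0, SVC_DENIED = 1, SVC_GARBAGE = 2 };
enum { ACCEPT_SUCCESS = 0, ACCEPT_AUTH_ERROR = 1 };

/* Minimal request: incoming credential bytes, the reply words being built,
 * and a pointer to the reply word that will carry the accept status. */
struct sim_rqst {
    const uint8_t *cred;
    size_t cred_len;
    uint32_t reply[4];
    uint32_t *rq_accept_statp;   /* NULL until some step points it at reply[] */
};

struct sim_result {
    int rc;           /* SVC_* value returned by the dispatcher */
    uint32_t status;  /* accept status left in reply[1] */
};

static void sim_rqst_init(struct sim_rqst *r, const uint8_t *cred, size_t len) {
    r->cred = cred;
    r->cred_len = len;
    for (int i = 0; i < 4; i++) r->reply[i] = 0xffffffffu;  /* "unwritten" marker */
    r->rq_accept_statp = NULL;
}

/* Credential check (constructed). A well-formed credential is four bytes
 * whose first byte is the flavor 0x01. A truncated credential is rejected
 * as garbage *before* the accept-status pointer is set; that ordering is
 * the flaw this example exists to show. */
static int sim_accept(struct sim_rqst *r) {
    if (r->cred_len < 4)
        return SVC_GARBAGE;                 /* early out: rq_accept_statp untouched */
    r->rq_accept_statp = &r->reply[1];      /* only reached for well-sized input */
    if (r->cred[0] != 0x01) {
        *r->rq_accept_statp = ACCEPT_AUTH_ERROR;
        return SVC_DENIED;
    }
    *r->rq_accept_statp = ACCEPT_SUCCESS;
    return SVC_OK;
}

/* Unfixed dispatcher: the shared error path writes through the pointer
 * without checking it. For SVC_GARBAGE that pointer is still NULL. */
static int dispatch_unfixed(struct sim_rqst *r) {
    int rc = sim_accept(r);
    if (rc != SVC_OK)
        *r->rq_accept_statp = ACCEPT_AUTH_ERROR;   /* NULL deref on garbage */
    return rc;
}

/* Reports, without crashing, whether dispatch_unfixed would dereference a
 * NULL rq_accept_statp for this credential: runs the same accept step and
 * inspects the pointer at the point the error path would write through it. */
static int unfixed_would_deref_null(const uint8_t *cred, size_t len) {
    struct sim_rqst r;
    sim_rqst_init(&r, cred, len);
    int rc = sim_accept(&r);
    return rc != SVC_OK && r.rq_accept_statp == NULL;
}

/* Hardened dispatcher: give the status pointer a valid target before any
 * step that can fail, and still refuse to write through NULL. */
static int dispatch_fixed(struct sim_rqst *r) {
    r->rq_accept_statp = &r->reply[1];
    int rc = sim_accept(r);
    if (rc != SVC_OK && r->rq_accept_statp != NULL)
        *r->rq_accept_statp = ACCEPT_AUTH_ERROR;
    return rc;
}

/* Run one dispatcher on a fresh request and collect what it left behind. */
static struct sim_result run(int (*dispatch)(struct sim_rqst *),
                             const uint8_t *cred, size_t len) {
    struct sim_rqst r;
    sim_rqst_init(&r, cred, len);
    struct sim_result res;
    res.rc = dispatch(&r);
    res.status = r.reply[1];
    return res;
}

int main(void) {
    static const uint8_t good[4] = {0x01, 0, 0, 0};        /* constructed inputs */
    static const uint8_t bad_flavor[4] = {0x02, 0, 0, 0};
    static const uint8_t truncated[1] = {0x01};           /* the "crafted" request */
    struct sim_result g = run(dispatch_unfixed, good, sizeof good);
    struct sim_result b = run(dispatch_unfixed, bad_flavor, sizeof bad_flavor);
    struct sim_result t = run(dispatch_fixed, truncated, sizeof truncated);
    printf("good/unfixed:      rc=%d status=%u\n", g.rc, g.status);
    printf("bad flavor/unfixed: rc=%d status=%u\n", b.rc, b.status);
    printf("truncated/unfixed would NULL-deref: %d\n",
           unfixed_would_deref_null(truncated, sizeof truncated));
    printf("truncated/fixed:   rc=%d status=%u\n", t.rc, t.status);
    return 0;
}
```

The point to take from the fixed variant is not the extra NULL check but the ordering: every error path that writes a status needs the status slot to exist before the first step that can fail, otherwise the earliest rejection (here the garbage case) is exactly the one that crashes.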

Reproducer:
A public proof-of-concept (PoC) is available at:
https://github.com/keymaker-arch/NFSundown

Timeline:
- Reported to Linux kernel community: 2025-06-16
- Patch merged upstream: 2025-06-22
- CVE assigned and public: 2025-06-30

Best regards,
Tianshuo Han
