Message-ID: <CAG=tWCQOnWd+7OBpc6RciWTeZbB91=sWSpANRhZOZY9PG-Lgow@mail.gmail.com>
Date: Wed, 2 Jul 2025 17:41:42 +0800
From: tianshuo han <hantianshuo233@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-38089: Linux kernel: NFS server remote DoS via NULL pointer dereference

Hello,

A security vulnerability in the Linux kernel SUNRPC subsystem has been assigned CVE-2025-38089. This issue allows a remote attacker to trigger a kernel crash (NULL pointer dereference) by sending a specially crafted RPC request to an affected NFS server.

Details:

- CVE: CVE-2025-38089
- Subsystem: NFS/SUNRPC
- Impact: Remote Denial of Service (kernel crash)
- Affected versions: Mainline Linux kernel since commit 29cd2927fb914cc53b5ba4f67d2b74695c994ba4 up to and including versions before the fix
- Fixed in: Upstream commit 94d10a4dba0bc482f2b01e39f06d5513d0f75742

Description:

A remote attacker can cause a NULL pointer dereference and crash the kernel by sending a specially crafted RPC request to a vulnerable NFS server. The vulnerability is due to improper handling of the `rqstp->rq_accept_statp` pointer, which may remain NULL and be dereferenced in error handling code paths. In some cases, this could also result in a use-after-free.

Reproducer:

A public proof-of-concept (PoC) is available at: https://github.com/keymaker-arch/NFSundown

Timeline:

- Reported to Linux kernel community: 2025-06-16
- Patch merged upstream: 2025-06-22
- CVE assigned and public: 2025-06-30

Best regards,
Tianshuo Han
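To check a kernel git tree against the two commits named in the message above, the following is an added example and not part of the original post or of any kernel tooling. The function names and output labels are this example's own, and it assumes a non-shallow clone and the stable-tree convention of citing the upstream hash in backport commit messages.

```shell
#!/bin/sh
# Added example, not from the advisory: function names and output labels are
# this example's own. The two commit ids are the ones quoted in the advisory.
INTRODUCED=29cd2927fb914cc53b5ba4f67d2b74695c994ba4
FIXED=94d10a4dba0bc482f2b01e39f06d5513d0f75742

# has_commit REPO REV COMMIT
# True if COMMIT is an ancestor of REV, or if a commit reachable from REV cites
# COMMIT's full hash in its message. Stable-tree backports get new hashes and
# conventionally cite the upstream one, so ancestry alone would miss them.
has_commit() {
    if git -C "$1" cat-file -e "$3^{commit}" 2>/dev/null &&
       git -C "$1" merge-base --is-ancestor "$3" "$2" 2>/dev/null; then
        return 0
    fi
    [ -n "$(git -C "$1" log -1 --format=%H --fixed-strings --grep="$3" "$2" 2>/dev/null)" ]
}

# cve_2025_38089_state REPO [REV [INTRODUCED [FIXED]]]
# Prints one of: fixed, affected, not-affected, unknown.
cve_2025_38089_state() {
    repo=$1 rev=${2:-HEAD} intro=${3:-$INTRODUCED} fix=${4:-$FIXED}
    # Unknown revision, or not a git repository at all.
    if ! git -C "$repo" rev-parse --verify --quiet "$rev^{commit}" >/dev/null 2>&1; then
        echo unknown; return 0
    fi
    # A shallow clone lacks the history needed to decide either way.
    if [ "$(git -C "$repo" rev-parse --is-shallow-repository 2>/dev/null)" = true ]; then
        echo unknown; return 0
    fi
    if has_commit "$repo" "$rev" "$fix"; then echo fixed
    elif has_commit "$repo" "$rev" "$intro"; then echo affected
    else echo not-affected
    fi
}

# Usage: sh check.sh /path/to/linux [revision]
if [ "$#" -gt 0 ]; then cve_2025_38089_state "$@"; fi
```

A `fixed` result that comes from a cited hash also matches a later revert of the fix, so confirm it by reading the matching commit with `git log`. Distribution kernels shipped without git history need the vendor's own advisory instead.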