Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAG=tWCQOnWd+7OBpc6RciWTeZbB91=sWSpANRhZOZY9PG-Lgow@mail.gmail.com>
Date: Wed, 2 Jul 2025 17:41:42 +0800
From: tianshuo han <hantianshuo233@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-38089: Linux kernel: NFS server remote DoS via NULL pointer dereference

Hello,

A security vulnerability in the Linux kernel SUNRPC subsystem has been
assigned CVE-2025-38089. This issue allows a remote attacker to
trigger a kernel crash (NULL pointer dereference) by sending a
specially crafted RPC request to an affected NFS server.

Details:
- CVE: CVE-2025-38089
- Subsystem: NFS/SUNRPC
- Impact: Remote Denial of Service (kernel crash)
- Affected versions: Mainline Linux kernel since commit
29cd2927fb914cc53b5ba4f67d2b74695c994ba4 up to and including versions
before the fix
- Fixed in: Upstream commit 94d10a4dba0bc482f2b01e39f06d5513d0f75742

Description:
A remote attacker can cause a NULL pointer dereference and crash the
kernel by sending a specially crafted RPC request to a vulnerable NFS
server. The vulnerability is due to improper handling of the
`rqstp->rq_accept_statp` pointer, which may remain NULL and be
dereferenced in error handling code paths. In some cases, this could
also result in a use-after-free.

Reproducer:
A public proof-of-concept (PoC) is available at:
https://github.com/keymaker-arch/NFSundown

Timeline:
- Reported to Linux kernel community: 2025-06-16
- Patch merged upstream: 2025-06-22
- CVE assigned and public: 2025-06-30

Best regards,
Tianshuo Han

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.