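CVE-2025-38089: Analysis of a remote denial-of-service vulnerability in the Linux kernel NFS server via NULL pointer dereference
The Linux kernel SUNRPC subsystem contains the vulnerability CVE-2025-38089, which allows a remote attacker to trigger a kernel crash (NULL pointer dereference) with a specially crafted RPC request. It affects NFS server versions from a specific commit up to the versions before the fix. It has been fixed and publicly disclosed. 2025-7-2 13:7:0 Author: seclists.org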


From: tianshuo han <hantianshuo233 () gmail com>
Date: Wed, 2 Jul 2025 17:41:42 +0800

Hello,

A security vulnerability in the Linux kernel SUNRPC subsystem has been
assigned CVE-2025-38089. This issue allows a remote attacker to
trigger a kernel crash (NULL pointer dereference) by sending a
specially crafted RPC request to an affected NFS server.

Details:
- CVE: CVE-2025-38089
- Subsystem: NFS/SUNRPC
- Impact: Remote Denial of Service (kernel crash)
- Affected versions: Mainline Linux kernel since commit
29cd2927fb914cc53b5ba4f67d2b74695c994ba4 up to and including versions
before the fix
- Fixed in: Upstream commit 94d10a4dba0bc482f2b01e39f06d5513d0f75742

Description:
A remote attacker can cause a NULL pointer dereference and crash the
kernel by sending a specially crafted RPC request to a vulnerable NFS
server. The vulnerability is due to improper handling of the
`rqstp->rq_accept_statp` pointer, which may remain NULL and be
dereferenced in error handling code paths. In some cases, this could
also result in a use-after-free.

Reproducer:
A public proof-of-concept (PoC) is available at:
https://github.com/keymaker-arch/NFSundown

Timeline:
- Reported to Linux kernel community: 2025-06-16
- Patch merged upstream: 2025-06-22
- CVE assigned and public: 2025-06-30

Best regards,
Tianshuo Han
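
The affected range above is given as two upstream commits, so a kernel git tree can be classified by checking which of them it contains. The following is an added example, not part of the original post or of the kernel project: the function names are hypothetical, and it assumes that backported trees name the upstream commit id in the backport's commit message.

```shell
#!/bin/sh
# Added example: classify a kernel git tree against CVE-2025-38089.
# The two commit ids are the ones given in the advisory; the environment
# overrides exist only so the logic can be exercised on a test repository.
INTRODUCED="${INTRODUCED:-29cd2927fb914cc53b5ba4f67d2b74695c994ba4}"
FIXED="${FIXED:-94d10a4dba0bc482f2b01e39f06d5513d0f75742}"

# has_commit REPO REV SHA
# True if SHA is an ancestor of REV, or if a commit reachable from REV names
# SHA in its message (assumption: backports reference the upstream commit id).
has_commit() {
    repo=$1 rev=$2 sha=$3
    if git -C "$repo" merge-base --is-ancestor "$sha" "$rev" 2>/dev/null; then
        return 0
    fi
    [ -n "$(git -C "$repo" log -1 --format=%H --fixed-strings \
            --grep="$sha" "$rev" 2>/dev/null)" ]
}

# classify_tree REPO [REV]
# Prints one of: not-affected, vulnerable, fixed, unknown.
classify_tree() {
    repo=$1 rev=${2:-HEAD}
    if ! git -C "$repo" rev-parse --verify --quiet "$rev^{commit}" >/dev/null; then
        echo "unknown"
        return 2
    fi
    if ! has_commit "$repo" "$rev" "$INTRODUCED"; then
        echo "not-affected"      # introducing commit absent from this history
    elif has_commit "$repo" "$rev" "$FIXED"; then
        echo "fixed"             # fix merged or backported
    else
        echo "vulnerable"        # introducing commit present, fix missing
    fi
}
```

Call `classify_tree <repo> [rev]` on a full-history clone; in a shallow clone the introducing commit may not be reachable, which would wrongly report `not-affected`.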


Source: https://seclists.org/oss-sec/2025/q3/3