CVE-2025-22025

MEDIUM · EPSS 7.3%
Published Apr 16, 2025 · Last Modified Jun 17, 2026
CVSS 3.1: 5.5 (Medium)

Description

In the Linux kernel, the following vulnerability has been resolved:

nfsd: put dl_stid if fail to queue dl_recall

Before calling nfsd4_run_cb to queue dl_recall to the callback_wq, we increment the reference count of dl_stid. We expect that after the corresponding work_struct is processed, the reference count of dl_stid will be decremented through the callback function nfsd4_cb_recall_release.

However, if the call to nfsd4_run_cb fails, the incremented reference count of dl_stid will not be decremented correspondingly, leading to the following nfs4_stid leak:

    unreferenced object 0xffff88812067b578 (size 344):
      comm "nfsd", pid 2761, jiffies 4295044002 (age 5541.241s)
      hex dump (first 32 bytes):
        01 00 00 00 6b 6b 6b 6b b8 02 c0 e2 81 88 ff ff  ....kkkk........
        00 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 ad 4e ad de  .kkkkkkk.....N..
      backtrace:
        kmem_cache_alloc+0x4b9/0x700
        nfsd4_process_open1+0x34/0x300
        nfsd4_open+0x2d1/0x9d0
        nfsd4_proc_compound+0x7a2/0xe30
        nfsd_dispatch+0x241/0x3e0
        svc_process_common+0x5d3/0xcc0
        svc_process+0x2a3/0x320
        nfsd+0x180/0x2e0
        kthread+0x199/0x1d0
        ret_from_fork+0x30/0x50
        ret_from_fork_asm+0x1b/0x30
    unreferenced object 0xffff8881499f4d28 (size 368):
      comm "nfsd", pid 2761, jiffies 4295044005 (age 5541.239s)
      hex dump (first 32 bytes):
        01 00 00 00 00 00 00 00 30 4d 9f 49 81 88 ff ff  ........0M.I....
        30 4d 9f 49 81 88 ff ff 20 00 00 00 01 00 00 00  0M.I.... .......
      backtrace:
        kmem_cache_alloc+0x4b9/0x700
        nfs4_alloc_stid+0x29/0x210
        alloc_init_deleg+0x92/0x2e0
        nfs4_set_delegation+0x284/0xc00
        nfs4_open_delegation+0x216/0x3f0
        nfsd4_process_open2+0x2b3/0xee0
        nfsd4_open+0x770/0x9d0
        nfsd4_proc_compound+0x7a2/0xe30
        nfsd_dispatch+0x241/0x3e0
        svc_process_common+0x5d3/0xcc0
        svc_process+0x2a3/0x320
        nfsd+0x180/0x2e0
        kthread+0x199/0x1d0
        ret_from_fork+0x30/0x50
        ret_from_fork_asm+0x1b/0x30

Fix it by checking the result of nfsd4_run_cb and call nfs4_put_stid if fail to queue dl_recall.
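
The reference-count pattern described above, as a simplified userspace model added here; it is not the kernel source or the upstream patch. The names struct stid, run_cb, recall_unfixed, recall_fixed and freed_after_recall are hypothetical stand-ins for nfs4_stid, nfsd4_run_cb and the recall path.

```c
/* Userspace model of the leak and its fix; hypothetical names, not kernel code. */
#include <stdbool.h>
#include <stdio.h>

struct stid { int refs; bool freed; };      /* stands in for nfs4_stid */

static void stid_get(struct stid *s) { s->refs++; }
static void stid_put(struct stid *s)        /* stands in for nfs4_put_stid */
{
    if (--s->refs == 0)
        s->freed = true;
}

/* Stands in for nfsd4_run_cb: returns false when the work was not queued,
 * in which case the release callback never runs. */
static bool run_cb(bool queue_ok, bool *pending)
{
    *pending = queue_ok;
    return queue_ok;
}

/* Before the fix: the extra reference is dropped only by the release
 * callback, so a failed queue leaves it behind. */
static void recall_unfixed(struct stid *s, bool queue_ok, bool *pending)
{
    stid_get(s);
    run_cb(queue_ok, pending);
}

/* After the fix: check the result and put the reference on failure. */
static void recall_fixed(struct stid *s, bool queue_ok, bool *pending)
{
    stid_get(s);
    if (!run_cb(queue_ok, pending))
        stid_put(s);
}

/* One recall, then the owner's final put; true = freed, false = leaked. */
static bool freed_after_recall(bool fixed, bool queue_ok)
{
    struct stid s = { .refs = 1, .freed = false };
    bool pending = false;

    if (fixed) recall_fixed(&s, queue_ok, &pending);
    else       recall_unfixed(&s, queue_ok, &pending);
    if (pending)
        stid_put(&s);   /* release callback (models nfsd4_cb_recall_release) */
    stid_put(&s);       /* owner drops its own reference */
    return s.freed;
}

int main(void)
{
    printf("unfixed, queue fails: %s\n", freed_after_recall(false, false) ? "freed" : "leaked");
    printf("fixed,   queue fails: %s\n", freed_after_recall(true, false) ? "freed" : "leaked");
    return 0;
}
```
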

CVSS Details

Base Score: 5.5
Exploitability: 1.8
Impact: 3.6
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Threat Intelligence

EPSS Exploit Probability
7.3% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-401

Affected Products 7

Vendor  Product       Version  Range
linux   linux_kernel  *        <5.10.236
linux   linux_kernel  *        ≥5.11 – <5.15.180
linux   linux_kernel  *        ≥5.16 – <6.1.134
linux   linux_kernel  *        ≥6.2 – <6.6.87
linux   linux_kernel  *        ≥6.7 – <6.12.23
linux   linux_kernel  *        ≥6.13 – <6.13.11
linux   linux_kernel  *        ≥6.14 – <6.14.2

References 10

  • git.kernel.org https://git.kernel.org/stable/c/133f5e2a37ce08c82d24e8fba65e0a81deae4609
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/230ca758453c63bd38e4d9f4a21db698f7abada8
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/63b91c8ff4589f5263873b24c052447a28e10ef7
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9a81cde8c7ce65dd90fb47ceea93a45fc1a2fbd1
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b874cdef4e67e5150e07eff0eae1cbb21fb92da1
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/cad3479b63661a399c9df1d0b759e1806e2df3c8
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/cdb796137c57e68ca34518d53be53b679351eb86
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d96587cc93ec369031bcd7658c6adc719873c9fd
    Patch
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html
