CVE-2025-38430

MEDIUM

Linux Kernel - Denial of Service in NFSv4 Compound Request Handling

Title source: llm

Description

In the Linux kernel, the following vulnerability has been resolved: nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request If the request being processed is not a v4 compound request, then examining the cstate can have undefined results. This patch adds a check that the rpc procedure being executed (rq_procinfo) is the NFSPROC4_COMPOUND procedure.

References (11)

Core 11

Core References

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html

Patch

https://git.kernel.org/stable/c/bf78a2706ce975981eb5167f2d3b609eb5d24c19

Patch

https://git.kernel.org/stable/c/b1d0323a09a29f81572c7391e0d80d78724729c9

Patch

https://git.kernel.org/stable/c/425efc6b3292a3c79bfee4a1661cf043dcd9cf2f

Patch

https://git.kernel.org/stable/c/64a723b0281ecaa59d31aad73ef8e408a84cb603

Patch

https://git.kernel.org/stable/c/e7e943ddd1c6731812357a28e7954ade3a7d8517

Patch

https://git.kernel.org/stable/c/7a75a956692aa64211a9e95781af1ec461642de4

Patch

https://git.kernel.org/stable/c/2c54bd5a380ebf646fb9efbc4ae782ff3a83a5af

Patch

https://git.kernel.org/stable/c/1244f0b2c3cecd3f349a877006e67c9492b41807

Vendor Advisory

https://cert-portal.siemens.com/productcert/html/ssa-082556.html

Scores

CVSS v3 5.5

EPSS 0.0009

EPSS Percentile 25.0%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

Status published

Products (27)

debian/debian_linux 11.0

linux/Kernel 4.8.0 - 5.4.295linux

linux/Kernel 5.11.0 - 5.15.186linux

linux/Kernel 5.16.0 - 6.1.142linux

linux/Kernel 5.5.0 - 5.10.239linux

linux/Kernel 6.13.0 - 6.15.4linux

linux/Kernel 6.2.0 - 6.6.95linux

linux/Kernel 6.7.0 - 6.12.35linux

Linux/Linux < 4.8

Linux/Linux 4.8

... and 17 more

Published Jul 25, 2025

Tracked Since Feb 18, 2026