CVE-2025-38724
HIGHLinux Kernel - Use-After-Free in nfsd4_setclientid_confirm
Title source: llmDescription
In the Linux kernel, the following vulnerability has been resolved: nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() Lei Lu recently reported that nfsd4_setclientid_confirm() did not check the return value from get_client_locked(). a SETCLIENTID_CONFIRM could race with a confirmed client expiring and fail to get a reference. That could later lead to a UAF. Fix this by getting a reference early in the case where there is an extant confirmed client. If that fails then treat it as if there were no confirmed client found at all. In the case where the unconfirmed client is expiring, just fail and return the result from get_client_locked().
References (13)
Core 13
Core References
Third Party Advisory, Mailing List
https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
Third Party Advisory, Mailing List
https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html
Vendor Advisory
https://cert-portal.siemens.com/productcert/html/ssa-032379.html
Vendor Advisory
https://cert-portal.siemens.com/productcert/html/ssa-082556.html
Scores
CVSS v3
7.8
EPSS
0.0003
EPSS Percentile
7.5%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-416
Status
published
Products (30)
debian/debian_linux
11.0
linux/Kernel
3.17.0 - 5.4.297linux
linux/Kernel
5.11.0 - 5.15.190linux
linux/Kernel
5.16.0 - 6.1.149linux
linux/Kernel
5.5.0 - 5.10.241linux
linux/Kernel
6.13.0 - 6.15.11linux
linux/Kernel
6.16.0 - 6.16.2linux
linux/Kernel
6.2.0 - 6.6.103linux
linux/Kernel
6.7.0 - 6.12.43linux
Linux/Linux
< 3.17
... and 20 more
Published
Sep 04, 2025
Tracked Since
Feb 18, 2026