CVE-2025-38566 (GCVE-0-2025-38566)
Vulnerability from cvelistv5
Published: 2025-08-19 17:02
Modified: 2025-08-19 17:02
Summary
In the Linux kernel, the following vulnerability has been resolved:

sunrpc: fix handling of server side tls alerts

Scott Mayhew discovered a security exploit in NFS over TLS in tls_alert_recv() due to its assumption it can read data from the msg iterator's kvec.

kTLS implementation splits TLS non-data record payload between the control message buffer (which includes the type such as TLS alert or TLS cipher change) and the rest of the payload (say TLS alert's level/description) which goes into the msg payload buffer.

This patch proposes to rework how control messages are set up and used by sock_recvmsg().

If no control message structure is set up, kTLS layer will read and process TLS data record types. As soon as it encounters a TLS control message, it would return an error. At that point, NFS can set up a kvec backed msg buffer and read in the control message such as a TLS alert. Msg iterator can advance the kvec pointer as a part of the copy process, thus we need to revert the iterator before calling into tls_alert_recv().
Impacted products
Vendor   Product   Version
Linux    Linux     5e052dda121e2870dd87181783da4a95d7d2927b (git commit)
Linux    Linux     6.4


{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sunrpc/svcsock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b1df394621710b312f0393e3f240fdac0764f968",
              "status": "affected",
              "version": "5e052dda121e2870dd87181783da4a95d7d2927b",
              "versionType": "git"
            },
            {
              "lessThan": "25bb3647d30a20486b5fe7cff2b0e503c16c9692",
              "status": "affected",
              "version": "5e052dda121e2870dd87181783da4a95d7d2927b",
              "versionType": "git"
            },
            {
              "lessThan": "3b549da875414989f480b66835d514be80a0bd9c",
              "status": "affected",
              "version": "5e052dda121e2870dd87181783da4a95d7d2927b",
              "versionType": "git"
            },
            {
              "lessThan": "6b33c31cc788073bfbed9297e1f4486ed73d87da",
              "status": "affected",
              "version": "5e052dda121e2870dd87181783da4a95d7d2927b",
              "versionType": "git"
            },
            {
              "lessThan": "bee47cb026e762841f3faece47b51f985e215edb",
              "status": "affected",
              "version": "5e052dda121e2870dd87181783da4a95d7d2927b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sunrpc/svcsock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.102",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17-rc2",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.102",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17-rc2",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsunrpc: fix handling of server side tls alerts\n\nScott Mayhew discovered a security exploit in NFS over TLS in\ntls_alert_recv() due to its assumption it can read data from\nthe msg iterator\u0027s kvec..\n\nkTLS implementation splits TLS non-data record payload between\nthe control message buffer (which includes the type such as TLS\naler or TLS cipher change) and the rest of the payload (say TLS\nalert\u0027s level/description) which goes into the msg payload buffer.\n\nThis patch proposes to rework how control messages are setup and\nused by sock_recvmsg().\n\nIf no control message structure is setup, kTLS layer will read and\nprocess TLS data record types. As soon as it encounters a TLS control\nmessage, it would return an error. At that point, NFS can setup a\nkvec backed msg buffer and read in the control message such as a\nTLS alert. Msg iterator can advance the kvec pointer as a part of\nthe copy process thus we need to revert the iterator before calling\ninto the tls_alert_recv."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-19T17:02:42.506Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b1df394621710b312f0393e3f240fdac0764f968"
        },
        {
          "url": "https://git.kernel.org/stable/c/25bb3647d30a20486b5fe7cff2b0e503c16c9692"
        },
        {
          "url": "https://git.kernel.org/stable/c/3b549da875414989f480b66835d514be80a0bd9c"
        },
        {
          "url": "https://git.kernel.org/stable/c/6b33c31cc788073bfbed9297e1f4486ed73d87da"
        },
        {
          "url": "https://git.kernel.org/stable/c/bee47cb026e762841f3faece47b51f985e215edb"
        }
      ],
      "title": "sunrpc: fix handling of server side tls alerts",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38566",
    "datePublished": "2025-08-19T17:02:42.506Z",
    "dateReserved": "2025-04-16T04:51:24.025Z",
    "dateUpdated": "2025-08-19T17:02:42.506Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-38566\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-08-19T17:15:33.230\",\"lastModified\":\"2025-08-20T14:40:17.713\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsunrpc: fix handling of server side tls alerts\\n\\nScott Mayhew discovered a security exploit in NFS over TLS in\\ntls_alert_recv() due to its assumption it can read data from\\nthe msg iterator\u0027s kvec..\\n\\nkTLS implementation splits TLS non-data record payload between\\nthe control message buffer (which includes the type such as TLS\\naler or TLS cipher change) and the rest of the payload (say TLS\\nalert\u0027s level/description) which goes into the msg payload buffer.\\n\\nThis patch proposes to rework how control messages are setup and\\nused by sock_recvmsg().\\n\\nIf no control message structure is setup, kTLS layer will read and\\nprocess TLS data record types. As soon as it encounters a TLS control\\nmessage, it would return an error. At that point, NFS can setup a\\nkvec backed msg buffer and read in the control message such as a\\nTLS alert. Msg iterator can advance the kvec pointer as a part of\\nthe copy process thus we need to revert the iterator before calling\\ninto the tls_alert_recv.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: sunrpc: correcci\u00f3n del manejo de las alertas tls del lado del servidor Scott Mayhew descubri\u00f3 un exploit de seguridad en NFS sobre TLS en tls_alert_recv() debido a su suposici\u00f3n de que puede leer datos del kvec del iterador msg. La implementaci\u00f3n de kTLS divide el payload del registro no de datos de TLS entre el b\u00fafer de mensajes de control (que incluye el tipo como la alerta TLS o el cambio de cifrado TLS) y el resto del payload (por ejemplo, el nivel/descripci\u00f3n de la alerta TLS) que va al b\u00fafer de payload msg. Este parche propone volver a trabajar c\u00f3mo se configuran y utilizan los mensajes de control por sock_recvmsg(). Si no se configura ninguna estructura de mensaje de control, la capa kTLS leer\u00e1 y procesar\u00e1 los tipos de registros de datos TLS. Tan pronto como encuentre un mensaje de control TLS, devolver\u00e1 un error. En ese punto, NFS puede configurar un b\u00fafer de mensajes respaldado por kvec y leer el mensaje de control como una alerta TLS. El iterador Msg puede avanzar el puntero kvec como parte del proceso de copia, por lo tanto, debemos revertir el iterador antes de llamar a tls_alert_recv.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/25bb3647d30a20486b5fe7cff2b0e503c16c9692\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/3b549da875414989f480b66835d514be80a0bd9c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6b33c31cc788073bfbed9297e1f4486ed73d87da\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b1df394621710b312f0393e3f240fdac0764f968\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/bee47cb026e762841f3faece47b51f985e215edb\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}

