CVE-2025-40210 (GCVE-0-2025-40210)
Vulnerability from cvelistv5
Published: 2025-11-21 10:21
Modified: 2025-11-21 10:21
Severity: no score provided
Summary
In the Linux kernel, the following vulnerability has been resolved:

Revert "NFSD: Remove the cap on number of operations per NFSv4 COMPOUND"

I've found that pynfs COMP6 now leaves the connection or lease in a strange state, which causes CLOSE9 to hang indefinitely. I've dug into it a little, but I haven't been able to root-cause it yet. However, I bisected to commit 48aab1606fa8 ("NFSD: Remove the cap on number of operations per NFSv4 COMPOUND").

Tianshuo Han also reports a potential vulnerability when decoding an NFSv4 COMPOUND. An attacker can place an arbitrarily large op count in the COMPOUND header, which results in:

[   51.410584] nfsd: vmalloc error: size 1209533382144, exceeds total pages, mode:0xdc0(GFP_KERNEL|__GFP_ZERO), nodemask=(null),cpuset=/,mems_allowed=0

when NFSD attempts to allocate the COMPOUND op array.

Let's restore the operation-per-COMPOUND limit, but increased to 200 for now.
Impacted products
Vendor: Linux
Product: Linux
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (base version for both affected git ranges listed in the record below)


{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/nfsd/nfs4proc.c",
            "fs/nfsd/nfs4state.c",
            "fs/nfsd/nfs4xdr.c",
            "fs/nfsd/nfsd.h",
            "fs/nfsd/xdr4.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b3ee7ce432289deac87b9d14e01f2fe6958f7f0b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "3e7f011c255582d7c914133785bbba1990441713",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/nfsd/nfs4proc.c",
            "fs/nfsd/nfs4state.c",
            "fs/nfsd/nfs4xdr.c",
            "fs/nfsd/nfsd.h",
            "fs/nfsd/xdr4.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18-rc4",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18-rc4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"NFSD: Remove the cap on number of operations per NFSv4 COMPOUND\"\n\nI\u0027ve found that pynfs COMP6 now leaves the connection or lease in a\nstrange state, which causes CLOSE9 to hang indefinitely. I\u0027ve dug\ninto it a little, but I haven\u0027t been able to root-cause it yet.\nHowever, I bisected to commit 48aab1606fa8 (\"NFSD: Remove the cap on\nnumber of operations per NFSv4 COMPOUND\").\n\nTianshuo Han also reports a potential vulnerability when decoding\nan NFSv4 COMPOUND. An attacker can place an arbitrarily large op\ncount in the COMPOUND header, which results in:\n\n[   51.410584] nfsd: vmalloc error: size 1209533382144, exceeds total\npages, mode:0xdc0(GFP_KERNEL|__GFP_ZERO),\nnodemask=(null),cpuset=/,mems_allowed=0\n\nwhen NFSD attempts to allocate the COMPOUND op array.\n\nLet\u0027s restore the operation-per-COMPOUND limit, but increased to 200\nfor now."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-21T10:21:35.540Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b3ee7ce432289deac87b9d14e01f2fe6958f7f0b"
        },
        {
          "url": "https://git.kernel.org/stable/c/3e7f011c255582d7c914133785bbba1990441713"
        }
      ],
      "title": "Revert \"NFSD: Remove the cap on number of operations per NFSv4 COMPOUND\"",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40210",
    "datePublished": "2025-11-21T10:21:35.540Z",
    "dateReserved": "2025-04-16T07:20:57.179Z",
    "dateUpdated": "2025-11-21T10:21:35.540Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-40210\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-11-21T11:15:49.110\",\"lastModified\":\"2025-11-21T11:15:49.110\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nRevert \\\"NFSD: Remove the cap on number of operations per NFSv4 COMPOUND\\\"\\n\\nI\u0027ve found that pynfs COMP6 now leaves the connection or lease in a\\nstrange state, which causes CLOSE9 to hang indefinitely. I\u0027ve dug\\ninto it a little, but I haven\u0027t been able to root-cause it yet.\\nHowever, I bisected to commit 48aab1606fa8 (\\\"NFSD: Remove the cap on\\nnumber of operations per NFSv4 COMPOUND\\\").\\n\\nTianshuo Han also reports a potential vulnerability when decoding\\nan NFSv4 COMPOUND. An attacker can place an arbitrarily large op\\ncount in the COMPOUND header, which results in:\\n\\n[   51.410584] nfsd: vmalloc error: size 1209533382144, exceeds total\\npages, mode:0xdc0(GFP_KERNEL|__GFP_ZERO),\\nnodemask=(null),cpuset=/,mems_allowed=0\\n\\nwhen NFSD attempts to allocate the COMPOUND op array.\\n\\nLet\u0027s restore the operation-per-COMPOUND limit, but increased to 200\\nfor now.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/3e7f011c255582d7c914133785bbba1990441713\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b3ee7ce432289deac87b9d14e01f2fe6958f7f0b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}

