CVE-2025-22025 in Linux
Summary
by MITRE • 04/16/2025
In the Linux kernel, the following vulnerability has been resolved:
nfsd: put dl_stid if fail to queue dl_recall
Before calling nfsd4_run_cb to queue dl_recall to the callback_wq, we increment the reference count of dl_stid. We expect that after the corresponding work_struct is processed, the reference count of dl_stid will be decremented through the callback function nfsd4_cb_recall_release. However, if the call to nfsd4_run_cb fails, the incremented reference count of dl_stid will not be decremented correspondingly, leading to the following nfs4_stid leak:

unreferenced object 0xffff88812067b578 (size 344):
  comm "nfsd", pid 2761, jiffies 4295044002 (age 5541.241s)
  hex dump (first 32 bytes):
    01 00 00 00 6b 6b 6b 6b b8 02 c0 e2 81 88 ff ff  ....kkkk........
    00 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 ad 4e ad de  .kkkkkkk.....N..
  backtrace:
    kmem_cache_alloc+0x4b9/0x700
    nfsd4_process_open1+0x34/0x300
    nfsd4_open+0x2d1/0x9d0
    nfsd4_proc_compound+0x7a2/0xe30
    nfsd_dispatch+0x241/0x3e0
    svc_process_common+0x5d3/0xcc0
    svc_process+0x2a3/0x320
    nfsd+0x180/0x2e0
    kthread+0x199/0x1d0
    ret_from_fork+0x30/0x50
    ret_from_fork_asm+0x1b/0x30
unreferenced object 0xffff8881499f4d28 (size 368):
  comm "nfsd", pid 2761, jiffies 4295044005 (age 5541.239s)
  hex dump (first 32 bytes):
    01 00 00 00 00 00 00 00 30 4d 9f 49 81 88 ff ff  ........0M.I....
    30 4d 9f 49 81 88 ff ff 20 00 00 00 01 00 00 00  0M.I.... .......
  backtrace:
    kmem_cache_alloc+0x4b9/0x700
    nfs4_alloc_stid+0x29/0x210
    alloc_init_deleg+0x92/0x2e0
    nfs4_set_delegation+0x284/0xc00
    nfs4_open_delegation+0x216/0x3f0
    nfsd4_process_open2+0x2b3/0xee0
    nfsd4_open+0x770/0x9d0
    nfsd4_proc_compound+0x7a2/0xe30
    nfsd_dispatch+0x241/0x3e0
    svc_process_common+0x5d3/0xcc0
    svc_process+0x2a3/0x320
    nfsd+0x180/0x2e0
    kthread+0x199/0x1d0
    ret_from_fork+0x30/0x50
    ret_from_fork_asm+0x1b/0x30

Fix it by checking the result of nfsd4_run_cb and calling nfs4_put_stid if queueing dl_recall fails.
Analysis
by VulDB Data Team • 03/16/2026
The vulnerability described in CVE-2025-22025 affects the Linux kernel's Network File System version 4 daemon implementation, specifically the nfsd subsystem. The issue is a memory leak that occurs while handling delegation recalls in NFSv4 operations: the kernel attempts to queue a delegation recall callback but, when that fails, does not correctly manage the reference count of the associated state identifier, leaving unreferenced objects allocated in memory. The vulnerability directly affects the nfsd service, which handles NFSv4 requests and manages client-server communication for file operations.
The technical root cause stems from improper reference count management in the delegation recall mechanism. When processing delegation operations, the kernel increments the reference count of a delegation state identifier (dl_stid) before attempting to queue a recall callback using nfsd4_run_cb. However, if this callback queuing operation fails, the reference count is never decremented, resulting in a memory leak. This pattern violates standard memory management practices and creates a persistent resource leak that accumulates over time. The vulnerability is particularly concerning because it affects core kernel memory management structures and can lead to progressive memory exhaustion, especially under sustained NFS load conditions.
The operational impact of this vulnerability extends beyond simple memory consumption, potentially affecting system stability and performance. As the memory leak accumulates, the system may experience degraded performance, increased memory pressure, and eventually resource exhaustion that could impact other services. The leaked objects represent state identifiers for NFSv4 delegations, which are critical for maintaining client-server state consistency. Attackers could potentially exploit this leak to cause denial of service conditions by triggering repeated allocation failures, though the direct attack surface is limited to scenarios involving NFS delegation operations. The vulnerability demonstrates a classic memory management error where proper cleanup routines are not executed on failure paths, creating a persistent resource leak.
The implemented fix addresses the core issue by checking the result of the nfsd4_run_cb call. When that function fails to queue the delegation recall, the kernel now calls nfs4_put_stid to decrement the reference count and release the associated memory. This remediation follows established best practices for error handling in kernel space, ensuring that allocated resources are cleaned up on both the success and the failure path. The solution aligns with common software engineering principles for resource management and follows the principle of least privilege in kernel operations. The fix is minimal and targeted, touching only the specific path where the leak occurs without altering broader functionality, which reduces the risk of introducing new issues while resolving the memory leak. The vulnerability can be classified under CWE-401 as "Improper Release of Memory Before Removing Last Reference" and relates to techniques described in the ATT&CK framework under privilege escalation and resource exhaustion attack patterns.
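The reference-count pattern described in the commit message and in the analysis above, as an added illustrative model written for this page (it is not the kernel's code and not VulDB's). The struct, the refcount helpers, the workqueue stand-in and the leftover_refs harness are all simplified assumptions; nfsd4_run_cb is modelled as returning true when the work was queued and false when it was not, with the release hook running synchronously instead of from callback_wq. The buggy and fixed recall functions reproduce the before/after shape of the fix so the leak can be measured directly.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of an nfs4_stid: a reference count plus a flag that
 * records whether the last reference freed it (assumption, not kernel code). */
struct nfs4_stid {
    int refcount;    /* stands in for refcount_t sc_count */
    bool freed;
};

/* Stands in for refcount_inc(&stid->sc_count) */
static void nfs4_get_stid(struct nfs4_stid *s) { s->refcount++; }

/* Stands in for nfs4_put_stid(): drop one reference, free on the last one */
static void nfs4_put_stid(struct nfs4_stid *s) {
    if (--s->refcount == 0)
        s->freed = true;
}

/* Models the workqueue refusing the work (queue_work() returning false),
 * in which case the callback and its release hook never run. */
static bool queue_should_fail;

/* Release hook that normally balances the reference taken before queueing */
static void nfsd4_cb_recall_release(struct nfs4_stid *s) { nfs4_put_stid(s); }

/* Stand-in for nfsd4_run_cb(): true if queued, false if not (assumption).
 * The release hook runs synchronously here instead of later from callback_wq. */
static bool nfsd4_run_cb(struct nfs4_stid *s) {
    if (queue_should_fail)
        return false;
    nfsd4_cb_recall_release(s);
    return true;
}

/* Buggy shape: take a reference, queue, ignore the result.
 * On a queueing failure the extra reference is never dropped. */
static int recall_buggy(struct nfs4_stid *s) {
    nfs4_get_stid(s);
    (void)nfsd4_run_cb(s);   /* result dropped: reference leaks on failure */
    return s->refcount;
}

/* Fixed shape: drop the reference ourselves when queueing fails */
static int recall_fixed(struct nfs4_stid *s) {
    nfs4_get_stid(s);
    if (!nfsd4_run_cb(s))
        nfs4_put_stid(s);
    return s->refcount;
}

/* Run one scenario on a fresh stid held by a single owner and report how
 * many references remain after that owner drops its own: 0 means the
 * object was freed, anything else is a leaked reference. */
static int leftover_refs(int (*recall)(struct nfs4_stid *), bool fail_queue) {
    struct nfs4_stid s = { .refcount = 1, .freed = false };
    queue_should_fail = fail_queue;
    recall(&s);
    nfs4_put_stid(&s);   /* the owner's original reference */
    return s.refcount;
}

int main(void) {
    printf("buggy, queue ok:   %d refs left\n", leftover_refs(recall_buggy, false));
    printf("buggy, queue fail: %d refs left\n", leftover_refs(recall_buggy, true));
    printf("fixed, queue fail: %d refs left\n", leftover_refs(recall_fixed, true));
    return 0;
}
```

Running the model shows the buggy path leaves one reference behind whenever queueing fails, so the object is never freed, while the fixed path brings the count back to zero on both outcomes; in a real kernel the kmemleak report quoted in the commit message is the symptom of that leftover reference accumulating.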