CVE-2025-38232 in Linux

Summary

by MITRE • 07/04/2025

In the Linux kernel, the following vulnerability has been resolved:

NFSD: fix race between nfsd registration and exports_proc

As of now nfsd calls create_proc_exports_entry() at start of init_nfsd and cleanup by remove_proc_entry() at last of exit_nfsd.

Which causes a kernel OOPs if there is a race between the two operations below:
(i) exportfs -r
(ii) mount -t nfsd none /proc/fs/nfsd

for 5.4 kernel ARM64:

CPU 1:
el1_irq+0xbc/0x180
arch_counter_get_cntvct+0x14/0x18
running_clock+0xc/0x18
preempt_count_add+0x88/0x110
prep_new_page+0xb0/0x220
get_page_from_freelist+0x2d8/0x1778
__alloc_pages_nodemask+0x15c/0xef0
__vmalloc_node_range+0x28c/0x478
__vmalloc_node_flags_caller+0x8c/0xb0
kvmalloc_node+0x88/0xe0
nfsd_init_net+0x6c/0x108 [nfsd]
ops_init+0x44/0x170
register_pernet_operations+0x114/0x270
register_pernet_subsys+0x34/0x50
init_nfsd+0xa8/0x718 [nfsd]
do_one_initcall+0x54/0x2e0

CPU 2: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010

PC is at: exports_net_open+0x50/0x68 [nfsd]

Call trace:
exports_net_open+0x50/0x68 [nfsd]
exports_proc_open+0x2c/0x38 [nfsd]
proc_reg_open+0xb8/0x198
do_dentry_open+0x1c4/0x418
vfs_open+0x38/0x48
path_openat+0x28c/0xf18
do_filp_open+0x70/0xe8
do_sys_open+0x154/0x248

Sometimes it crashes at exports_net_open() and sometimes cache_seq_next_rcu().

The same is happening on the latest 6.14 kernel as well:

[ 0.000000] Linux version 6.14.0-rc5-next-20250304-dirty
... [ 285.455918] Unable to handle kernel paging request at virtual address 00001f4800001f48
... [ 285.464902] pc : cache_seq_next_rcu+0x78/0xa4
... [ 285.469695] Call trace:
[ 285.470083] cache_seq_next_rcu+0x78/0xa4 (P)
[ 285.470488] seq_read+0xe0/0x11c
[ 285.470675] proc_reg_read+0x9c/0xf0
[ 285.470874] vfs_read+0xc4/0x2fc
[ 285.471057] ksys_read+0x6c/0xf4
[ 285.471231] __arm64_sys_read+0x1c/0x28
[ 285.471428] invoke_syscall+0x44/0x100
[ 285.471633] el0_svc_common.constprop.0+0x40/0xe0
[ 285.471870] do_el0_svc_compat+0x1c/0x34
[ 285.472073] el0_svc_compat+0x2c/0x80
[ 285.472265] el0t_32_sync_handler+0x90/0x140
[ 285.472473] el0t_32_sync+0x19c/0x1a0
[ 285.472887] Code: f9400885 93407c23 937d7c27 11000421 (f86378a3)
[ 285.473422] ---[ end trace 0000000000000000 ]---

It reproduces simply with the script below:

while [ 1 ]
do
    /exportfs -r
done &

while [ 1 ]
do
    insmod /nfsd.ko
    mount -t nfsd none /proc/fs/nfsd
    umount /proc/fs/nfsd
    rmmod nfsd
done &

So exporting interfaces to user space shall be done last, and cleanup of them first.

With this change there is no kernel OOPs.


Analysis

by VulDB Data Team • 12/14/2025

The vulnerability described in CVE-2025-38232 represents a race condition within the Linux kernel's Network File System Daemon (NFSD) implementation that leads to kernel oops and potential system instability. This issue occurs specifically during the initialization and cleanup phases of the NFSD service when managing the /proc/fs/nfsd export interface. The root cause stems from improper ordering of operations during the registration and removal of proc entries, creating a window where concurrent access to the nfsd exports interface can result in null pointer dereferences and memory access violations. The vulnerability manifests when the kernel's NFSD subsystem attempts to create and manage proc entries while simultaneously handling user-space operations through exportfs and mount commands targeting the nfsd proc filesystem.

The technical flaw occurs due to a lack of proper synchronization between the initialization sequence of nfsd and the registration of proc entries in the kernel's proc filesystem. During the start of init_nfsd, create_proc_exports_entry() is called to establish the exports interface, but this process can race with user-space operations that attempt to access the same interface through mount -t nfsd commands. The race condition is particularly evident when exportfs -r operations occur concurrently with nfsd module loading and unloading cycles, creating a scenario where the proc entry structure may be partially initialized or already freed while concurrent access attempts occur. This timing issue results in NULL pointer dereferences at specific kernel addresses, with crashes occurring either in exports_net_open() or cache_seq_next_rcu() functions, both of which are part of the NFSD's proc filesystem interface implementation.

The operational impact of this vulnerability extends beyond simple kernel oops, potentially leading to system crashes and service disruption in environments heavily reliant on NFS functionality. Attackers could exploit this race condition to cause denial of service conditions by repeatedly triggering the conflicting operations, effectively exhausting system resources or causing the kernel to panic. The vulnerability affects both kernel versions 5.4 and 6.14, indicating it has persisted across multiple kernel releases and likely impacts a wide range of Linux distributions. This type of race condition is particularly concerning in production environments where NFS services are critical for file sharing and storage operations, as it could allow malicious users or attackers to destabilize the system through carefully crafted concurrent access patterns.

The vulnerability aligns with CWE-362, which describes race conditions in concurrent programming, and maps to ATT&CK technique T1499.004, which covers network denial of service attacks. The fix for this vulnerability involves reordering the registration and cleanup operations to ensure that proc interface creation occurs only after all necessary initialization is complete and that cleanup operations are performed before any further registration attempts. This proper ordering prevents the scenario where user-space operations can access partially initialized or already destroyed proc entries, thereby eliminating the null pointer dereference conditions. The solution implements a more robust synchronization mechanism that ensures the nfsd exports interface is fully established before allowing concurrent access, and properly cleans up before allowing new initialization cycles to begin. This fix addresses the fundamental ordering issue that allowed the race condition to occur and prevents the kernel from crashing during concurrent access patterns that previously triggered the vulnerability.
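The commit message and the analysis above both reduce the fix to one ordering rule: publish the user-space interface (the /proc/fs/nfsd/exports entry) only after the per-net state it depends on exists, and remove it before that state is torn down. The following added example is a constructed user-space model of that rule, not kernel code and not the NFSD project's own; the names nfsd_net_model, proc_entry_model, exports_open_model and the *_model step functions are assumptions standing in for nfsd_init_net(), create_proc_exports_entry(), remove_proc_entry() and exports_net_open(). It runs one load/unload cycle in the pre-fix order and one in the post-fix order, probing the state after every step with a simulated open() to count the windows in which the real kernel would have dereferenced NULL.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the init_nfsd/exit_nfsd ordering problem; none of this
 * is kernel code. Two resources stand in for the real ones:
 *   nfsd_net      - per-net state that register_pernet_subsys() allocates via
 *                   nfsd_init_net() and that exports_net_open() needs
 *   exports_entry - the /proc/fs/nfsd/exports entry created by
 *                   create_proc_exports_entry() and removed by remove_proc_entry()
 */
struct nfsd_net_model { int export_cache_ready; };
struct proc_entry_model { const char *name; };

static struct nfsd_net_model *nfsd_net;         /* NULL until pernet ops are registered */
static struct proc_entry_model *exports_entry;  /* NULL while the proc file is absent */

/* Stand-in for exports_net_open(): user space opening /proc/fs/nfsd/exports.
 *   -ENOENT: the file does not exist, so open(2) fails cleanly.
 *   -EFAULT: the file exists but the per-net state it needs does not; this is
 *            the window in which the real kernel dereferenced NULL and oopsed.
 */
static int exports_open_model(void)
{
    if (!exports_entry)
        return -ENOENT;
    if (!nfsd_net || !nfsd_net->export_cache_ready)
        return -EFAULT;
    return 0;
}

/* The four init/exit steps, each as an independent function so that they can
 * be sequenced in either order. */
static void register_pernet_model(void)
{
    nfsd_net = calloc(1, sizeof *nfsd_net);
    nfsd_net->export_cache_ready = 1;
}
static void unregister_pernet_model(void)
{
    free(nfsd_net);
    nfsd_net = NULL;
}
static void create_proc_exports_model(void)
{
    exports_entry = calloc(1, sizeof *exports_entry);
    exports_entry->name = "/proc/fs/nfsd/exports";
}
static void remove_proc_exports_model(void)
{
    free(exports_entry);
    exports_entry = NULL;
}

typedef void (*step_fn)(void);

/* Runs one module load/unload cycle and, after every step, lets a "concurrent"
 * open() probe the state (the worst-case interleaving of the reproducer's two
 * loops). Returns the number of probes that would have oopsed. */
static int run_cycle(const step_fn *steps, int nsteps)
{
    int oops_windows = 0;
    for (int i = 0; i < nsteps; i++) {
        steps[i]();
        if (exports_open_model() == -EFAULT)
            oops_windows++;
    }
    return oops_windows;
}

/* Ordering before the fix: proc entry published first, torn down last. */
int oops_windows_before_fix(void)
{
    const step_fn cycle[] = {
        create_proc_exports_model, register_pernet_model,    /* init_nfsd */
        unregister_pernet_model, remove_proc_exports_model,  /* exit_nfsd */
    };
    return run_cycle(cycle, 4);
}

/* Ordering after the fix: publish to user space last, unpublish first. */
int oops_windows_after_fix(void)
{
    const step_fn cycle[] = {
        register_pernet_model, create_proc_exports_model,    /* init_nfsd */
        remove_proc_exports_model, unregister_pernet_model,  /* exit_nfsd */
    };
    return run_cycle(cycle, 4);
}

int main(void)
{
    printf("oops windows before fix: %d\n", oops_windows_before_fix());
    printf("oops windows after fix:  %d\n", oops_windows_after_fix());
    return 0;
}
```

The pre-fix order exposes two windows per cycle (the entry exists before nfsd_init_net() has run, and again after the per-net state is freed but before the entry is removed); the post-fix order exposes none, because every probe that finds the file also finds its backing state, and every probe made while the state is absent simply fails with ENOENT. That is the whole content of the fix: no lock was added, only the publish/unpublish steps were moved to the ends of the sequence.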

Responsible

Linux

Reservation

04/16/2025

Disclosure

07/04/2025

Moderation

accepted

CPE

ready

EPSS

0.00130

KEV

no

Activities

very low
