CVE-2025-38567 in Linuxinfo

Summary

by MITRE • 08/19/2025

In the Linux kernel, the following vulnerability has been resolved:

nfsd: avoid ref leak in nfsd_open_local_fh()

If two calls to nfsd_open_local_fh() race and both successfully call nfsd_file_acquire_local(), they will both get an extra reference to the net to accompany the file reference stored in *pnf.

One of them will fail to store (using xchg()) the file reference in *pnf and will drop that reference but WON'T drop the accompanying reference to the net. This leak means that when the nfs server is shut down it will hang in nfsd_shutdown_net() waiting for &nn->nfsd_net_free_done.

This patch adds the missing nfsd_net_put().

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 12/15/2025

The vulnerability CVE-2025-38567 represents a reference counting issue within the Linux kernel's NFS server implementation that can lead to resource leaks and potential system instability. This flaw specifically affects the nfsd_open_local_fh() function which is responsible for handling local file handle operations in the Network File System daemon. The issue manifests when concurrent operations attempt to access the same file handle simultaneously, creating a race condition that results in improper reference management. The vulnerability is classified under CWE-404 as an improper resource management issue, specifically involving reference counting errors that can cause memory leaks and resource exhaustion.

The technical flaw occurs at the intersection of concurrent execution and resource management within the NFS daemon's internal state handling. When two or more threads execute nfsd_open_local_fh() simultaneously and both successfully acquire local file references through nfsd_file_acquire_local(), the race condition causes one of the operations to fail in properly storing the file reference in the target pointer. While the failed operation correctly drops its own file reference, it fails to release the accompanying network reference that was acquired during the process. This creates a dangling reference to the network structure that persists beyond the normal lifecycle of the NFS service.

The operational impact of this vulnerability extends beyond simple resource leakage to potentially cause complete system hangs during NFS service shutdown operations. When the NFS server attempts to terminate its network services through nfsd_shutdown_net(), it waits indefinitely for the nn->nfsd_net_free_done synchronization primitive. This occurs because the leaked network reference prevents the proper cleanup of the network structure, causing the shutdown process to stall indefinitely. The vulnerability essentially creates a deadlock scenario that can render the NFS service unresponsive and potentially affect overall system stability, particularly in environments where NFS services are heavily utilized.

Mitigation strategies for CVE-2025-38567 involve implementing proper reference counting mechanisms and ensuring that all acquired resources are properly released regardless of execution paths. The patch addresses this by adding the missing nfsd_net_put() call that ensures network references are properly decremented even when file reference storage operations fail. This fix aligns with ATT&CK technique T1490 which involves resource exhaustion attacks, as the vulnerability could be exploited to exhaust system resources through sustained concurrent access patterns. Organizations should prioritize applying the kernel patch immediately, while also implementing monitoring for abnormal NFS service behavior and resource consumption patterns that could indicate the presence of this vulnerability in unpatched systems.

Responsible

Linux

Reservation

04/16/2025

Disclosure

08/19/2025

Moderation

accepted

CPE

ready

EPSS

0.00103

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!