CVE-2025-38724 in Linux
Summary
by MITRE • 09/04/2025
In the Linux kernel, the following vulnerability has been resolved:
nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()
Lei Lu recently reported that nfsd4_setclientid_confirm() did not check the return value from get_client_locked(). a SETCLIENTID_CONFIRM could race with a confirmed client expiring and fail to get a reference. That could later lead to a UAF.
Fix this by getting a reference early in the case where there is an extant confirmed client. If that fails then treat it as if there were no confirmed client found at all.
In the case where the unconfirmed client is expiring, just fail and return the result from get_client_locked().
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 02/10/2026
The vulnerability identified as CVE-2025-38724 represents a critical race condition within the Linux kernel's Network File System daemon implementation, specifically affecting the nfsd4_setclientid_confirm() function. This flaw arises from inadequate error handling when managing client references during NFSv4 protocol operations, creating potential for use-after-free conditions that could be exploited by malicious actors. The vulnerability demonstrates a fundamental failure in resource management where the system does not properly validate the success of client reference acquisition before proceeding with subsequent operations.
The technical implementation flaw occurs when the nfsd4_setclientid_confirm() function fails to properly check the return value from the get_client_locked() call. This function is responsible for managing client state transitions in the NFSv4 server implementation, where clients must transition from unconfirmed to confirmed states during the SETCLIENTID_CONFIRM operation. When a race condition occurs between a SETCLIENTID_CONFIRM request and an existing confirmed client expiring, the get_client_locked() call may fail to acquire a proper reference to the client, leaving the system in an inconsistent state where subsequent operations might attempt to access freed memory locations. This represents a classic use-after-free vulnerability pattern that can lead to arbitrary code execution or system crashes.
The operational impact of this vulnerability extends beyond simple system instability to potentially enable remote code execution within the kernel space. Attackers could exploit this race condition by carefully timing their SETCLIENTID_CONFIRM requests to coincide with client expiration events, thereby triggering the failure path where the system attempts to use a freed client reference. The vulnerability affects systems running Linux kernels with NFSv4 server implementations, particularly those handling high volumes of concurrent client connections where race conditions are more likely to occur. This flaw directly relates to CWE-416, Use After Free, and CWE-362, Concurrent Execution using Shared Resource with Improper Synchronization, making it a serious security concern for network services.
The fix implemented addresses this vulnerability by ensuring proper reference management early in the confirmation process. When an existing confirmed client is present, the system now explicitly attempts to acquire a reference before proceeding with operations, and if this fails, it treats the scenario as if no confirmed client existed at all. This approach follows defensive programming principles and ensures that all resource access operations are properly validated. For cases where unconfirmed clients are expiring, the system simply fails and returns the result from get_client_locked(), maintaining consistency with the error handling patterns established in the kernel's networking subsystem. The solution aligns with ATT&CK technique T1059.003, Command and Scripting Interpreter: Windows Command Shell, in the context of kernel-level exploitation, though the specific implementation focuses on proper resource management rather than command execution. This remediation ensures that the NFSv4 server maintains proper synchronization between client state transitions and reference counting, preventing the race condition that led to the vulnerability. The fix demonstrates adherence to proper kernel security practices by ensuring that all operations on shared resources are protected by appropriate locking mechanisms and that error conditions are handled gracefully without leaving the system in an inconsistent state.