CVE-2025-38089
BaseFortify

Publication date: 2025-06-30

Last updated on: 2025-11-19

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

sunrpc: handle SVC_GARBAGE during svc auth processing as auth error

Tianshuo Han reported a remotely-triggerable crash if the client sends a kernel RPC server a specially crafted packet. If decoding the RPC reply fails in such a way that SVC_GARBAGE is returned without setting the rq_accept_statp pointer, then that pointer can be dereferenced and a value stored there. If it's the first time the thread has processed an RPC, then that pointer will be set to NULL and the kernel will crash. In other cases, it could create a memory scribble.

The server sunrpc code treats a SVC_GARBAGE return from svc_authenticate or pg_authenticate as if it should send a GARBAGE_ARGS reply. RFC 5531 says that if authentication fails, the RPC should be rejected instead with a status of AUTH_ERR.

Handle a SVC_GARBAGE return as an AUTH_ERROR, with a reason of AUTH_BADCRED instead of returning GARBAGE_ARGS in that case. This sidesteps the whole problem of touching the rq_accept_statp pointer in this situation and avoids the crash.
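The control flow the description lays out, reduced to a small C model that is added here and is not the kernel's sunrpc code: an authenticator that reserves the accept-status slot only on success, a dispatcher that in its unfixed form turns a garbage result into a GARBAGE_ARGS reply (and so stores through a pointer that may still be NULL on a thread's first request), and the patched form that rejects with an auth error and never touches that slot. All type, function and constant names (struct rqst, authenticate, process_request, REPLY_WOULD_CRASH, the "at least 4 bytes" credential rule, the numeric codes) are hypothetical stand-ins chosen for the model; the NULL dereference itself is replaced by a returned status so the defect can be observed rather than crash the process.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified, hypothetical model of the control flow the CVE text describes.
 * None of these names or values are the kernel's own; only the shape matters. */

enum auth_result { AUTH_OK, AUTH_GARBAGE };

enum reply_status {
    REPLY_SUCCESS,
    REPLY_GARBAGE_ARGS,   /* what the unfixed server sent for a garbage auth result */
    REPLY_AUTH_ERROR,     /* what RFC 5531 calls for: reject with AUTH_ERR */
    REPLY_WOULD_CRASH     /* model-only: stands in for the NULL dereference (CWE-476) */
};

/* Model-only codes written into the reply buffer. */
#define ACCEPT_SUCCESS      0u
#define ACCEPT_GARBAGE_ARGS 4u
#define AUTH_BADCRED        1u

struct rqst {
    uint32_t reply_buf[4];
    uint32_t *accept_statp; /* slot for the accept status; NULL until auth reserves it */
    uint32_t auth_stat;     /* reason code carried by an AUTH_ERROR reply */
};

/* Authenticator: a well-formed credential (constructed rule: at least 4 bytes)
 * reserves the accept-status slot and succeeds; a malformed one bails out with
 * AUTH_GARBAGE *without* touching accept_statp, the condition the description names. */
static enum auth_result authenticate(struct rqst *rq, const uint8_t *msg, size_t len)
{
    (void)msg;
    if (len < 4)
        return AUTH_GARBAGE;
    rq->accept_statp = &rq->reply_buf[1];
    return AUTH_OK;
}

/* Dispatcher. fixed == 0 models the pre-patch behaviour, fixed != 0 the patched one. */
static enum reply_status process_request(struct rqst *rq, const uint8_t *msg, size_t len, int fixed)
{
    enum auth_result r = authenticate(rq, msg, len);

    if (r == AUTH_GARBAGE) {
        if (fixed) {
            /* Patched path: reject as an auth error with BADCRED. The accept-status
             * slot is never touched, so it does not matter whether it was set. */
            rq->auth_stat = AUTH_BADCRED;
            return REPLY_AUTH_ERROR;
        }
        /* Unfixed path: build a GARBAGE_ARGS reply, which stores through accept_statp.
         * On a thread's first request the pointer is still NULL; on later requests it
         * may be stale, so the store lands wherever it last pointed (the "scribble"). */
        if (rq->accept_statp == NULL)
            return REPLY_WOULD_CRASH;   /* the real code would dereference NULL here */
        *rq->accept_statp = ACCEPT_GARBAGE_ARGS;
        return REPLY_GARBAGE_ARGS;
    }

    *rq->accept_statp = ACCEPT_SUCCESS;
    return REPLY_SUCCESS;
}

/* Scenarios, each on a fresh request struct (accept_statp == NULL, as on a
 * thread's first RPC). Inputs are constructed for the model. */
static const uint8_t BAD_CRED[]  = { 0x01, 0x02 };      /* malformed: too short */
static const uint8_t GOOD_CRED[] = { 0x00, 0x00, 0x00, 0x00 };

static enum reply_status first_request_unfixed(void)
{
    struct rqst rq = {0};
    return process_request(&rq, BAD_CRED, sizeof BAD_CRED, 0);
}

static enum reply_status first_request_fixed(void)
{
    struct rqst rq = {0};
    return process_request(&rq, BAD_CRED, sizeof BAD_CRED, 1);
}

/* 1 if the patched path left the accept-status slot and reply buffer untouched
 * and recorded BADCRED as the reason. */
static int fixed_leaves_slot_untouched(void)
{
    struct rqst rq = {0};
    process_request(&rq, BAD_CRED, sizeof BAD_CRED, 1);
    return rq.accept_statp == NULL && rq.reply_buf[1] == 0 && rq.auth_stat == AUTH_BADCRED;
}

static enum reply_status well_formed_request(void)
{
    struct rqst rq = {0};
    return process_request(&rq, GOOD_CRED, sizeof GOOD_CRED, 1);
}
```

The point the model makes is the one the fix relies on: the patched dispatcher does not need to know whether the authenticator got far enough to set the slot, because the AUTH_ERROR path never writes through it.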
Meta Information
Published: 2025-06-30
Last Modified: 2025-11-19
Generated: 2026-05-07
AI Q&A: 2025-06-30
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products
Showing 12 associated CPEs; distinct version entries:

Vendor   Product        Version / Range
linux    linux_kernel   6.4
linux    linux_kernel   6.16
linux    linux_kernel   From 5.15.160 (inc) to 5.16 (inc)
Helpful Resources
CWE ID    Description
CWE-476   The product dereferences a pointer that it expects to be valid but is NULL.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in the Linux kernel's sunrpc subsystem occurs when a client sends a specially crafted packet to a kernel RPC server. If the server's RPC reply decoding fails and returns SVC_GARBAGE without properly setting a pointer (rq_accept_statp), the kernel may dereference a NULL pointer or corrupt memory, causing a crash or memory scribble. The issue arises because the server treats SVC_GARBAGE as a GARBAGE_ARGS reply, but according to RFC 5531, it should reject the RPC with an AUTH_ERR status. The fix changes the handling of SVC_GARBAGE to return an AUTH_ERROR instead, preventing the crash.


How can this vulnerability impact me?

This vulnerability can cause a remote crash of the Linux kernel RPC server or memory corruption, potentially leading to denial of service or instability on affected systems. An attacker could exploit this by sending specially crafted packets to trigger the crash or memory issues.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been resolved by handling SVC_GARBAGE returns as AUTH_ERROR with a reason of AUTH_BADCRED instead of returning GARBAGE_ARGS, which avoids kernel crashes. Immediate mitigation steps would include updating the Linux kernel to a version that includes this fix to prevent crashes caused by specially crafted RPC packets.

