CVE-2025-40212
BaseFortify

Publication date: 2025-11-24

Last updated on: 2025-11-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

nfsd: fix refcount leak in nfsd_set_fh_dentry()

nfsd exports a "pseudo root filesystem" which is used by NFSv4 to find the various exported filesystems using LOOKUP requests from a known root filehandle. NFSv3 uses the MOUNT protocol to find those exported filesystems and so is not given access to the pseudo root filesystem.

If a v3 (or v2) client uses a filehandle from that filesystem, nfsd_set_fh_dentry() will report an error, but still stores the export in "struct svc_fh" even though it also drops the reference (exp_put()). This means that when fh_put() is called an extra reference will be dropped which can lead to use-after-free and possible denial of service.

Normal NFS usage will not provide a pseudo-root filehandle to a v3 client. This bug can only be triggered by the client synthesising an incorrect filehandle.

To fix this we move the assignments to the svc_fh later, after all possible error cases have been detected.
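The ordering mistake described above, modelled as an added example that is not the kernel's code: a small refcounted "export" is stored in the handle before the version check in the buggy variant and only after it in the fixed one, and a simulated request followed by fh_put() shows the buggy ordering dropping one reference too many. The struct names, set_fh_dentry_buggy(), set_fh_dentry_fixed() and simulate() are simplified stand-ins chosen for this example; exp_put() and fh_put() mirror the calls named in the description.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed stand-ins for the kernel's svc_export / svc_fh, not kernel code. */
struct export { int refcount; bool pseudo_root; };
struct svc_fh { struct export *fh_export; };   /* NULL until a lookup succeeds */

static struct export *exp_get(struct export *e) { e->refcount++; return e; }
static void exp_put(struct export *e) { e->refcount--; }

/* Per-request cleanup: drops whatever the handle still references. */
static void fh_put(struct svc_fh *fh)
{
    if (fh->fh_export) {
        exp_put(fh->fh_export);
        fh->fh_export = NULL;
    }
}

/* Buggy ordering: the export is stored in the handle before the version check,
 * so the error path drops the reference but leaves the pointer for fh_put(). */
static int set_fh_dentry_buggy(struct svc_fh *fh, struct export *exp, int vers)
{
    exp_get(exp);
    fh->fh_export = exp;              /* assigned before the check */
    if (vers < 4 && exp->pseudo_root) {
        exp_put(exp);                 /* reference dropped, pointer kept */
        return -1;
    }
    return 0;
}

/* Fixed ordering: assign to the handle only after every check has passed. */
static int set_fh_dentry_fixed(struct svc_fh *fh, struct export *exp, int vers)
{
    exp_get(exp);
    if (vers < 4 && exp->pseudo_root) {
        exp_put(exp);
        return -1;                    /* fh->fh_export is still NULL */
    }
    fh->fh_export = exp;
    return 0;
}

/* One request against a pseudo-root export; returns the refcount left afterwards:
 * 1 means balanced, 0 means one reference too many was dropped. */
static int simulate(int (*set_fn)(struct svc_fh *, struct export *, int), int vers)
{
    struct export pseudo = { .refcount = 1, .pseudo_root = true };
    struct svc_fh fh = { .fh_export = NULL };
    set_fn(&fh, &pseudo, vers);
    fh_put(&fh);
    return pseudo.refcount;
}
```

In the real kernel the dropped-to-zero export is freed, so the second exp_put() from fh_put() is the use-after-free the description refers to; here the toy counter simply underflows to 0.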
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-11-24
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: linux
Product: linux_kernel
Version / Range: *
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a refcount leak in the Linux kernel's nfsd component, specifically in the function nfsd_set_fh_dentry(). The nfsd exports a pseudo root filesystem used by NFSv4 clients to locate exported filesystems. NFSv3 clients do not have access to this pseudo root filesystem. However, if a v3 or v2 client uses a filehandle from the pseudo root filesystem, the function reports an error but still stores the export in a structure, leading to an extra reference being dropped later. This can cause a use-after-free condition and potentially a denial of service. The bug can only be triggered by a client synthesizing an incorrect filehandle, and normal NFS usage does not expose this issue. The fix involved moving assignments to occur only after all error cases are checked.

How can this vulnerability impact me?

This vulnerability can lead to a use-after-free condition in the Linux kernel's nfsd service, which may cause a denial of service (DoS). An attacker who crafts an incorrect filehandle could exploit this to crash the nfsd service or cause instability, potentially disrupting access to NFS-exported filesystems.
