Linux Kernel Vulnerability in NFS Daemon Handling Client ID Confirmation
CVE-2025-38724

Currently unrated

Key Information:

Vendor

Linux

Status
Vendor
CVE Published:
4 September 2025

What is CVE-2025-38724?

The Linux kernel's NFS daemon (nfsd) has a flaw in how it handles client ID confirmation: the function nfsd4_setclientid_confirm() inadequately checks the result from get_client_locked(). This can allow a race between a SETCLIENTID_CONFIRM and the expiration of a confirmed client, potentially resulting in a use-after-free. The fix acquires a reference on the confirmed client early, when one exists; if that fails, the code proceeds as if no confirmed client were present. When an unconfirmed client is expiring, the function now fails and returns the result from get_client_locked() as intended.
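
The pattern described above, as an added example: a single-threaded user-space C model, not the kernel's code. The names model_client, model_get_client, confirm_unchecked and confirm_checked are hypothetical; only get_client_locked() and nfsd4_setclientid_confirm() come from the advisory text.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model with hypothetical names; not kernel source. */
enum model_status { MODEL_OK = 0, MODEL_EXPIRED = 1 };
struct model_client {
    int  rpc_users; /* references held by in-flight operations */
    bool expired;   /* set once the expiry path has claimed the client */
};

/* Stand-in for get_client_locked(): pin the client unless it is expiring. */
static enum model_status model_get_client(struct model_client *clp)
{
    if (clp->expired)
        return MODEL_EXPIRED;
    clp->rpc_users++;
    return MODEL_OK;
}

/* Unchecked shape: true means the caller goes on without a reference. */
static bool confirm_unchecked(struct model_client *conf)
{
    (void)model_get_client(conf); /* result ignored */
    return conf->rpc_users == 0;
}

/* Checked shape: a failed pin on conf means "no confirmed client"; a failed
 * pin on unconf fails the call. *used reports the usable confirmed client. */
static enum model_status confirm_checked(struct model_client *conf,
        struct model_client *unconf, struct model_client **used)
{
    *used = NULL;
    if (conf && model_get_client(conf) != MODEL_OK)
        conf = NULL;
    enum model_status status = model_get_client(unconf);
    if (status != MODEL_OK) {
        if (conf)
            conf->rpc_users--; /* model choice: drop the pin taken above */
        return status;
    }
    *used = conf;
    return MODEL_OK;
}

int main(void)
{
    struct model_client c = { 0, true }, u = { 0, false }, *used;
    printf("%d %d\n", confirm_unchecked(&c), confirm_checked(&c, &u, &used));
    return 0;
}
```

In the model, an expiring confirmed client makes the unchecked path continue with zero references held, while the checked path either drops the confirmed client from consideration or returns the failure status.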

Affected Version(s)

Linux d20c11d86d8f821a64eac7d6c8f296f06d935f4f < 3f252a73e81aa01660cb426735eab932e6182e8d

Linux d20c11d86d8f821a64eac7d6c8f296f06d935f4f

