{
  "threat_severity" : "Moderate",
  "public_date" : "2025-08-19T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: sunrpc: fix handling of server side tls alerts",
    "id" : "2389487",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2389487"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-754",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nsunrpc: fix handling of server side tls alerts\nScott Mayhew discovered a security exploit in NFS over TLS in\ntls_alert_recv() due to its assumption it can read data from\nthe msg iterator's kvec..\nkTLS implementation splits TLS non-data record payload between\nthe control message buffer (which includes the type such as TLS\naler or TLS cipher change) and the rest of the payload (say TLS\nalert's level/description) which goes into the msg payload buffer.\nThis patch proposes to rework how control messages are setup and\nused by sock_recvmsg().\nIf no control message structure is setup, kTLS layer will read and\nprocess TLS data record types. As soon as it encounters a TLS control\nmessage, it would return an error. At that point, NFS can setup a\nkvec backed msg buffer and read in the control message such as a\nTLS alert. Msg iterator can advance the kvec pointer as a part of\nthe copy process thus we need to revert the iterator before calling\ninto the tls_alert_recv." ],
  "statement" : "A remotely reachable flaw in the SUNRPC NFS-over-TLS server could allow a client to trigger a kernel crash by sending a crafted TLS alert. The issue lies in how the kernel processes TLS control messages, which can lead to use-after-free or invalid memory accesses during alert handling.\nThe attack vector is network-based (AV:N), but the required privileges vary with deployment: in many configurations, a client must already possess valid credentials or a certificate to establish an NFS/TLS session, which corresponds to PR:L in CVSS. If the server is configured to accept connections without strict authentication, exploitation could occur with PR:N, but the more common and realistic scenario is PR:L.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-09-22T00:00:00Z",
    "advisory" : "RHSA-2025:16354",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.0",
    "package" : "kernel-0:6.12.0-55.34.1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-10-20T00:00:00Z",
    "advisory" : "RHSA-2025:18281",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.55.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-11-12T00:00:00Z",
    "advisory" : "RHSA-2025:21112",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.7.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-10-20T00:00:00Z",
    "advisory" : "RHSA-2025:18281",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.55.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-11-12T00:00:00Z",
    "advisory" : "RHSA-2025:21112",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.7.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2025-10-14T00:00:00Z",
    "advisory" : "RHSA-2025:17958",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "kernel-0:5.14.0-427.94.1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-38566\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38566\nhttps://lore.kernel.org/linux-cve-announce/2025081908-CVE-2025-38566-edef@gregkh/T" ],
  "name" : "CVE-2025-38566",
  "mitigation" : {
    "value" : "To mitigate this issue, prevent module sunrpc from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.",
    "lang" : "en:us"
  },
  "csaw" : false
}