{
  "threat_severity" : "Moderate",
  "public_date" : "2025-08-19T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: sunrpc: fix client side handling of tls alerts",
    "id" : "2389480",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2389480"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nsunrpc: fix client side handling of tls alerts\nA security exploit was discovered in NFS over TLS in tls_alert_recv\ndue to its assumption that there is valid data in the msghdr's\niterator's kvec.\nInstead, this patch proposes the rework how control messages are\nsetup and used by sock_recvmsg().\nIf no control message structure is setup, kTLS layer will read and\nprocess TLS data record types. As soon as it encounters a TLS control\nmessage, it would return an error. At that point, NFS can setup a kvec\nbacked control buffer and read in the control message such as a TLS\nalert. Scott found that a msg iterator can advance the kvec pointer\nas a part of the copy process thus we need to revert the iterator\nbefore calling into the tls_alert_recv." ],
  "statement" : "A remotely reachable bug in the SUNRPC NFS-over-TLS client allowed a server to trigger a kernel crash by sending a TLS alert when the client assumed a valid control kvec in the message iterator. It requires NFS over TLS to be enabled on the client.\nExploitation is only possible in configurations where NFS over TLS is enabled, as the bug lies in the handling of TLS alert control messages in sunrpc. A remote attacker controlling an NFS/TLS session could send a crafted TLS alert to trigger a kernel crash on the client, leading to denial of service. However, since NFS over TLS is not enabled by default on most systems, the practical severity is lower unless explicitly deployed.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-10-20T00:00:00Z",
    "advisory" : "RHSA-2025:18318",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.0",
    "package" : "kernel-0:6.12.0-55.40.1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-10-20T00:00:00Z",
    "advisory" : "RHSA-2025:18281",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.55.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-11-12T00:00:00Z",
    "advisory" : "RHSA-2025:21112",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.7.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-10-20T00:00:00Z",
    "advisory" : "RHSA-2025:18281",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.55.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-11-12T00:00:00Z",
    "advisory" : "RHSA-2025:21112",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.7.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2025-10-27T00:00:00Z",
    "advisory" : "RHSA-2025:19104",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "kernel-0:5.14.0-427.96.1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-38571\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38571\nhttps://lore.kernel.org/linux-cve-announce/2025081910-CVE-2025-38571-ba2a@gregkh/T" ],
  "name" : "CVE-2025-38571",
  "mitigation" : {
    "value" : "To mitigate this issue, prevent module sunrpc from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.",
    "lang" : "en:us"
  },
  "csaw" : false
}