{ "threat_severity" : "Moderate", "public_date" : "2025-09-04T00:00:00Z", "bugzilla" : { "description" : "kernel: nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()", "id" : "2393172", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2393172" }, "cvss3" : { "cvss3_base_score" : "7.0", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-367", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()\nLei Lu recently reported that nfsd4_setclientid_confirm() did not check\nthe return value from get_client_locked(). a SETCLIENTID_CONFIRM could\nrace with a confirmed client expiring and fail to get a reference. That\ncould later lead to a UAF.\nFix this by getting a reference early in the case where there is an\nextant confirmed client. If that fails then treat it as if there were no\nconfirmed client found at all.\nIn the case where the unconfirmed client is expiring, just fail and\nreturn the result from get_client_locked().", "A vulnerability has been identified in the Linux kernel's Network File System (NFS) daemon that could allow for a Denial of Service and in worst case scenario Arbitrary Code Execution. This Use-After-Free flaw arises from a race condition when the kernel handles the confirmation of an NFS client identifier. If an NFS client is expiring while this confirmation is in progress, the system can attempt to use memory that is no longer allocated." ], "statement" : "This flaw was rated as having a Moderate impact by the Red Hat Product Security team. Although it could ultimately lead to an arbitrary code execution the prerequisite of winning a race condition makes it complex to exploit, additionally the attacker would need to perform some reconnaissance of the victim's machine memory layout in order to be able to fully create a in-memory payload that could be further executed by the Linux Kernel NFS driver.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2025-12-01T00:00:00Z", "advisory" : "RHSA-2025:22395", "cpe" : "cpe:/o:redhat:enterprise_linux:10.1", "package" : "kernel-0:6.12.0-124.16.1.el10_1" }, { "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support", "release_date" : "2025-12-02T00:00:00Z", "advisory" : "RHSA-2025:22571", "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0", "package" : "kernel-0:6.12.0-55.47.1.el10_0" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2025-12-01T00:00:00Z", "advisory" : "RHSA-2025:22387", "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv", "package" : "kernel-rt-0:4.18.0-553.87.1.rt7.428.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2025-12-01T00:00:00Z", "advisory" : "RHSA-2025:22388", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-553.87.1.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date" : "2025-12-17T00:00:00Z", "advisory" : "RHSA-2025:23445", "cpe" : "cpe:/o:redhat:rhel_aus:8.2", "package" : "kernel-0:4.18.0-193.178.1.el8_2" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date" : "2025-12-17T00:00:00Z", "advisory" : "RHSA-2025:23463", "cpe" : "cpe:/o:redhat:rhel_aus:8.4", "package" : "kernel-0:4.18.0-305.182.1.el8_4" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On", "release_date" : "2025-12-17T00:00:00Z", "advisory" : "RHSA-2025:23463", "cpe" : "cpe:/o:redhat:rhel_eus_long_life:8.4", "package" : "kernel-0:4.18.0-305.182.1.el8_4" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date" : "2025-12-10T00:00:00Z", "advisory" : "RHSA-2025:23000", "cpe" : "cpe:/o:redhat:rhel_aus:8.6", "package" : "kernel-0:4.18.0-372.172.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date" : "2025-12-10T00:00:00Z", "advisory" : "RHSA-2025:23000", "cpe" : "cpe:/o:redhat:rhel_tus:8.6", "package" : "kernel-0:4.18.0-372.172.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date" : "2025-12-10T00:00:00Z", "advisory" : "RHSA-2025:23000", "cpe" : "cpe:/o:redhat:rhel_e4s:8.6", "package" : "kernel-0:4.18.0-372.172.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service", "release_date" : "2026-01-14T00:00:00Z", "advisory" : "RHSA-2026:0532", "cpe" : "cpe:/o:redhat:rhel_tus:8.8", "package" : "kernel-0:4.18.0-477.124.1.el8_8" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions", "release_date" : "2026-01-14T00:00:00Z", "advisory" : "RHSA-2026:0532", "cpe" : "cpe:/o:redhat:rhel_e4s:8.8", "package" : "kernel-0:4.18.0-477.124.1.el8_8" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-12-01T00:00:00Z", "advisory" : "RHSA-2025:22405", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-611.11.1.el9_7" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-12-01T00:00:00Z", "advisory" : "RHSA-2025:22405", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-611.11.1.el9_7" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date" : "2026-01-14T00:00:00Z", "advisory" : "RHSA-2026:0576", "cpe" : "cpe:/a:redhat:rhel_e4s:9.0", "package" : "kernel-0:5.14.0-70.161.1.el9_0" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date" : "2026-01-14T00:00:00Z", "advisory" : "RHSA-2026:0537", "cpe" : "cpe:/a:redhat:rhel_e4s:9.0::nfv", "package" : "kernel-rt-0:5.14.0-70.161.1.rt21.233.el9_0" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2026-01-14T00:00:00Z", "advisory" : "RHSA-2026:0535", "cpe" : "cpe:/a:redhat:rhel_e4s:9.2", "package" : "kernel-0:5.14.0-284.152.1.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2026-01-14T00:00:00Z", "advisory" : "RHSA-2026:0534", "cpe" : "cpe:/a:redhat:rhel_e4s:9.2::nfv", "package" : "kernel-rt-0:5.14.0-284.152.1.rt14.437.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date" : "2026-01-13T00:00:00Z", "advisory" : "RHSA-2026:0489", "cpe" : "cpe:/a:redhat:rhel_eus:9.4", "package" : "kernel-0:5.14.0-427.106.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support", "release_date" : "2025-12-01T00:00:00Z", "advisory" : "RHSA-2025:22392", "cpe" : "cpe:/a:redhat:rhel_eus:9.6", "package" : "kernel-0:5.14.0-570.69.1.el9_6" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-38724\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38724\nhttps://lore.kernel.org/linux-cve-announce/2025090401-CVE-2025-38724-5309@gregkh/T" ], "name" : "CVE-2025-38724", "csaw" : false }