CVE-2025-38232 - NFSD: fix race between nfsd registration and exports_proc

EPSS 0.02% · P7

I. Basic Information for CVE-2025-38232

Vulnerability Information


Vulnerability Title
NFSD: fix race between nfsd registration and exports_proc
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved:

NFSD: fix race between nfsd registration and exports_proc

As of now nfsd calls create_proc_exports_entry() at start of init_nfsd and cleanup by remove_proc_entry() at last of exit_nfsd.

Which causes kernel OOPs if there is race between below 2 operations:
(i) exportfs -r
(ii) mount -t nfsd none /proc/fs/nfsd

for 5.4 kernel ARM64:

CPU 1:
    el1_irq+0xbc/0x180
    arch_counter_get_cntvct+0x14/0x18
    running_clock+0xc/0x18
    preempt_count_add+0x88/0x110
    prep_new_page+0xb0/0x220
    get_page_from_freelist+0x2d8/0x1778
    __alloc_pages_nodemask+0x15c/0xef0
    __vmalloc_node_range+0x28c/0x478
    __vmalloc_node_flags_caller+0x8c/0xb0
    kvmalloc_node+0x88/0xe0
    nfsd_init_net+0x6c/0x108 [nfsd]
    ops_init+0x44/0x170
    register_pernet_operations+0x114/0x270
    register_pernet_subsys+0x34/0x50
    init_nfsd+0xa8/0x718 [nfsd]
    do_one_initcall+0x54/0x2e0

CPU 2 :
    Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010

    PC is at : exports_net_open+0x50/0x68 [nfsd]

    Call trace:
    exports_net_open+0x50/0x68 [nfsd]
    exports_proc_open+0x2c/0x38 [nfsd]
    proc_reg_open+0xb8/0x198
    do_dentry_open+0x1c4/0x418
    vfs_open+0x38/0x48
    path_openat+0x28c/0xf18
    do_filp_open+0x70/0xe8
    do_sys_open+0x154/0x248

Sometimes it crashes at exports_net_open() and sometimes cache_seq_next_rcu().

and same is happening on latest 6.14 kernel as well:

    [ 0.000000] Linux version 6.14.0-rc5-next-20250304-dirty
    ...
    [ 285.455918] Unable to handle kernel paging request at virtual address 00001f4800001f48
    ...
    [ 285.464902] pc : cache_seq_next_rcu+0x78/0xa4
    ...
    [ 285.469695] Call trace:
    [ 285.470083] cache_seq_next_rcu+0x78/0xa4 (P)
    [ 285.470488] seq_read+0xe0/0x11c
    [ 285.470675] proc_reg_read+0x9c/0xf0
    [ 285.470874] vfs_read+0xc4/0x2fc
    [ 285.471057] ksys_read+0x6c/0xf4
    [ 285.471231] __arm64_sys_read+0x1c/0x28
    [ 285.471428] invoke_syscall+0x44/0x100
    [ 285.471633] el0_svc_common.constprop.0+0x40/0xe0
    [ 285.471870] do_el0_svc_compat+0x1c/0x34
    [ 285.472073] el0_svc_compat+0x2c/0x80
    [ 285.472265] el0t_32_sync_handler+0x90/0x140
    [ 285.472473] el0t_32_sync+0x19c/0x1a0
    [ 285.472887] Code: f9400885 93407c23 937d7c27 11000421 (f86378a3)
    [ 285.473422] ---[ end trace 0000000000000000 ]---

It reproduced simply with below script:

    while [ 1 ]
    do
        /exportfs -r
    done &

    while [ 1 ]
    do
        insmod /nfsd.ko
        mount -t nfsd none /proc/fs/nfsd
        umount /proc/fs/nfsd
        rmmod nfsd
    done &

So exporting interfaces to user space shall be done at last and cleanup at first place.

With change there is no Kernel OOPs.
Source: NVD (National Vulnerability Database)
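
The ordering rule stated in the description (publish the user-visible entry last on load, remove it first on unload) can be checked with a small deterministic model. This is an added example, not kernel code or code from the fix; every name in it (net_state, publish_proc, init_state, unsafe_windows and so on) is hypothetical, and the concurrent reader is modelled as a probe between steps.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

/* Constructed userspace model; names are hypothetical, not kernel code. */
struct net_state { int export_cache; };   /* stands in for per-net nfsd data */
static struct net_state *state;           /* NULL until per-net init has run */
static int proc_visible;                  /* 1 while the proc entry exists */

/* Models a reader opening the exports file at an arbitrary moment. */
static int exports_open(void)
{
    if (!proc_visible)
        return -ENOENT;   /* entry not published: user space cannot get in */
    if (state == NULL)
        return -EFAULT;   /* in the kernel this is the NULL dereference */
    return 0;
}

static void publish_proc(void)   { proc_visible = 1; }
static void unpublish_proc(void) { proc_visible = 0; }
static void init_state(void)     { state = calloc(1, sizeof(*state)); }
static void free_state(void)     { free(state); state = NULL; }
typedef void (*step_fn)(void);

/* Run the steps in order, probing with a reader before and after each one;
 * returns how many probes reached uninitialised or freed state. */
static int unsafe_windows(const step_fn *steps, size_t n)
{
    int hits = (exports_open() == -EFAULT);
    for (size_t i = 0; i < n; i++) {
        steps[i]();
        hits += (exports_open() == -EFAULT);
    }
    return hits;
}

/* Ordering described as the bug: publish first on load, unpublish last. */
static const step_fn buggy_load[]   = { publish_proc, init_state };
static const step_fn buggy_unload[] = { free_state, unpublish_proc };
/* Ordering described as the fix: publish last on load, unpublish first. */
static const step_fn fixed_load[]   = { init_state, publish_proc };
static const step_fn fixed_unload[] = { unpublish_proc, free_state };

int main(void)
{
    int bad  = unsafe_windows(buggy_load, 2) + unsafe_windows(buggy_unload, 2);
    int good = unsafe_windows(fixed_load, 2) + unsafe_windows(fixed_unload, 2);
    return (bad == 2 && good == 0) ? 0 : 1;
}
```
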
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel security vulnerability
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
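The Linux kernel is the kernel used by Linux, the open-source operating system of the Linux Foundation (USA). The Linux kernel contains a security vulnerability that stems from a race condition between nfsd registration and exports_proc, which may lead to a NULL pointer dereference.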
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor | Product | Affected Versions | CPE
Linux | Linux | bd5ae9288d6451bd346a1b4a59d4fe7e62ba29b7 ~ 49b57b98fa601ae6cc7897bab4515129da8290f7 | -
Linux | Linux | 5.12 | -

II. Public POCs for CVE-2025-38232


No public POC found.


III. Intelligence Information for CVE-2025-38232


Same Patch Batch · Linux · 2025-07-04 · 59 CVEs total

CVE-2025-38215 - fbdev: Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var
CVE-2025-38227 - media: vidtv: Terminating the subsequent process of initialization failure
CVE-2025-38230 - jfs: validate AG parameters in dbMount() to prevent crashes
CVE-2025-38228 - media: imagination: fix a potential memory leak in e5010_probe()
CVE-2025-38229 - media: cxusb: no longer judge rbuf when the write fails
CVE-2025-38231 - nfsd: Initialize ssc before laundromat_work to prevent NULL dereference
CVE-2025-38219 - f2fs: prevent kernel warning due to negative i_nlink from corrupted image
CVE-2025-38218 - f2fs: fix to do sanity check on sit_bitmap_size
CVE-2025-38217 - hwmon: (ftsteutates) Fix TOCTOU race in fts_read()
CVE-2025-38216 - iommu/vt-d: Restore context entry setup order for aliased devices
CVE-2025-38221 - ext4: fix out of bounds punch offset
CVE-2025-38214 - fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var
CVE-2025-38212 - ipc: fix to protect IPCS lookups using RCU
CVE-2025-38211 - RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction
CVE-2025-38210 - configfs-tsm-report: Fix NULL dereference of tsm_ops
CVE-2025-38209 - nvme-tcp: remove tag set when second admin queue config fails
CVE-2025-38208 - smb: client: add NULL check in automount_fullpath
CVE-2025-38207 - mm: fix uprobe pte be overwritten when expanding vma
CVE-2025-38206 - exfat: fix double free in delayed_free
CVE-2025-38205 - drm/amd/display: Avoid divide by zero by initializing dummy pitch to 1

Showing top 20 of 59 CVEs.

IV. Related Vulnerabilities
