Overview
CVE-2025-40210 describes a vulnerability in the Linux kernel’s NFSv4 (Network File System version 4) implementation. Specifically, it relates to the handling of NFSv4 COMPOUND operations. The vulnerability arises from the removal of a previous limit on the number of operations allowed within a single NFSv4 COMPOUND request. This allows an attacker to craft a malicious NFSv4 request with an excessively large operation count, leading to potential denial-of-service conditions or other unexpected behavior.
Technical Details
The vulnerability was introduced by a patch that removed the cap on the number of operations per NFSv4 COMPOUND request in order to improve NFSv4 performance. Without the cap, nothing stopped a client from specifying an extremely large operation count in the COMPOUND header.
Tianshuo Han discovered that an attacker could exploit this by providing an arbitrarily large operation count in the NFSv4 COMPOUND header. When the NFS server (nfsd) attempts to allocate memory for the COMPOUND operation array sized by that count, the allocation fails with a vmalloc error because the request far exceeds available memory. The reported kernel message shows the server attempting to allocate roughly 1.2 TB, far beyond the system's resources:
[ 51.410584] nfsd: vmalloc error: size 1209533382144, exceeds total pages, mode:0xdc0(GFP_KERNEL|__GFP_ZERO), nodemask=(null),cpuset=/,mems_allowed=0
Furthermore, a separate report noted that some NFS clients (specifically, `pynfs COMP6`) may hang or behave unexpectedly after the removal of the operation limit.
CVSS Analysis
Due to the nature of the vulnerability and its dependence on system configuration and attack context, a CVSS score has not been formally assigned. However, the potential for denial-of-service makes this a notable security concern.
Severity: N/A
CVSS Score: N/A
Possible Impact
The most immediate impact is a potential denial-of-service (DoS) condition. An attacker could send a crafted NFSv4 COMPOUND request that forces the server to attempt to allocate an excessive amount of memory, potentially crashing the server or significantly degrading performance.
The other reported issue of hangs and unexpected behavior in `pynfs COMP6` indicates that the vulnerability could lead to data corruption or inconsistent state on the NFS client, depending on the operations being performed. Further analysis may be required to fully understand the impact.
Mitigation and Patch Steps
The vulnerability has been addressed by reverting the commit that removed the operation-per-COMPOUND limit. The patch restores the limit, but increases it to 200 to maintain some of the performance benefits while mitigating the vulnerability.
The recommended mitigation is to apply the patch that reverts commit 48aab1606fa8 (“NFSD: Remove the cap on number of operations per NFSv4 COMPOUND”). This patch is available in stable kernel releases. Ensure your system is updated to a kernel version containing this fix.
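The following is an added example, not code from the page or from the Linux kernel, illustrating the mechanism described under Technical Details and the mitigation above: a COMPOUND header's operation count is read from attacker-controlled XDR data and then used to size an allocation, so the count must be checked against a cap before any sizing arithmetic. The decoder follows the COMPOUND4args layout from RFC 8881 (tag, minorversion, argarray length); the cap value of 200 matches the limit the advisory says the fix restores, but the constant name, the `struct compound_op` record and its size are assumptions made for this demo, and the test headers are constructed here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed cap for this demo, matching the 200-operation limit the advisory
 * says the revert restores. Not nfsd's own constant name or code. */
#define MAX_OPS_PER_COMPOUND 200u

/* Illustrative per-operation decode record; the size is a demo choice. */
struct compound_op {
    uint32_t opnum;
    uint8_t  payload[252];
};

/* Outcome of header validation. */
enum compound_status {
    COMPOUND_OK = 0,
    COMPOUND_TRUNCATED,    /* buffer too short for the fixed header */
    COMPOUND_TOO_MANY_OPS  /* operation count exceeds the cap */
};

/* Read a big-endian XDR uint32 at offset off; returns 0 on success. */
static int xdr_u32(const uint8_t *buf, size_t len, size_t off, uint32_t *out)
{
    if (off > len || len - off < 4)
        return -1;
    *out = ((uint32_t)buf[off] << 24) | ((uint32_t)buf[off + 1] << 16) |
           ((uint32_t)buf[off + 2] << 8) | (uint32_t)buf[off + 3];
    return 0;
}

/* Decode the fixed part of COMPOUND4args (RFC 8881): tag<>, minorversion,
 * then the argarray length. On COMPOUND_OK, *numops holds the checked count. */
enum compound_status decode_compound_header(const uint8_t *buf, size_t len,
                                           uint32_t *numops)
{
    uint32_t taglen, minorversion, n;
    size_t off = 0, padded;

    if (xdr_u32(buf, len, off, &taglen))
        return COMPOUND_TRUNCATED;
    off += 4;
    /* XDR opaque data is padded to a multiple of 4 bytes. */
    padded = ((size_t)taglen + 3) & ~(size_t)3;
    if (padded < taglen || len - off < padded)
        return COMPOUND_TRUNCATED;
    off += padded;
    if (xdr_u32(buf, len, off, &minorversion))
        return COMPOUND_TRUNCATED;
    off += 4;
    if (xdr_u32(buf, len, off, &n))
        return COMPOUND_TRUNCATED;
    /* The check the cap provides: reject the count before it sizes anything. */
    if (n > MAX_OPS_PER_COMPOUND)
        return COMPOUND_TOO_MANY_OPS;
    *numops = n;
    return COMPOUND_OK;
}

/* Bytes an operation array for numops entries would need, or 0 if the
 * multiplication would overflow size_t. With no cap, a 32-bit count turns
 * into an allocation request of hundreds of gigabytes, as in the log line. */
size_t op_array_bytes(uint32_t numops)
{
    if (numops > SIZE_MAX / sizeof(struct compound_op))
        return 0;
    return (size_t)numops * sizeof(struct compound_op);
}

/* Construct a 12-byte test header (empty tag, minorversion 1) carrying the
 * given operation count, so the validator can be exercised offline. */
size_t build_compound_header(uint8_t *out, uint32_t numops)
{
    uint32_t words[3] = { 0, 1, numops };
    for (int i = 0; i < 3; i++) {
        out[i * 4]     = (uint8_t)(words[i] >> 24);
        out[i * 4 + 1] = (uint8_t)(words[i] >> 16);
        out[i * 4 + 2] = (uint8_t)(words[i] >> 8);
        out[i * 4 + 3] = (uint8_t)words[i];
    }
    return 12;
}

int main(void)
{
    uint8_t hdr[12];
    uint32_t n = 0;

    build_compound_header(hdr, 8);
    printf("numops=8: status %d\n", decode_compound_header(hdr, sizeof hdr, &n));
    build_compound_header(hdr, UINT32_MAX);
    printf("numops=UINT32_MAX: status %d, bytes if unchecked: %zu\n",
           decode_compound_header(hdr, sizeof hdr, &n),
           op_array_bytes(UINT32_MAX));
    return 0;
}
```

The point of the ordering is that `decode_compound_header` rejects the count before `op_array_bytes` is ever consulted; the cap is what bounds the allocation, and the overflow check in `op_array_bytes` is a second, independent guard that does not replace it.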
References
Kernel Commit: Revert “NFSD: Remove the cap on number of operations per NFSv4 COMPOUND” (3e7f011c255582d7c914133785bbba1990441713)
Kernel Commit: Revert “NFSD: Remove the cap on number of operations per NFSv4 COMPOUND” (b3ee7ce432289deac87b9d14e01f2fe6958f7f0b)
