Overview
CVE-2025-40212 describes a refcount leak vulnerability found in the Network File System daemon (NFSd) implementation within the Linux kernel. Specifically, the issue resides within the nfsd_set_fh_dentry() function. This flaw could potentially lead to a use-after-free condition and a subsequent denial-of-service (DoS) attack. The vulnerability primarily affects scenarios where NFSv3 (or v2) clients interact with the pseudo root filesystem, which is normally reserved for NFSv4.
Technical Details
The vulnerability arises from an error-handling defect in nfsd_set_fh_dentry(). When a version 3 (or version 2) NFS client presents a filehandle that originates from NFSd's pseudo root filesystem, the function correctly reports an error. However, by that point it has already stored the associated export pointer in the struct svc_fh, and it leaves that pointer in place even after dropping its own reference with exp_put(). The reference count is therefore out of balance: the svc_fh records a reference it no longer holds. Later, when fh_put() is invoked on that svc_fh, the same reference is dropped a second time, which can lead to a use-after-free.
It’s crucial to note that this vulnerability isn’t triggered by typical NFS usage patterns. It requires the client to craft or synthesize an incorrect filehandle to exploit the flaw.
CVSS Analysis
Currently, a CVSS score has not been assigned for CVE-2025-40212. However, based on the description, the potential for denial of service suggests a moderate severity. A deeper analysis of the exploitability and impact would be required to determine a more accurate CVSS score.
Possible Impact
The most likely impact of exploiting CVE-2025-40212 is a denial-of-service (DoS) condition on the affected system. An attacker could potentially craft specific NFS requests with malformed filehandles, triggering the refcount leak and ultimately crashing the NFSd service. While the prerequisites for exploitation are somewhat specific (requiring a crafted filehandle), the potential for disruption is significant.
Mitigation or Patch Steps
The vulnerability has been addressed in the Linux kernel. The fix involves rearranging the code within nfsd_set_fh_dentry() to delay the assignment of values to the svc_fh structure until after all potential error conditions have been checked. Kernel updates containing these fixes should be applied as soon as possible.
Specifically, look for the following commits in your kernel version:
- 8a7348a9ed70bda1c1f51d3f1815bcbdf9f3b38c
- b6bc86ce3944b10b9fc181fc00c1a520a20ed965
- c83d7365cec5eb5ebeeee2a72e29b4ca58a7e4c2
To mitigate the risk before patching, consider restricting NFSv3 access or closely monitoring NFS traffic for suspicious filehandle requests, although the latter may be difficult to implement effectively.
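The ordering defect described under Technical Details, and the reordering the fix applies, as an added example (not the kernel's nfsd code): a simplified, hypothetical refcount model in which set_fh_buggy() stores the export pointer before the error check and set_fh_fixed() stores it only afterwards; run_scenario() returns the export's final refcount after a lookup, set_fh and fh_put sequence, so a balanced sequence ends at 0 and the double drop shows up as -1.

```c
#include <stddef.h>
/* Simplified model of the refcount pattern behind CVE-2025-40212.
 * Hypothetical types and names; this is not the kernel's nfsd code. */
struct export_model { int refcount; };                 /* stands in for the export */
struct fh_model     { struct export_model *exp; };     /* stands in for svc_fh */

static void exp_put_model(struct export_model *e) { e->refcount--; }

/* Buggy ordering: the export pointer is stored in the fh before the
 * version check, so the error path drops the ref but leaves it set. */
static int set_fh_buggy(struct fh_model *fh, struct export_model *e, int reject)
{
    fh->exp = e;                 /* assignment precedes the error check */
    if (reject) {                /* v2/v3 client with a pseudo-root handle */
        exp_put_model(e);        /* ref dropped, but fh->exp still points at e */
        return -1;
    }
    return 0;
}

/* Fixed ordering: nothing is written to the fh until every error has been checked. */
static int set_fh_fixed(struct fh_model *fh, struct export_model *e, int reject)
{
    if (reject) {
        exp_put_model(e);        /* the lookup's ref is released exactly once */
        return -1;               /* fh->exp stays NULL */
    }
    fh->exp = e;
    return 0;
}

/* Model of fh_put(): release whatever reference the fh records. */
static void fh_put_model(struct fh_model *fh)
{
    if (fh->exp) { exp_put_model(fh->exp); fh->exp = NULL; }
}

/* Runs lookup -> set_fh -> fh_put and returns the export's final refcount.
 * The lookup starts the count at 1, so a balanced sequence ends at 0; a
 * negative result stands for the extra drop that becomes a use-after-free. */
static int run_scenario(int use_fixed, int reject)
{
    struct export_model e = { .refcount = 1 };
    struct fh_model fh = { .exp = NULL };
    (use_fixed ? set_fh_fixed : set_fh_buggy)(&fh, &e, reject);
    fh_put_model(&fh);
    return e.refcount;
}
```

In the real kernel the refcount cannot go negative in this way; the second drop instead frees the export while the svc_fh still points at it, which is the use-after-free the advisory describes.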
