CVE-2025-38089 Overview
A null pointer dereference vulnerability has been identified in the Linux kernel's sunrpc subsystem that can lead to a remotely-triggerable kernel crash. The vulnerability exists in the SVC authentication processing code, where specially crafted RPC packets can cause the server to dereference an uninitialized rq_accept_statp pointer, resulting in a kernel crash or potential memory corruption.
Critical Impact
Remote attackers can crash Linux systems running NFS services by sending specially crafted RPC packets, causing denial of service conditions.
Affected Products
- Linux Kernel versions 6.4 through 6.4-rc7
- Linux Kernel versions up to 6.16-rc2
- Linux Kernel (multiple version ranges as per vendor advisories)
Discovery Timeline
- June 30, 2025 - CVE-2025-38089 published to NVD
- November 19, 2025 - Last updated in NVD database
Technical Details for CVE-2025-38089
Vulnerability Analysis
This vulnerability is classified as CWE-476 (NULL Pointer Dereference), a type of memory corruption flaw that occurs when the kernel attempts to use a pointer that has not been properly initialized. The issue resides in the Linux kernel's sunrpc implementation, which provides the foundation for NFS (Network File System) services.
When the kernel RPC server receives a specially crafted packet that causes RPC reply decoding to fail, the code path may return SVC_GARBAGE without properly setting the rq_accept_statp pointer. Subsequent code then attempts to dereference this pointer and store a value at that memory location. If this is the first RPC processed by the thread, the pointer remains NULL, causing an immediate kernel panic. In other scenarios where the pointer contains stale data from previous operations, this could lead to memory corruption ("memory scribble") with unpredictable consequences.
Root Cause
The root cause lies in improper error handling within the sunrpc authentication processing code. The server incorrectly treats a SVC_GARBAGE return from svc_authenticate or pg_authenticate as a signal to send a GARBAGE_ARGS reply, which requires access to the rpc_accept_statp pointer. According to RFC 5531, authentication failures should instead result in RPC rejection with an AUTH_ERR status, which would not require accessing the problematic pointer.
The fix addresses this by handling SVC_GARBAGE returns as AUTH_ERROR with a reason of AUTH_BADCRED instead of attempting to return GARBAGE_ARGS. This approach follows the RFC specification and completely avoids the code path that dereferences the potentially uninitialized pointer.
Attack Vector
The attack vector is local, requiring access to send network packets to the vulnerable system. An attacker with network access to a Linux system running NFS or other sunrpc-based services can craft malicious RPC packets designed to trigger the vulnerable code path. The attack does not require authentication, making it accessible to any network-adjacent attacker who can reach the RPC service ports.
The vulnerability was reported by security researcher tianshuo han, and a proof-of-concept repository named "NFSundown" has been published on GitHub demonstrating the exploitation technique.
Detection Methods for CVE-2025-38089
Indicators of Compromise
- Unexpected kernel panics or system crashes on NFS servers
- Kernel oops messages referencing sunrpc or NULL pointer dereference in svc_authenticate code paths
- Unusual or malformed RPC traffic targeting NFS services (typically port 2049 and RPC portmapper)
- System logs showing repeated RPC authentication failures followed by crashes
Detection Strategies
- Monitor kernel logs for NULL pointer dereference errors related to sunrpc subsystem
- Implement network intrusion detection rules to identify malformed RPC packets
- Deploy endpoint detection tools to alert on unexpected kernel crashes involving NFS services
- Use SentinelOne's kernel-level monitoring to detect exploitation attempts targeting sunrpc
Monitoring Recommendations
- Enable detailed logging for NFS and sunrpc services
- Monitor system stability metrics for servers running NFS services
- Implement network traffic analysis for anomalous RPC protocol behavior
- Set up alerts for multiple authentication failures from single source IPs
How to Mitigate CVE-2025-38089
Immediate Actions Required
- Update affected Linux kernels to patched versions immediately
- Consider temporarily disabling NFS services on critical systems until patches are applied
- Implement network segmentation to limit exposure of NFS services
- Monitor for exploitation attempts using the detection strategies outlined above
Patch Information
The Linux kernel development team has released patches addressing this vulnerability across multiple stable kernel branches. The fix modifies the sunrpc authentication handling to treat SVC_GARBAGE returns as authentication errors rather than attempting to send garbage arguments responses.
Official patches are available from the following kernel git commits:
- Kernel Git Commit 353e75b
- Kernel Git Commit 599c489
- Kernel Git Commit 94d10a4
- Kernel Git Commit c90459c
Additional security discussion is available on the Openwall OSS Security mailing list.
Workarounds
- Restrict network access to NFS services using firewall rules to trusted IP ranges only
- Disable NFS services on systems where they are not required
- Implement iptables or nftables rules to rate-limit incoming RPC connections
- Consider using TCP wrappers to add additional access controls to RPC services
# Configuration example - Restrict NFS access with iptables
iptables -A INPUT -p tcp --dport 2049 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 2049 -j DROP
iptables -A INPUT -p udp --dport 2049 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p udp --dport 2049 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
