CVE-2025-71120 Overview
A NULL pointer dereference has been identified in the Linux kernel's SUNRPC server-side GSS-API (RPCSEC_GSS) authentication code. The defect is in gss_read_proxy_verf(), the routine that copies a client's gss_token into a page-backed buffer before the token is handed to the GSS mechanism. When the token has zero length, no pages are allocated and in_token->pages[0] is NULL, yet the function unconditionally evaluates page_address(in_token->pages[0]) as the destination of its first memcpy. The copy length is zero, so the memcpy itself would be harmless; it is the address calculation on the NULL page pointer that can dereference NULL.
Critical Impact
A malformed RPCSEC_GSS request carrying a zero-length gss_token can crash the kernel (denial of service) on an NFS server that authenticates clients with Kerberos through GSS-API. The fault occurs while the kernel is still copying the token, before any credential has been validated, so the sender does not need a valid Kerberos principal.
Affected Products
- Linux kernel (multiple stable branches)
- Systems using NFS with Kerberos/GSS-API authentication
- SUNRPC-enabled kernel configurations
Discovery Timeline
- 2026-01-14 - CVE-2025-71120 published to NVD
- 2026-01-19 - Last updated in NVD database
Technical Details for CVE-2025-71120
Vulnerability Analysis
The vulnerability is in the SUNRPC server authentication layer (net/sunrpc/auth_gss/svcauth_gss.c), in the routine that reads a client's GSS init token for the gss-proxy upcall. gss_read_proxy_verf() decodes the token length from the XDR stream, computes the number of pages needed (the length rounded up to whole PAGE_SIZE units), and allocates a zeroed, NULL-terminated array of page pointers with one page per slot. For a zero-length token the page count is zero, nothing is allocated, and in_token->pages[0] is NULL.
The core issue is that page_address(in_token->pages[0]) is evaluated unconditionally as the destination of the first memcpy, regardless of whether there is any data to copy. Even when the copy length is zero (and the memcpy itself would do nothing), the address calculation operates on a NULL page pointer. Whether that faults outright or merely yields a bogus address that a zero-length copy never touches depends on how page_address() is implemented for the kernel's memory-model configuration, so a host that happens to survive a zero-length token should not be treated as unaffected.
Note that gss_read_proxy_verf() is only reached on the gss-proxy path (the svcauth_gss_proxy_init() branch used when the gssproxy daemon performs context establishment); servers that still use the legacy rpc.svcgssd upcall go through a different routine, so check which upcall your distribution configures before ruling a host in or out. A NULL pointer dereference in kernel context is a classic memory safety defect: it produces an oops that kills the nfsd thread that hit it, or a full panic when kernel.panic_on_oops is set. On an NFS server the trigger is a network request, so any client able to reach the service can cause it.
Root Cause
The root cause is a missing length guard before the page array is touched: the code assumes that a received token always occupies at least one page, so pages[0] is always valid. A zero-length token is well-formed at the XDR level but violates that assumption, and converting the (NULL) first page to a kernel virtual address dereferences it.
The fix guards the first memcpy so that it executes only when the computed copy length is greater than zero; with no bytes to copy, pages[0] is never consulted and the NULL page is never dereferenced.
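As an added illustration, not the kernel's code and not from the page's original author, the following C program models the allocation and first-copy step described above, with the unpatched and patched behaviour selected by a flag. struct page, alloc_page(), page_address() and the gssp_in_token layout are simplified user-space stand-ins: the names follow the kernel's naming, but the bodies are assumptions made for this demo, and the 16-byte head buffer is constructed sample data, not a real GSS token. The faulting call is run in a forked child so the caller can observe the crash rather than suffer it.

```c
/* Added model of the first-copy step in gss_read_proxy_verf(), vulnerable
 * and fixed shape side by side. struct page, alloc_page() and page_address()
 * are user-space stand-ins, not the kernel's (assumption for this demo). */
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define PAGE_SIZE 4096u
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/* page_address() must read the descriptor to find the mapping, so a NULL
 * descriptor faults here as it does in the kernel. */
struct page { unsigned char *virt; };

struct gssp_in_token {
	struct page **pages; /* zeroed, NULL-terminated page array */
};

static struct page *alloc_page(void)
{
	struct page *p = calloc(1, sizeof(*p));
	if (p && !(p->virt = calloc(1, PAGE_SIZE))) { free(p); p = NULL; }
	return p;
}

static void *page_address(struct page *page)
{
	return page->virt; /* page == NULL: NULL pointer dereference */
}

static void gss_free_in_token_pages(struct gssp_in_token *tok)
{
	for (unsigned int i = 0; tok->pages && tok->pages[i]; i++) {
		free(tok->pages[i]->virt);
		free(tok->pages[i]);
	}
	free(tok->pages);
	tok->pages = NULL;
}

/* Allocation as the page describes: DIV_ROUND_UP(inlen, PAGE_SIZE) pages in
 * a zeroed array with one spare slot, so inlen == 0 leaves pages[0] == NULL. */
static int gss_alloc_in_token_pages(struct gssp_in_token *tok, unsigned int inlen)
{
	unsigned int pages = DIV_ROUND_UP(inlen, PAGE_SIZE);

	tok->pages = calloc(pages + 1, sizeof(struct page *));
	if (!tok->pages)
		return -1;
	for (unsigned int i = 0; i < pages; i++) {
		if (!(tok->pages[i] = alloc_page())) {
			gss_free_in_token_pages(tok);
			return -1;
		}
	}
	return 0;
}

/* First copy: the token bytes already in the XDR head buffer, of which avail
 * remain (xdr->end - xdr->p in the kernel). patched == 0 keeps the
 * unconditional page_address() call; patched != 0 adds the fix's guard.
 * Returns bytes copied, or -1 on allocation failure. */
static int gss_first_copy(struct gssp_in_token *tok, const unsigned char *xdr_p,
			  unsigned int avail, unsigned int inlen, int patched)
{
	unsigned int length = inlen < avail ? inlen : avail;

	if (gss_alloc_in_token_pages(tok, inlen) < 0)
		return -1;
	if (!patched)    /* vulnerable: page_address() runs even when length == 0 */
		memcpy(page_address(tok->pages[0]), xdr_p, length);
	else if (length) /* fixed: pages[0] is touched only when there is data */
		memcpy(page_address(tok->pages[0]), xdr_p, length);
	return (int)length;
}

/* Drives gss_first_copy() in a child on a constructed 16-byte head buffer with
 * a claimed token length of inlen. Returns 1 if the child died by a signal
 * (the NULL dereference), 0 if the copy succeeded and page 0 holds the
 * expected bytes, 2 on any other failure, -1 if fork failed. */
static int first_copy_outcome(unsigned int inlen, int patched)
{
	static const unsigned char head[16] = "constructed-tok"; /* sample bytes */
	struct gssp_in_token tok = {0};
	int status, n, ok;
	pid_t pid = fork();

	if (pid < 0)
		return -1;
	if (pid == 0) {
		n = gss_first_copy(&tok, head, sizeof(head), inlen, patched);
		ok = n == 0 ? tok.pages[0] == NULL
			    : n > 0 && !memcmp(page_address(tok.pages[0]), head, (size_t)n);
		gss_free_in_token_pages(&tok);
		_exit(ok ? 0 : 2);
	}
	if (waitpid(pid, &status, 0) < 0)
		return -1;
	return WIFSIGNALED(status) ? 1 : WEXITSTATUS(status);
}
```

Calling first_copy_outcome(0, 0) reproduces the unpatched behaviour (the child dies on the NULL page), while first_copy_outcome(0, 1) shows the guarded copy returning cleanly with an empty page array; non-zero lengths succeed either way. The guard is on the computed copy length rather than on the token length because the first copy covers only the bytes left in the XDR head buffer, and it is a zero-length copy that must never consult pages[0].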
Attack Vector
An attacker could potentially exploit this vulnerability by:
- Establishing a connection to an NFS server configured with Kerberos authentication
- Sending a crafted RPC request containing a zero-length GSS authentication token
- Triggering the NULL pointer dereference in the kernel's authentication path
The attack requires only the ability to send RPCSEC_GSS traffic to a vulnerable NFS service; the faulting copy runs before the token is validated, so no valid Kerberos credentials are needed. The outcome is denial of service through a kernel oops or panic rather than code execution, but a single crafted request is enough to trigger it, and for systems whose workloads depend on NFS the availability impact can be severe.
Detection Methods for CVE-2025-71120
Indicators of Compromise
- Kernel oops or panic logs reporting a NULL pointer dereference with gss_read_proxy_verf or svcauth_gss functions in the call trace
- Unexplained reboots (when kernel.panic_on_oops is set) or dead nfsd threads coinciding with client authentication attempts
- Kernel oops messages referencing the SUNRPC subsystem or nfsd
- NFS server unavailability with no corresponding administrative action
Detection Strategies
- Monitor kernel logs for NULL pointer dereference errors in the RPC authentication stack
- Implement network traffic analysis for anomalous NFS/RPC authentication patterns with zero-length tokens
- Deploy kernel runtime monitoring to detect crashes in the net/sunrpc/auth_gss/ code path
- Use eBPF-based monitoring to trace gss_read_proxy_verf function calls and parameter validation
Monitoring Recommendations
- Configure kernel crash dump analysis to capture and analyze any SUNRPC-related crashes
- Enable detailed RPC debugging (rpcdebug -m rpc -s all) during investigation periods; it is verbose, so clear it afterwards with rpcdebug -m rpc -c all
- Monitor system uptime and correlate crashes with NFS service activity
- Implement centralized logging for all NFS servers to identify patterns across infrastructure
How to Mitigate CVE-2025-71120
Immediate Actions Required
- Update to a patched Linux kernel version containing the security fix
- Review NFS server exposure and restrict access to trusted networks where possible
- Monitor affected systems for signs of exploitation or instability
- If patching must wait, do not downgrade exports from Kerberos (sec=krb5*) to AUTH_SYS on networks you do not trust: that trades a crash for unauthenticated access. Prefer restricting which hosts can reach the RPC service. Since the vulnerable routine is on the gss-proxy upcall path, check whether the server actually uses gssproxy before deciding whether an interim change to the upcall is worth considering with your distribution.
Patch Information
The vulnerability has been addressed through multiple kernel commits across stable branches. The fix guards the first memcpy operation to only execute when the token length is greater than zero, preventing the NULL pointer dereference.
Verified patch commits are available:
Workarounds
- Restrict NFS server access to trusted network segments using firewall rules
- If Kerberos authentication is not required, consider using alternative authentication mechanisms temporarily
- Rate-limit RPC connections at the network edge to slow a repeat offender; a single crafted request is enough to trigger the crash, so this limits blast radius rather than preventing the attack
- Deploy high-availability configurations to minimize service disruption from potential crashes
# Example: Restrict NFS access to a trusted subnet (port 2049).
# -A appends, so these must precede any broader ACCEPT rule in INPUT.
# NFSv4 uses TCP 2049; NFSv3 additionally needs rpcbind (111) and the
# mountd/lockd/statd ports, which are not covered here.
iptables -A INPUT -p tcp --dport 2049 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 2049 -j DROP
iptables -A INPUT -p udp --dport 2049 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p udp --dport 2049 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.