CVE-2025-38571 (GCVE-0-2025-38571)

Vulnerability from cvelistv5 – Published: 2025-08-19 17:02 – Updated: 2026-05-11 21:30
VLAI
Title
sunrpc: fix client side handling of tls alerts
Summary
In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix client side handling of tls alerts A security exploit was discovered in NFS over TLS in tls_alert_recv due to its assumption that there is valid data in the msghdr's iterator's kvec. Instead, this patch proposes the rework how control messages are setup and used by sock_recvmsg(). If no control message structure is setup, kTLS layer will read and process TLS data record types. As soon as it encounters a TLS control message, it would return an error. At that point, NFS can setup a kvec backed control buffer and read in the control message such as a TLS alert. Scott found that a msg iterator can advance the kvec pointer as a part of the copy process thus we need to revert the iterator before calling into the tls_alert_recv.
Severity
5.5 (Medium)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: dea034b963c8901bdcc3d3880c04f0d75c95112f , < a55b3d15331859d9fdd261cfa6d34ca2aeb0fb95 (git)
Affected: dea034b963c8901bdcc3d3880c04f0d75c95112f , < c36b2fbd60e8f9c6f975522130998608880c93be (git)
Affected: dea034b963c8901bdcc3d3880c04f0d75c95112f , < 3ee397eaaca4fa04db21bb98c8f1d0c6cc525368 (git)
Affected: dea034b963c8901bdcc3d3880c04f0d75c95112f , < 3feada5baf4dc96e151ff2ca54630e1d274e5458 (git)
Affected: dea034b963c8901bdcc3d3880c04f0d75c95112f , < cc5d59081fa26506d02de2127ab822f40d88bc5a (git)
Create a notification for this product.
Linux Linux Affected: 6.5
Unaffected: 0 , < 6.5 (semver)
Unaffected: 6.6.102 , ≤ 6.6.* (semver)
Unaffected: 6.12.42 , ≤ 6.12.* (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sunrpc/xprtsock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a55b3d15331859d9fdd261cfa6d34ca2aeb0fb95",
              "status": "affected",
              "version": "dea034b963c8901bdcc3d3880c04f0d75c95112f",
              "versionType": "git"
            },
            {
              "lessThan": "c36b2fbd60e8f9c6f975522130998608880c93be",
              "status": "affected",
              "version": "dea034b963c8901bdcc3d3880c04f0d75c95112f",
              "versionType": "git"
            },
            {
              "lessThan": "3ee397eaaca4fa04db21bb98c8f1d0c6cc525368",
              "status": "affected",
              "version": "dea034b963c8901bdcc3d3880c04f0d75c95112f",
              "versionType": "git"
            },
            {
              "lessThan": "3feada5baf4dc96e151ff2ca54630e1d274e5458",
              "status": "affected",
              "version": "dea034b963c8901bdcc3d3880c04f0d75c95112f",
              "versionType": "git"
            },
            {
              "lessThan": "cc5d59081fa26506d02de2127ab822f40d88bc5a",
              "status": "affected",
              "version": "dea034b963c8901bdcc3d3880c04f0d75c95112f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sunrpc/xprtsock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.5"
            },
            {
              "lessThan": "6.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.102",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.102",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsunrpc: fix client side handling of tls alerts\n\nA security exploit was discovered in NFS over TLS in tls_alert_recv\ndue to its assumption that there is valid data in the msghdr\u0027s\niterator\u0027s kvec.\n\nInstead, this patch proposes the rework how control messages are\nsetup and used by sock_recvmsg().\n\nIf no control message structure is setup, kTLS layer will read and\nprocess TLS data record types. As soon as it encounters a TLS control\nmessage, it would return an error. At that point, NFS can setup a kvec\nbacked control buffer and read in the control message such as a TLS\nalert. Scott found that a msg iterator can advance the kvec pointer\nas a part of the copy process thus we need to revert the iterator\nbefore calling into the tls_alert_recv."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:30:40.124Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a55b3d15331859d9fdd261cfa6d34ca2aeb0fb95"
        },
        {
          "url": "https://git.kernel.org/stable/c/c36b2fbd60e8f9c6f975522130998608880c93be"
        },
        {
          "url": "https://git.kernel.org/stable/c/3ee397eaaca4fa04db21bb98c8f1d0c6cc525368"
        },
        {
          "url": "https://git.kernel.org/stable/c/3feada5baf4dc96e151ff2ca54630e1d274e5458"
        },
        {
          "url": "https://git.kernel.org/stable/c/cc5d59081fa26506d02de2127ab822f40d88bc5a"
        }
      ],
      "title": "sunrpc: fix client side handling of tls alerts",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38571",
    "datePublished": "2025-08-19T17:02:51.620Z",
    "dateReserved": "2025-04-16T04:51:24.025Z",
    "dateUpdated": "2026-05-11T21:30:40.124Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-38571",
      "date": "2026-06-06",
      "epss": "0.00023",
      "percentile": "0.06887"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-38571\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-08-19T17:15:33.960\",\"lastModified\":\"2025-11-26T20:03:06.243\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsunrpc: fix client side handling of tls alerts\\n\\nA security exploit was discovered in NFS over TLS in tls_alert_recv\\ndue to its assumption that there is valid data in the msghdr\u0027s\\niterator\u0027s kvec.\\n\\nInstead, this patch proposes the rework how control messages are\\nsetup and used by sock_recvmsg().\\n\\nIf no control message structure is setup, kTLS layer will read and\\nprocess TLS data record types. As soon as it encounters a TLS control\\nmessage, it would return an error. At that point, NFS can setup a kvec\\nbacked control buffer and read in the control message such as a TLS\\nalert. Scott found that a msg iterator can advance the kvec pointer\\nas a part of the copy process thus we need to revert the iterator\\nbefore calling into the tls_alert_recv.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: sunrpc: arregla el manejo del lado del cliente de las alertas tls Se descubri\u00f3 un exploit de seguridad en NFS sobre TLS en tls_alert_recv debido a su suposici\u00f3n de que hay datos v\u00e1lidos en el kvec del iterador de msghdr. En cambio, este parche propone volver a trabajar en c\u00f3mo se configuran y utilizan los mensajes de control por sock_recvmsg(). Si no se configura ninguna estructura de mensaje de control, la capa kTLS leer\u00e1 y procesar\u00e1 los tipos de registros de datos TLS. Tan pronto como encuentre un mensaje de control TLS, devolver\u00e1 un error. En ese punto, NFS puede configurar un b\u00fafer de control respaldado por kvec y leer el mensaje de control como una alerta TLS. Scott encontr\u00f3 que un iterador msg puede avanzar el puntero kvec como parte del proceso de copia, por lo tanto, necesitamos revertir el iterador antes de llamar a tls_alert_recv.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.5\",\"versionEndExcluding\":\"6.6.102\",\"matchCriteriaId\":\"CDBF16D8-C01C-4F6B-ABE0-F7DED4C98BCB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.12.42\",\"matchCriteriaId\":\"EA7AA5E6-4376-4A85-A021-6ACC5FF801C3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13\",\"versionEndExcluding\":\"6.15.10\",\"matchCriteriaId\":\"5890C690-B295-40C2-9121-FF5F987E5142\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.16\",\"versionEndExcluding\":\"6.16.1\",\"matchCriteriaId\":\"58182352-D7DF-4CC9-841E-03C1D852C3FB\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/3ee397eaaca4fa04db21bb98c8f1d0c6cc525368\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/3feada5baf4dc96e151ff2ca54630e1d274e5458\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/a55b3d15331859d9fdd261cfa6d34ca2aeb0fb95\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/c36b2fbd60e8f9c6f975522130998608880c93be\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/cc5d59081fa26506d02de2127ab822f40d88bc5a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.