Bug 2416307 (CVE-2025-40210) - CVE-2025-40210 kernel: Revert "NFSD: Remove the cap on number of operations per NFSv4 COMPOUND"
Summary: CVE-2025-40210 kernel: Revert "NFSD: Remove the cap on number of operations p...
Keywords:
Status: NEW
Alias: CVE-2025-40210
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-11-21 11:01 UTC by OSIDB Bzimport
Modified: 2025-11-24 20:16 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-11-21 11:01:40 UTC 
In the Linux kernel, the following vulnerability has been resolved:

Revert "NFSD: Remove the cap on number of operations per NFSv4 COMPOUND"

I've found that pynfs COMP6 now leaves the connection or lease in a
strange state, which causes CLOSE9 to hang indefinitely. I've dug
into it a little, but I haven't been able to root-cause it yet.
However, I bisected to commit 48aab1606fa8 ("NFSD: Remove the cap on
number of operations per NFSv4 COMPOUND").

Tianshuo Han also reports a potential vulnerability when decoding
an NFSv4 COMPOUND. An attacker can place an arbitrarily large op
count in the COMPOUND header, which results in:

[   51.410584] nfsd: vmalloc error: size 1209533382144, exceeds total
pages, mode:0xdc0(GFP_KERNEL|__GFP_ZERO),
nodemask=(null),cpuset=/,mems_allowed=0

when NFSD attempts to allocate the COMPOUND op array.

Let's restore the operation-per-COMPOUND limit, but increased to 200
for now.
Comment 1 Alexander B 2025-11-24 20:14:37 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025112140-CVE-2025-40210-2490@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.