Detections
Analytics

CVE-2022-50345

medium

Description

In the Linux kernel, the following vulnerability has been resolved: NFSD: Protect against send buffer overflow in NFSv3 READ Since before the git era, NFSD has conserved the number of pages held by each nfsd thread by combining the RPC receive and send buffers into a single array of pages. This works because there are no cases where an operation needs a large RPC Call message and a large RPC Reply at the same time. Once an RPC Call has been received, svc_process() updates svc_rqst::rq_res to describe the part of rq_pages that can be used for constructing the Reply. This means that the send buffer (rq_res) shrinks when the received RPC record containing the RPC Call is large. A client can force this shrinkage on TCP by sending a correctly- formed RPC Call header contained in an RPC record that is excessively large. The full maximum payload size cannot be constructed in that case.

References

https://git.kernel.org/stable/c/fa6be9cc6e80ec79892ddf08a8c10cabab9baf38

https://git.kernel.org/stable/c/c23687911f82a63fa2977ce9c992b395e90f8ba0

https://git.kernel.org/stable/c/bc6c0ed253cd4763dba7541d558e4b704f33176f

https://git.kernel.org/stable/c/75d9de25a6f833dd0701ca546ac926cabff2b5af

https://git.kernel.org/stable/c/309f29361b6bfae96936317376f1114568c5de19

Details

Source: Mitre, NVD

Published: 2025-09-16

Updated: 2025-09-17

Risk Information

CVSS v2

Base Score: 6.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:N/A:C

Severity: Medium

CVSS v3

Base Score: 5.5

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Severity: Medium

EPSS

EPSS: 0.00018