CVE-2025-38430

high

Description

In the Linux kernel, the following vulnerability has been resolved: nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request If the request being processed is not a v4 compound request, then examining the cstate can have undefined results. This patch adds a check that the rpc procedure being executed (rq_procinfo) is the NFSPROC4_COMPOUND procedure.

References

https://git.kernel.org/stable/c/e7e943ddd1c6731812357a28e7954ade3a7d8517

https://git.kernel.org/stable/c/bf78a2706ce975981eb5167f2d3b609eb5d24c19

https://git.kernel.org/stable/c/b1d0323a09a29f81572c7391e0d80d78724729c9

https://git.kernel.org/stable/c/7a75a956692aa64211a9e95781af1ec461642de4

https://git.kernel.org/stable/c/64a723b0281ecaa59d31aad73ef8e408a84cb603

https://git.kernel.org/stable/c/425efc6b3292a3c79bfee4a1661cf043dcd9cf2f

https://git.kernel.org/stable/c/2c54bd5a380ebf646fb9efbc4ae782ff3a83a5af

https://git.kernel.org/stable/c/1244f0b2c3cecd3f349a877006e67c9492b41807

Details

Source: Mitre, NVD

Published: 2025-07-25

Updated: 2025-07-25

Risk Information

CVSS v2

Base Score: 7.2

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 7.8

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Severity: High

EPSS

EPSS: 0.00024