
CVE-2025-22024: Vulnerability in the Linux kernel (vendor Linux, product Linux)

Severity: High
Type: Vulnerability
Published: Wed Apr 16 2025 (04/16/2025, 14:11:45 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

nfsd: fix management of listener transports

Currently, when no active threads are running, a root user using the nfsdctl command can try to remove a particular listener from the list of previously added ones, then start the server by increasing the number of threads. It leads to the following problem:

[ 158.835354] refcount_t: addition on 0; use-after-free.
[ 158.835603] WARNING: CPU: 2 PID: 9145 at lib/refcount.c:25 refcount_warn_saturate+0x160/0x1a0
[ 158.836017] Modules linked in: rpcrdma rdma_cm iw_cm ib_cm ib_core nfsd auth_rpcgss nfs_acl lockd grace overlay isofs uinput snd_seq_dummy snd_hrtimer nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 rfkill ip_set nf_tables qrtr sunrpc vfat fat uvcvideo videobuf2_vmalloc videobuf2_memops uvc videobuf2_v4l2 videodev videobuf2_common snd_hda_codec_generic mc e1000e snd_hda_intel snd_intel_dspcfg snd_hda_codec snd_hda_core snd_hwdep snd_seq snd_seq_device snd_pcm snd_timer snd soundcore sg loop dm_multipath dm_mod nfnetlink vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs libcrc32c crct10dif_ce ghash_ce vmwgfx sha2_ce sha256_arm64 sr_mod sha1_ce cdrom nvme drm_client_lib drm_ttm_helper ttm nvme_core drm_kms_helper nvme_auth drm fuse
[ 158.840093] CPU: 2 UID: 0 PID: 9145 Comm: nfsd Kdump: loaded Tainted: G B W 6.13.0-rc6+ #7
[ 158.840624] Tainted: [B]=BAD_PAGE, [W]=WARN
[ 158.840802] Hardware name: VMware, Inc. VMware20,1/VBSA, BIOS VMW201.00V.24006586.BA64.2406042154 06/04/2024
[ 158.841220] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[ 158.841563] pc : refcount_warn_saturate+0x160/0x1a0
[ 158.841780] lr : refcount_warn_saturate+0x160/0x1a0
[ 158.842000] sp : ffff800089be7d80
[ 158.842147] x29: ffff800089be7d80 x28: ffff00008e68c148 x27: ffff00008e68c148
[ 158.842492] x26: ffff0002e3b5c000 x25: ffff600011cd1829 x24: ffff00008653c010
[ 158.842832] x23: ffff00008653c000 x22: 1fffe00011cd1829 x21: ffff00008653c028
[ 158.843175] x20: 0000000000000002 x19: ffff00008653c010 x18: 0000000000000000
[ 158.843505] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
[ 158.843836] x14: 0000000000000000 x13: 0000000000000001 x12: ffff600050a26493
[ 158.844143] x11: 1fffe00050a26492 x10: ffff600050a26492 x9 : dfff800000000000
[ 158.844475] x8 : 00009fffaf5d9b6e x7 : ffff000285132493 x6 : 0000000000000001
[ 158.844823] x5 : ffff000285132490 x4 : ffff600050a26493 x3 : ffff8000805e72bc
[ 158.845174] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000098588000
[ 158.845528] Call trace:
[ 158.845658]  refcount_warn_saturate+0x160/0x1a0 (P)
[ 158.845894]  svc_recv+0x58c/0x680 [sunrpc]
[ 158.846183]  nfsd+0x1fc/0x348 [nfsd]
[ 158.846390]  kthread+0x274/0x2f8
[ 158.846546]  ret_from_fork+0x10/0x20
[ 158.846714] ---[ end trace 0000000000000000 ]---

nfsd_nl_listener_set_doit() would manipulate the list of transports of the server's sv_permsocks and close the specified listener, but the other list of transports (the server's sp_xprts list) would not be changed, leading to the problem above. Instead, determine whether nfsdctl is trying to remove a listener, in which case delete all the existing listener transports and re-create all but the removed one.

AI-Powered Analysis

Last updated: 07/03/2025, 19:55:51 UTC

Technical Analysis

CVE-2025-22024 is a vulnerability in the Linux kernel's NFS server (nfsd) subsystem, specifically in the management of listener transports. The flaw is triggered when a root user uses the nfsdctl command to remove a particular listener from the list of previously added listeners while no nfsd threads are running, and then starts the server by increasing the thread count. The underlying cause is a lack of consistency between two internal lists that track transport listeners: sv_permsocks and sp_xprts. When a listener is removed from sv_permsocks but not from sp_xprts, the server later operates on a freed transport, producing a use-after-free. This is evidenced by the kernel warning "refcount_t: addition on 0; use-after-free" and the accompanying trace, a classic sign of a reference-counting error that can lead to memory corruption. Concretely, nfsd_nl_listener_set_doit() modifies the sv_permsocks list to close the specified listener but does not update the sp_xprts list, leaving a stale pointer behind. The fix detects when a listener removal is requested, deletes all existing listener transports, and then re-creates all of them except the removed one, so that both lists stay consistent. The vulnerability affects the Linux kernel versions identified by the commit ranges in the CVE record and was publicly disclosed in April 2025. No exploits in the wild are currently reported, and no CVSS score has been assigned yet.

Potential Impact

For European organizations, this vulnerability poses a significant risk primarily to systems running Linux kernels with the affected nfsd versions, especially those utilizing NFS services for file sharing and network storage. Exploitation requires root privileges, which limits the attack vector but does not eliminate risk, as compromised or insider root access could trigger this flaw. The use-after-free condition can lead to kernel crashes (denial of service), potential escalation of privileges, or arbitrary code execution within the kernel context if exploited with sophisticated techniques. This could disrupt critical infrastructure, enterprise file servers, and cloud services relying on Linux-based NFS servers. Given the widespread use of Linux in European data centers, cloud providers, and enterprise environments, the vulnerability could impact availability and integrity of shared data. Additionally, the complexity of the flaw may allow attackers to evade detection, increasing the risk of persistent compromise. Organizations with high reliance on NFS for distributed storage or virtualization platforms (e.g., VMware environments running Linux guests) are particularly at risk.

Mitigation Recommendations

1. Immediate application of the official Linux kernel patches that address this vulnerability is critical. Since the fix involves changes to the nfsd listener management code, upgrading to the latest stable kernel version containing the patch is recommended.
2. Restrict root access and enforce strict privilege management to prevent unauthorized execution of nfsdctl commands.
3. Implement kernel-level security modules (such as SELinux or AppArmor) with policies restricting modifications to NFS daemon configurations.
4. Monitor kernel logs for refcount warnings or unusual nfsdctl activity that may indicate exploitation attempts.
5. For environments where immediate patching is not feasible, consider disabling or restricting NFS services temporarily, especially on exposed or critical systems.
6. Conduct regular audits of NFS server configurations and listener states to detect inconsistencies.
7. Employ intrusion detection systems capable of monitoring kernel anomalies and unusual root-level command executions related to nfsd.
8. Ensure backups and disaster recovery plans are up to date to mitigate potential denial-of-service impacts.
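Recommendation 4 asks for monitoring of kernel logs for refcount warnings. The following detector is an added example written for this page, not code from the advisory, the kernel project or any vendor tool. It parses dmesg/journal-style lines, groups each "refcount_t:" warning with its WARNING line, Comm field and call trace, and raises an alert only when the trace passes through the nfsd or sunrpc modules (or the faulting task is nfsd), so that unrelated refcount warnings are not attributed to the NFS server. The first event in the sample log is constructed from the trace quoted in the CVE description; the second event, including the module name example_mod, is invented to show a non-NFS warning being ignored. The set of modules treated as NFS-related is an assumption of this example.

```python
"""Detect refcount_t saturation warnings in kernel logs and attribute them to
the NFS server (nfsd / sunrpc) by inspecting the accompanying call trace.
Added example for this page; the sample log below is constructed."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

TS_PREFIX = re.compile(r"^\[\s*(\d+\.\d+)\]\s*")           # "[  158.835354] "
REFCOUNT_MSG = re.compile(r"^refcount_t: (.+)$")            # start of an event
WARNING_LINE = re.compile(r"^WARNING: CPU: (\d+) PID: (\d+) at (\S+) (\S+)")
COMM_FIELD = re.compile(r"\bComm: (\S+)")
# "symbol+0xoff/0xsize [module]" with an optional "(P)" marker on arm64 traces
TRACE_FRAME = re.compile(r"^(\S+?)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \(P\))?(?: \[(\w+)\])?$")
# Assumption: a trace through any of these modules is attributed to the NFS server.
NFS_MODULES = {"nfsd", "sunrpc", "lockd", "nfs_acl"}


@dataclass
class RefcountEvent:
    timestamp: float
    message: str
    cpu: Optional[int] = None
    pid: Optional[int] = None
    location: str = ""
    comm: str = ""
    frames: List[Tuple[str, str]] = field(default_factory=list)  # (symbol, module)

    def nfs_related(self) -> bool:
        return self.comm == "nfsd" or any(mod in NFS_MODULES for _, mod in self.frames)


def parse_refcount_events(lines) -> List[RefcountEvent]:
    """Group kernel log lines into one RefcountEvent per refcount_t warning."""
    events: List[RefcountEvent] = []
    current: Optional[RefcountEvent] = None
    in_trace = False
    for raw in lines:
        m = TS_PREFIX.match(raw)
        if not m:
            continue                                  # not a kernel log line
        ts, body = float(m.group(1)), raw[m.end():].strip()
        rc = REFCOUNT_MSG.match(body)
        if rc:                                        # a new warning begins
            current, in_trace = RefcountEvent(ts, rc.group(1)), False
            events.append(current)
            continue
        if current is None:
            continue                                  # noise before any warning
        w = WARNING_LINE.match(body)
        c = COMM_FIELD.search(body)
        if w:
            current.cpu, current.pid = int(w.group(1)), int(w.group(2))
            current.location = f"{w.group(3)} {w.group(4)}"
        elif c:
            current.comm = c.group(1)
        elif body == "Call trace:":
            in_trace = True
        elif body.startswith("---[ end trace"):
            current, in_trace = None, False            # event complete
        elif in_trace:
            f = TRACE_FRAME.match(body)
            if f:
                current.frames.append((f.group(1), f.group(2) or "kernel"))
    return events


def nfsd_refcount_alerts(lines) -> List[str]:
    """Return one alert string per refcount warning raised inside nfsd/sunrpc."""
    alerts = []
    for ev in parse_refcount_events(lines):
        if ev.nfs_related():
            path = " <- ".join(sym for sym, _ in ev.frames)
            alerts.append(f"[{ev.timestamp:.6f}] pid={ev.pid} comm={ev.comm} "
                          f"refcount_t {ev.message} at {ev.location} via {path}")
    return alerts


# Constructed sample: first event taken from the trace in the CVE text, second
# event invented (module "example_mod" is hypothetical) to show a non-NFS warning.
SAMPLE_LOG = """\
[  158.835354] refcount_t: addition on 0; use-after-free.
[  158.835603] WARNING: CPU: 2 PID: 9145 at lib/refcount.c:25 refcount_warn_saturate+0x160/0x1a0
[  158.840093] CPU: 2 UID: 0 PID: 9145 Comm: nfsd Kdump: loaded Tainted: G B W 6.13.0-rc6+ #7
[  158.840624] Tainted: [B]=BAD_PAGE, [W]=WARN
[  158.845528] Call trace:
[  158.845658]  refcount_warn_saturate+0x160/0x1a0 (P)
[  158.845894]  svc_recv+0x58c/0x680 [sunrpc]
[  158.846183]  nfsd+0x1fc/0x348 [nfsd]
[  158.846390]  kthread+0x274/0x2f8
[  158.846546]  ret_from_fork+0x10/0x20
[  158.846714] ---[ end trace 0000000000000000 ]---
[  301.000000] refcount_t: underflow; use-after-free.
[  301.000100] WARNING: CPU: 0 PID: 42 at lib/refcount.c:28 refcount_warn_saturate+0x120/0x1a0
[  301.000200] CPU: 0 UID: 0 PID: 42 Comm: kworker/0:1 Tainted: G W 6.13.0-rc6+ #7
[  301.000300] Call trace:
[  301.000400]  refcount_warn_saturate+0x120/0x1a0 (P)
[  301.000500]  example_release+0x40/0x80 [example_mod]
[  301.000600]  process_one_work+0x1c0/0x3a0
[  301.000700] ---[ end trace 0000000000000000 ]---
"""

if __name__ == "__main__":
    for alert in nfsd_refcount_alerts(SAMPLE_LOG.splitlines()):
        print(alert)
```

In production the same functions can be fed `journalctl -k -o short-monotonic` or `dmesg` output line by line; a single matching alert on an NFS server is worth correlating with recent nfsdctl invocations (audit logs for execve of nfsdctl by root), since the advisory's trigger sequence is a listener removal followed by a thread-count increase.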


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-12-29T08:45:45.807Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9831c4522896dcbe7eac

Added to database: 5/21/2025, 9:09:05 AM

Last enriched: 7/3/2025, 7:55:51 PM

Last updated: 7/26/2025, 6:30:31 PM
