CVE-2025-47711 is a medium-severity vulnerability identified in the nbdkit server, a network block device server commonly used in virtualization and storage environments. The flaw arises from an off-by-one error in how nbdkit handles responses from its plugins concerning the status of data blocks. Specifically, when a client issues a request for a very large data range, and the plugin responds with an even larger single data block, the nbdkit server fails to correctly process this response. This leads to a critical internal error within the server, causing it to crash or become unresponsive, resulting in a denial-of-service (DoS) condition. The vulnerability affects multiple versions of nbdkit, including 1.11.10, 1.40.0, and 1.42.0, and is present in Red Hat Enterprise Linux 10 distributions that include these versions. The CVSS v3.1 base score is 4.3, reflecting a medium severity level, with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), requiring low privileges (PR:L), no user interaction (UI:N), unchanged scope (S:U), no confidentiality or integrity impact (C:N/I:N), but causing availability impact (A:L). No known exploits are currently in the wild, and no patches or mitigations have been explicitly linked yet. The vulnerability primarily impacts availability by causing the nbdkit server to crash under specific malformed plugin responses, which could disrupt storage services relying on nbdkit for block device access.

For European organizations, especially those operating virtualized environments or cloud infrastructure relying on Red Hat Enterprise Linux 10 with nbdkit, this vulnerability poses a risk of service disruption. The denial-of-service condition could interrupt access to critical storage volumes, affecting applications, databases, and virtual machines dependent on network block devices. This can lead to downtime, operational delays, and potential financial losses. While the vulnerability does not expose data confidentiality or integrity risks, the availability impact can be significant in environments requiring high uptime and reliability, such as financial institutions, healthcare providers, and critical infrastructure operators. Additionally, since exploitation requires low privileges but no user interaction, an attacker with limited access could trigger the DoS remotely, increasing the threat surface. The absence of known exploits reduces immediate risk, but the medium severity rating and the potential for disruption warrant proactive mitigation.

Organizations should prioritize updating nbdkit to versions where this vulnerability is fixed once patches are released by Red Hat or the nbdkit maintainers. In the interim, administrators should monitor nbdkit server logs for unusual plugin responses or crashes and consider restricting network access to the nbdkit service to trusted clients only, minimizing exposure to untrusted users. Implementing network segmentation and firewall rules to limit access to the nbdkit server can reduce the attack surface. Additionally, reviewing and validating plugin behavior to ensure they do not respond with data blocks larger than requested can help prevent triggering the flaw. Regular backups and high-availability configurations can mitigate the impact of potential service disruptions. Finally, staying informed through Red Hat security advisories and subscribing to vulnerability notifications will ensure timely application of fixes.