CVE-2025-38571

sunrpc: fix client side handling of tls alerts

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix client side handling of tls alerts A security exploit was discovered in NFS over TLS in tls_alert_recv
due to its assumption that there is valid data in the msghdr's
iterator's kvec. Instead, this patch proposes the rework how control messages are
setup and used by sock_recvmsg(). If no control message structure is setup, kTLS layer will read and
process TLS data record types. As soon as it encounters a TLS control
message, it would return an error. At that point, NFS can setup a kvec
backed control buffer and read in the control message such as a TLS
alert. Scott found that a msg iterator can advance the kvec pointer
as a part of the copy process thus we need to revert the iterator
before calling into the tls_alert_recv.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: sunrpc: arregla el manejo del lado del cliente de las alertas tls Se descubrió un exploit de seguridad en NFS sobre TLS en tls_alert_recv debido a su suposición de que hay datos válidos en el kvec del iterador de msghdr. En cambio, este parche propone volver a trabajar en cómo se configuran y utilizan los mensajes de control por sock_recvmsg(). Si no se configura ninguna estructura de mensaje de control, la capa kTLS leerá y procesará los tipos de registros de datos TLS. Tan pronto como encuentre un mensaje de control TLS, devolverá un error. En ese punto, NFS puede configurar un búfer de control respaldado por kvec y leer el mensaje de control como una alerta TLS. Scott encontró que un iterador msg puede avanzar el puntero kvec como parte del proceso de copia, por lo tanto, necesitamos revertir el iterador antes de llamar a tls_alert_recv.

In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix client side handling of tls alerts A security exploit was discovered in NFS over TLS in tls_alert_recv due to its assumption that there is valid data in the msghdr's iterator's kvec. Instead, this patch proposes the rework how control messages are setup and used by sock_recvmsg(). If no control message structure is setup, kTLS layer will read and process TLS data record types. As soon as it encounters a TLS control message, it would return an error. At that point, NFS can setup a kvec backed control buffer and read in the control message such as a TLS alert. Scott found that a msg iterator can advance the kvec pointer as a part of the copy process thus we need to revert the iterator before calling into the tls_alert_recv.

It was discovered that improper initialization of CPU cache memory could allow a local attacker with hypervisor access to overwrite SEV-SNP guest memory resulting in loss of data integrity. Jean-Claude Graf, Sandro Rüegge, Ali Hajiabadi, and Kaveh Razavi discovered that the Linux kernel contained insufficient branch predictor isolation between a guest and a userspace hypervisor for certain processors. This flaw is known as VMSCAPE. An attacker in a guest VM could possibly use this to expose sensitive information from the host OS.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Medium

Authentication

None

Confidentiality

Complete

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2025-04-16 CVE Reserved
2025-08-19 CVE Published
2025-09-29 CVE Updated
2026-03-15 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-416: Use After Free

CAPEC

References (8)

URL	Tag	Source
https://git.kernel.org/stable/c/dea034b963c8901bdcc3d3880c04f0d75c95112f	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/a55b3d15331859d9fdd261cfa6d34ca2aeb0fb95	2025-08-15
https://git.kernel.org/stable/c/c36b2fbd60e8f9c6f975522130998608880c93be	2025-08-15
https://git.kernel.org/stable/c/3ee397eaaca4fa04db21bb98c8f1d0c6cc525368	2025-08-15
https://git.kernel.org/stable/c/3feada5baf4dc96e151ff2ca54630e1d274e5458	2025-08-15
https://git.kernel.org/stable/c/cc5d59081fa26506d02de2127ab822f40d88bc5a	2025-08-03

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2025-38571	2025-11-12
https://bugzilla.redhat.com/show_bug.cgi?id=2389480	2025-11-12

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.5 < 6.6.102 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.5 < 6.6.102"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.5 < 6.12.42 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.5 < 6.12.42"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.5 < 6.15.10 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.5 < 6.15.10"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.5 < 6.16.1 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.5 < 6.16.1"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.5 < 6.17 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.5 < 6.17"		en		Affected