CVE-2025-38724
Description
In the Linux kernel, the following vulnerability has been resolved:
nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()
Lei Lu recently reported that nfsd4_setclientid_confirm() did not check the return value from get_client_locked(). A SETCLIENTID_CONFIRM could race with a confirmed client expiring and fail to get a reference. That could later lead to a UAF.
Fix this by getting a reference early in the case where there is an extant confirmed client. If that fails then treat it as if there were no confirmed client found at all.
In the case where the unconfirmed client is expiring, just fail and return the result from get_client_locked().
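The two rules in the fix description, as an added userspace model in C (not the kernel patch and not nfsd code). `struct client`, `get_client()`, the `confirm_*` functions and the status names are hypothetical stand-ins, and `get_client()` is assumed to refuse a reference once the client is marked expired.

```c
#include <stdbool.h>
#include <stddef.h>

/* Userspace model only: every name below is an assumption, not a kernel definition. */
enum status { ST_OK, ST_EXPIRED, ST_NOT_FOUND };
struct client { bool expired; int users; };   /* users = references held */

/* Models get_client_locked(): a reference is granted only to a live client. */
enum status get_client(struct client *c)
{
    if (c->expired)
        return ST_EXPIRED;
    c->users++;
    return ST_OK;
}

/* Pre-fix shape: the result is ignored, so an expiring client is handed
 * back with no reference keeping it alive. */
struct client *confirm_unchecked(struct client *conf)
{
    if (conf)
        (void)get_client(conf);
    return conf;
}

/* Fixed shape, following the two rules in the description. */
enum status confirm_checked(struct client *conf, struct client *unconf,
                            struct client **held)
{
    *held = NULL;
    /* Rule 1: take the reference early; on failure act as if none was found. */
    if (conf && get_client(conf) != ST_OK)
        conf = NULL;
    if (unconf) {
        /* Rule 2: an expiring unconfirmed client fails the whole operation. */
        enum status st = get_client(unconf);
        if (conf)
            conf->users--;      /* model: drop the early reference */
        if (st != ST_OK)
            return st;
        *held = unconf;
        return ST_OK;
    }
    if (!conf)
        return ST_NOT_FOUND;
    *held = conf;
    return ST_OK;
}
```

In the unchecked variant the caller receives a pointer whose reference count never moved, which is the precondition for the later use-after-free; the checked variant never returns a client it does not hold a reference on.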
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, nfsd4_setclientid_confirm() does not check the return value of get_client_locked(), which can lead to a use-after-free when the call races with client expiration.
Vulnerability
CVE-2025-38724 is a use-after-free vulnerability in the Linux kernel's NFSv4 server (nfsd). The function nfsd4_setclientid_confirm() fails to check the return value of get_client_locked(). If a SETCLIENTID_CONFIRM request races with the expiration of a confirmed client, the function may operate on a freed client structure, leading to a use-after-free condition.
Exploitation
Exploitation requires the ability to send NFSv4 SETCLIENTID_CONFIRM commands to the target system. An attacker must be able to trigger the race condition between the confirmation and client expiration. This can be done locally or remotely if NFSv4 is accessible over the network. No special privileges are needed beyond network access to the NFS server.
Impact
A successful exploit could crash the system or potentially allow an attacker to escalate privileges, as the use-after-free may be leveraged for arbitrary code execution within the kernel.
Mitigation
The vulnerability is fixed in Linux kernel commits [3] and [4]. Users should apply the latest kernel updates from their distribution or compile a patched kernel. Siemens also lists affected products in advisories [1] and [2] that require firmware updates.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Linux/Linux, v5, Range: 3.17
Patches
No patches discovered yet.
References
- git.kernel.org/stable/c/22f45cedf281e6171817c8a3432c44d788c550e1 (nvd; Patch)
- git.kernel.org/stable/c/36e83eda90e0e4ac52f259f775b40b2841f8a0a3 (nvd; Patch)
- git.kernel.org/stable/c/3f252a73e81aa01660cb426735eab932e6182e8d (nvd; Patch)
- git.kernel.org/stable/c/571a5e46c71490285d2d8c06f6b5a7cbf6c7edd1 (nvd; Patch)
- git.kernel.org/stable/c/74ad36ed60df561a303a19ecef400c7096b20306 (nvd; Patch)
- git.kernel.org/stable/c/908e4ead7f757504d8b345452730636e298cbf68 (nvd; Patch)
- git.kernel.org/stable/c/d35ac850410966010e92f401f4e21868a9ea4d8b (nvd; Patch)
- git.kernel.org/stable/c/d71abd1ae4e0413707cd42b10c24a11d1aa71772 (nvd; Patch)
- git.kernel.org/stable/c/f3aac6cf390d8b80e1d82975faf4ac61175519c0 (nvd; Patch)
- lists.debian.org/debian-lts-announce/2025/10/msg00007.html (nvd; Mailing List, Third Party Advisory)
- lists.debian.org/debian-lts-announce/2025/10/msg00008.html (nvd; Mailing List, Third Party Advisory)
- cert-portal.siemens.com/productcert/html/ssa-032379.html (nvd)
- cert-portal.siemens.com/productcert/html/ssa-082556.html (nvd)
News mentions
- Siemens SIMATIC (CISA ICS Advisories)