CVE-2025-40129
Description
In the Linux kernel, the following vulnerability has been resolved:
sunrpc: fix null pointer dereference on zero-length checksum
In xdr_stream_decode_opaque_auth(), zero-length checksum.len causes checksum.data to be set to NULL. This triggers a NPD when accessing checksum.data in gss_krb5_verify_mic_v2(). This patch ensures that the value of checksum.len is not less than XDR_UNIT.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A null pointer dereference in the Linux kernel's sunrpc module, triggered by a zero-length checksum in xdr_stream_decode_opaque_auth(), can be exploited to cause a crash.
Vulnerability Overview
In the Linux kernel, the sunrpc module's xdr_stream_decode_opaque_auth() function fails to properly validate the length of a checksum field. When the checksum length is zero, the function sets the checksum data pointer to NULL, leading to a null pointer dereference (NPD) when the data is later accessed in gss_krb5_verify_mic_v2(). This flaw can be triggered by a crafted RPC message with a zero-length checksum, causing a kernel crash [1].
Attack Vector
An attacker can exploit this vulnerability by sending a crafted RPC message with a zero-length checksum field to a system using the kernel's sunrpc module. The attack requires network access to the target, but no authentication is needed to trigger the null pointer dereference. The vulnerability is in the parsing of opaque authentication data, which is processed before any authentication checks [1].
Impact
Successful exploitation results in a denial of service (DoS) through a kernel crash. The null pointer dereference causes an immediate system panic or oops, making the system unavailable. There is no evidence of privilege escalation or remote code execution from this vulnerability [1].
Mitigation
The fix ensures that the checksum length is not less than XDR_UNIT (4 bytes), preventing the null pointer assignment. The patch has been applied to the Linux kernel stable tree. Users should update to a patched kernel version to mitigate the issue [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
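A userspace model of the length guard described above, added here as an example; it is not the kernel's code or the patch itself. `struct opaque`, `decode_opaque()` and `verify_checksum()` are hypothetical names, the input bytes are constructed, and where the real patch places the check is not shown on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define XDR_UNIT 4u /* one XDR word in bytes, the minimum length the fix requires */

struct opaque { uint32_t len; const uint8_t *data; };

static uint32_t be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Model of a variable-length XDR opaque decoder: a big-endian length word,
 * then the body padded to XDR_UNIT. As in the description, a zero length
 * is accepted and leaves data == NULL. */
static int decode_opaque(const uint8_t *buf, size_t buflen, struct opaque *out)
{
    if (buflen < XDR_UNIT)
        return -1;
    uint32_t len = be32(buf);
    uint64_t padded = ((uint64_t)len + XDR_UNIT - 1) & ~(uint64_t)(XDR_UNIT - 1);
    if (padded > buflen - XDR_UNIT)
        return -1;                      /* body truncated */
    out->len = len;
    out->data = len ? buf + XDR_UNIT : NULL;
    return 0;
}

/* Hypothetical consumer standing in for the MIC check: it reads the first
 * word of the checksum, so anything shorter than XDR_UNIT is rejected first. */
static int verify_checksum(const struct opaque *ck, uint32_t expected)
{
    if (ck->len < XDR_UNIT)             /* the length guard the fix describes */
        return -1;
    return be32(ck->data) == expected ? 0 : -2;
}

int main(void)
{
    const uint8_t zero_len[] = { 0, 0, 0, 0 }; /* constructed: checksum.len == 0 */
    struct opaque ck;
    int rc = decode_opaque(zero_len, sizeof zero_len, &ck);
    printf("decode=%d data=%p verify=%d\n", rc, (void *)ck.data,
           verify_checksum(&ck, 0));
    return 0;
}
```

Without the `ck->len < XDR_UNIT` test, `be32(ck->data)` would read through the NULL pointer that the decoder leaves for a zero-length checksum.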
Affected products: 2
Patches: 4
81cec07d3031, affc03d44921, ab9a70cd2386, 6df164e29bd4
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 4
News mentions: 0
No linked articles in our index yet.