VYPR
Unrated severity · NVD Advisory · Published Nov 21, 2025 · Updated Apr 15, 2026

CVE-2025-40210


Description

In the Linux kernel, the following vulnerability has been resolved:

Revert "NFSD: Remove the cap on number of operations per NFSv4 COMPOUND"

I've found that pynfs COMP6 now leaves the connection or lease in a strange state, which causes CLOSE9 to hang indefinitely. I've dug into it a little, but I haven't been able to root-cause it yet. However, I bisected to commit 48aab1606fa8 ("NFSD: Remove the cap on number of operations per NFSv4 COMPOUND").

Tianshuo Han also reports a potential vulnerability when decoding an NFSv4 COMPOUND. An attacker can place an arbitrarily large op count in the COMPOUND header, which results in:

[ 51.410584] nfsd: vmalloc error: size 1209533382144, exceeds total pages, mode:0xdc0(GFP_KERNEL|__GFP_ZERO), nodemask=(null),cpuset=/,mems_allowed=0

when NFSD attempts to allocate the COMPOUND op array.

Let's restore the operation-per-COMPOUND limit, but increased to 200 for now.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2025-40210 is a denial-of-service vulnerability in Linux kernel NFSD caused by removing the cap on operations per NFSv4 COMPOUND, allowing attackers to trigger massive vmalloc allocation.

Vulnerability Details

In the Linux kernel NFSD subsystem, a previous commit (48aab1606fa8) removed the upper bound on the number of operations allowed in an NFSv4 COMPOUND request. This change enabled an attacker to place an arbitrarily large operation count in the COMPOUND header. When NFSD attempts to decode such a request, it tries to allocate a correspondingly massive array via vmalloc, leading to an error message like "vmalloc error: size 1209533382144, exceeds total pages" [1]. This results in a system crash or hang, effectively a denial of service.

Exploitation

The vulnerability can be exploited remotely without authentication. An attacker only needs network access to the NFS server to send a crafted NFSv4 COMPOUND containing a high op count. No other privileges are required. The lack of a limit allows the allocation size to reach terabytes, exhausting system memory and causing a kernel panic.

Impact

A successful exploit renders the NFS server unavailable and can destabilize the entire host system due to memory exhaustion or kernel panic. This is a classic denial-of-service scenario, disrupting any NFS-dependent services.

Mitigation

The fix reverts the original commit and reimposes a cap of 200 operations per COMPOUND. Patches are available in the stable kernel trees as commits b3ee7ce43228 [1] and 3e7f011c2555 [2]. Administrators should apply the latest kernel updates or backport these commits. No workaround other than patching is known; the vulnerability is not listed on KEV.
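The bound described above, as an added userspace C sketch; it is not the kernel's NFSD code or the patch itself. The function, struct and macro names are hypothetical, the sample buffers are constructed, and the check of the op count against the bytes left in the request is an extra assumption beyond the 200-op cap the advisory names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Cap value from the advisory; the macro name is hypothetical. */
#define MAX_OPS_PER_COMPOUND 200u
struct op_slot { uint32_t opnum; unsigned char scratch[60]; }; /* stand-in for one decoded op */

/* Read one big-endian XDR uint32 at *off; returns -1 if the buffer is too short. */
static int xdr_u32(const unsigned char *b, size_t len, size_t *off, uint32_t *out)
{
    if (len - *off < 4) return -1;
    const unsigned char *p = b + *off;
    *out = (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
    *off += 4;
    return 0;
}

/* Decode tag, minorversion and op count; the op array is allocated only after
 * both bounds pass. Returns the op count, or -1 for a malformed or over-limit request. */
int decode_compound_header(const unsigned char *buf, size_t len, struct op_slot **ops)
{
    size_t off = 0, padded;
    uint32_t taglen, minor, opcnt;
    *ops = NULL;
    if (xdr_u32(buf, len, &off, &taglen) || taglen > len - off) return -1;
    padded = ((size_t)taglen + 3) & ~(size_t)3;   /* XDR pads opaque data to 4 bytes */
    if (padded > len - off) return -1;
    off += padded;
    if (xdr_u32(buf, len, &off, &minor) || xdr_u32(buf, len, &off, &opcnt)) return -1;
    if (opcnt > MAX_OPS_PER_COMPOUND) return -1;  /* the restored per-COMPOUND cap */
    if (opcnt > (len - off) / 4) return -1;       /* each op needs at least a 4-byte opcode */
    if (opcnt == 0) return 0;
    *ops = calloc(opcnt, sizeof(**ops));
    return *ops ? (int)opcnt : -1;
}

/* Constructed samples: empty tag, minorversion 0, then the op count (and opcodes). */
static const unsigned char huge_count[] = { 0,0,0,0, 0,0,0,0, 0xff,0xff,0xff,0xff };
static const unsigned char two_ops[]    = { 0,0,0,0, 0,0,0,0, 0,0,0,2, 0,0,0,22, 0,0,0,9 };

int main(void)
{
    struct op_slot *ops;
    printf("huge count -> %d\n", decode_compound_header(huge_count, sizeof huge_count, &ops));
    printf("two ops    -> %d\n", decode_compound_header(two_ops, sizeof two_ops, &ops));
    free(ops);
    return 0;
}
```

The header-supplied count never reaches the allocator unless it is within the cap and plausible for the request's actual length, so the allocation size is bounded by constants rather than by attacker-controlled input.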

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
