CVE-2025-40324
Description
In the Linux kernel, the following vulnerability has been resolved:
NFSD: Fix crash in nfsd4_read_release()
When tracing is enabled, the trace_nfsd_read_done trace point crashes during the pynfs read.testNoFh test.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A crash in the Linux kernel's NFSD nfsd4_read_release() function occurs when tracing is enabled and a READ request lacks a file handle.
Vulnerability
CVE-2025-40324 describes a NULL pointer dereference or similar crash in the Linux kernel's NFS server (NFSD). The bug manifests in the nfsd4_read_release() function when the trace_nfsd_read_done trace point is active. The crash is triggered by a READ operation that does not include a valid file handle, as exercised by the pynfs read.testNoFh test.
Exploitation
An attacker must be able to send NFSv4 READ requests to a vulnerable server. The attack requires that kernel tracing (e.g., via ftrace or tracepoints) is enabled on the server, which is not a default configuration. The attacker does not need authentication if the NFS export allows anonymous access; the testNoFh test sends a READ with no file handle, which the server attempts to process.
Impact
Successful exploitation causes a kernel panic or oops, leading to a denial of service (DoS) of the NFS server and potentially the entire host. There is no indication of privilege escalation or data corruption.
Mitigation
The vulnerability is fixed in the Linux kernel stable tree. Patches are available in commits [1], [2], and [3] for various stable kernel versions. Administrators should apply the latest stable kernel updates or disable NFS tracing if an immediate patch cannot be deployed.
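The interim mitigation above depends on knowing whether the trace point is switched on. The following is an added example (not part of this advisory or the kernel project) that reports and, on request, disables the trace event; it assumes tracefs is mounted at /sys/kernel/tracing and that the event is exposed as events/nfsd/nfsd_read_done, following the trace_nfsd_read_done name in the description.

```shell
#!/bin/sh
# Added example: check (and optionally disable) the nfsd_read_done trace event.
# Assumptions: the tracefs root is /sys/kernel/tracing unless TRACEFS is set,
# and the event directory is events/nfsd/nfsd_read_done.

EVENT=events/nfsd/nfsd_read_done

# Print enabled | soft | disabled | absent | unknown for the tracefs root in $1.
nfsd_read_done_state() {
    f="$1/$EVENT/enable"
    [ -r "$f" ] || { echo absent; return 0; }
    state=
    IFS= read -r state < "$f" || true
    case $state in
        *\**) echo soft ;;      # trailing '*' = soft mode set by an event trigger; treat as active
        1*)   echo enabled ;;
        0*)   echo disabled ;;
        *)    echo unknown ;;
    esac
}

# Write 0 to the event's enable file; fails if the file is not writable.
disable_nfsd_read_done() {
    f="$1/$EVENT/enable"
    [ -w "$f" ] || return 1
    echo 0 > "$f"
}

root=${TRACEFS:-/sys/kernel/tracing}
if [ "${1:-}" = "--disable" ]; then
    disable_nfsd_read_done "$root" || echo "cannot write $root/$EVENT/enable" >&2
fi
echo "nfsd_read_done: $(nfsd_read_done_state "$root")"
```

Run it as root with --disable to switch the event off until a patched kernel is installed; without arguments it only reads the current state.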
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (7)
- 930cb4fe3ab4
- 375fdd8993ce
- 2ac46606b2cc
- 03524ccff698
- a4948875ed05
- 8f244b773c63
- abb1f08a2121
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (7)
- git.kernel.org/stable/c/03524ccff698d4a77d096ed529073d91f5edee5d (nvd)
- git.kernel.org/stable/c/2ac46606b2cc49e78d8e3d8f2685e79e9ba73020 (nvd)
- git.kernel.org/stable/c/375fdd8993cecc48afa359728a6e70b280dde1c8 (nvd)
- git.kernel.org/stable/c/8f244b773c63fa480c9a3bd1ae04f5272f285e89 (nvd)
- git.kernel.org/stable/c/930cb4fe3ab4061be31f20ee30bb72a66f7bb6d1 (nvd)
- git.kernel.org/stable/c/a4948875ed0599c037dc438c11891c9012721b1d (nvd)
- git.kernel.org/stable/c/abb1f08a2121dd270193746e43b2a9373db9ad84 (nvd)