CVE-2025-68243

Vulnerability

The NFS client in the Linux kernel contains a flaw in the nfs_match_client() function. When the TLS security policy is of type RPC_XPRTSEC_TLS_X509, the function compares certain fields but omits checking cert_serial and privkey_serial. These fields define the client's identity as presented to the server, and their omission means the client lookup may incorrectly match an existing client entry despite differing certificate details.

Exploitation

An attacker can exploit this by presenting a different X.509 certificate to the NFS server during TLS handshake. Because the missing fields are not compared, the client lookup may return an existing client entry with different certificate serial numbers. The attack requires the client and server to be configured to use TLS with X.509 authentication (security flavor RPC_XPRTSEC_TLS_X509). No additional authentication is needed beyond establishing a TLS connection with a valid certificate.

Impact

A successful exploit could allow an attacker to impersonate another client or hijack an existing session, potentially gaining unauthorized access to NFS exports. This undermines the identity-binding guarantees provided by TLS client certificates.

Mitigation

The vulnerability has been fixed in the Linux kernel. The patch is included in upstream stable releases. Users should update their kernel to include the commit referenced in [1].