CVE-2025-68811

Vulnerability

Overview

In the Linux kernel's NFS/RDMA server (svcrdma), the function svc_rdma_copy_inline_range contained a bug where it used rc_curpage (the page index) instead of rc_pageoff (the byte offset within the page) when calculating the destination address for a memcpy operation. This caused the copy to land at the base of the wrong page rather than at the correct byte offset within the current page [1].

Exploitation

This vulnerability is triggered during inline copy operations in the RDMA-based NFS server. An attacker who can send crafted RDMA requests to a vulnerable kernel could potentially cause data to be written to unintendedly written to an incorrect memory location within the server's memory. The bug is in the kernel's handling of RDMA inline data, which is part of the NFS over RDMA (NFSoRDMA) implementation.

Impact

Successful exploitation could lead to memory corruption, potentially allowing an attacker to corrupt kernel memory or cause a denial of service. The exact impact depends on the memory layout and the specific data being copied. The vulnerability was discovered by ZeroPath [1].

Mitigation

The fix has been applied to the Linux kernel stable tree in commit 2a77c8dd49bc [1]. Users should update their kernels to include this patch. No workaround is mentioned in the available references.