CVE-2025-38724 — Use After Free in Linux
CWE-416 — Use After FreeCWE-367 — Time-of-check Time-of-use (TOCTOU) Race Condition30 documents8 sources
Severity
7.8HIGHNVD
EPSS
0.0%
top 94.73%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedSep 4
Latest updateMar 25
Description
In the Linux kernel, the following vulnerability has been resolved:
nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()
Lei Lu recently reported that nfsd4_setclientid_confirm() did not check
the return value from get_client_locked(). a SETCLIENTID_CONFIRM could
race with a confirmed client expiring and fail to get a reference. That
could later lead to a UAF.
Fix this by getting a reference early in the case where there is an
extant confirmed client. If that fails then tre…
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9
Affected Packages3 packages
▶CVEListV5linux/linuxd20c11d86d8f821a64eac7d6c8f296f06d935f4f — 3f252a73e81aa01660cb426735eab932e6182e8d+9
Also affects: Debian Linux 11.0
Patches
🔴Vulnerability Details
3GHSA▶
GHSA-x8r2-g34h-2v3j: In the Linux kernel, the following vulnerability has been resolved:
nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()
Lei Lu r↗2025-09-05
OSV▶
CVE-2025-38724: In the Linux kernel, the following vulnerability has been resolved: nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() Lei Lu rec↗2025-09-04