CVE-2025-21796
📋 TL;DR
This is a use-after-free (a double release of a reference-counted POSIX ACL) in the Linux kernel's NFS server (nfsd). In nfsd's GETACL handler, if the default-ACL lookup fails after the access ACL has already been fetched, the error path releases both ACLs but leaves their pointers in the response structure; the per-request release callback (nfs3svc_release_getacl) then drops the same references a second time, which the kernel reports as "refcount_t: underflow; use-after-free". It affects Linux systems running nfsd for NFSv3 clients with ACL support enabled. The usual outcome is a kernel WARNING (a panic where panic_on_warn is set); privilege escalation is a theoretical worst case rather than a demonstrated one.
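The error path described above, as an added user-space model written for this page (it is not kernel code and not the fix commit). `struct acl`, `acl_release()`, `get_inode_acl()`, `proc_getacl()` and `release_getacl()` are stand-ins for the kernel's `struct posix_acl`, `posix_acl_release()`, `get_inode_acl()`, `nfsd3_proc_getacl()` and `nfs3svc_release_getacl()`; the failure injection (`fail_default`) and the underflow counter are assumptions made so the double release is observable without real memory corruption. The `fixed` flag switches between the vulnerable shape and the two lines the fix adds.

```c
/* Added example, not kernel code: a user-space model of the nfsd GETACL
 * error path fixed by CVE-2025-21796. The bug: the handler's failure path
 * releases both ACLs but leaves the pointers in the response, so the
 * per-request release callback drops the same references again. The fix
 * clears the pointers after releasing them. Names below are stand-ins for
 * the kernel's posix_acl / posix_acl_release / get_inode_acl /
 * nfsd3_proc_getacl / nfs3svc_release_getacl. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { ACL_TYPE_ACCESS, ACL_TYPE_DEFAULT };

struct acl {
    int refcount;
    bool freed;            /* set once the last reference is dropped */
};

struct getacl_resp {
    struct acl *acl_access;
    struct acl *acl_default;
};

/* Objects stay allocated after "free" so a drop on an already-released ACL
 * is detected instead of touching freed memory; free_all_acls() reclaims them. */
#define MAX_ACLS 4
static struct acl *allocated[MAX_ACLS];
static int n_allocated;
static int underflows;     /* what refcount_t would report as an underflow */

static struct acl *acl_new(void) {
    struct acl *a = calloc(1, sizeof *a);
    if (!a || n_allocated == MAX_ACLS) abort();
    a->refcount = 1;
    allocated[n_allocated++] = a;
    return a;
}

static void free_all_acls(void) {
    for (int i = 0; i < n_allocated; i++) free(allocated[i]);
    n_allocated = 0;
}

/* Models posix_acl_release(): NULL is a no-op; dropping a reference on an
 * already-freed object is the refcount underflow the kernel warns about. */
static void acl_release(struct acl *a) {
    if (!a) return;
    if (a->freed || a->refcount <= 0) { underflows++; return; }
    if (--a->refcount == 0) a->freed = true;   /* kernel: kfree_rcu() */
}

/* Stand-in for get_inode_acl(): the default-ACL lookup fails on demand
 * (returns NULL here where the kernel returns an ERR_PTR). */
static struct acl *get_inode_acl(int type, bool fail_default) {
    if (type == ACL_TYPE_DEFAULT && fail_default) return NULL;
    return acl_new();
}

/* The handler. With fixed == false this is the vulnerable shape. */
static int proc_getacl(struct getacl_resp *resp, bool fail_default, bool fixed) {
    memset(resp, 0, sizeof *resp);
    resp->acl_access = get_inode_acl(ACL_TYPE_ACCESS, fail_default);
    if (!resp->acl_access) goto fail;
    resp->acl_default = get_inode_acl(ACL_TYPE_DEFAULT, fail_default);
    if (!resp->acl_default) goto fail;
    return 0;                      /* rpc_success */
fail:
    acl_release(resp->acl_access);
    acl_release(resp->acl_default);
    if (fixed) {                   /* the two lines the fix adds */
        resp->acl_access = NULL;
        resp->acl_default = NULL;
    }
    return -1;
}

/* Runs after the reply for every request, success or failure. */
static void release_getacl(struct getacl_resp *resp) {
    acl_release(resp->acl_access);
    acl_release(resp->acl_default);
}

/* Runs one request end to end and returns how many refcount underflows
 * it produced; 0 means the references balanced. */
int run_request(bool fail_default, bool fixed) {
    struct getacl_resp resp;
    underflows = 0;
    proc_getacl(&resp, fail_default, fixed);
    release_getacl(&resp);
    free_all_acls();
    return underflows;
}

int main(void) {
    printf("vulnerable, default ACL lookup fails: %d underflow(s)\n", run_request(true, false));
    printf("fixed,      default ACL lookup fails: %d underflow(s)\n", run_request(true, true));
    printf("vulnerable, success path:             %d underflow(s)\n", run_request(false, false));
    return 0;
}
```

Only the failing request on the unfixed handler produces an underflow: the access ACL is released once in the `fail:` block and again in `release_getacl()`. On the success path the references balance in both variants, which is why the bug needs the error condition to surface.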
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic (system crash, denial of service) where panic_on_warn is enabled, or in theory privilege escalation to kernel mode if the double release could be combined with other vulnerabilities. In practice refcount_t detects the underflow and saturates the counter rather than silently corrupting memory, which makes reliable exploitation hard.
Likely Case
A kernel WARNING with a refcount underflow backtrace when an NFS client's GETACL request hits the handler's error path (the default-ACL lookup failing after the access ACL was read); the machine only goes down if panic_on_warn is set.
If Mitigated
No impact if nfsd is not running, NFSv3 is not served, or ACL exposure is disabled on all exports.
🎯 Exploit Status
Exploitation requires an NFS client that can reach the server and send an ACL request that reaches the handler's error path (the default-ACL lookup failing after the access ACL was obtained). The bug is in kernel space and the kernel's refcount_t detects the underflow, so turning it into anything beyond a warning or crash is considerably harder than a comparable user-space bug.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in mainline and backported to the stable kernel branches via the commits listed under References; the exact point release depends on the branch, so check your distribution's advisory for this CVE.
Vendor Advisory: https://git.kernel.org/stable/c/1fd94884174bd20beb1773990fd3b1aa877688d9
Restart Required: Yes
Instructions:
1. Update the Linux kernel to a version containing the fix.
2. Check with your distribution for security updates.
3. Reboot the system after the kernel update.
🔧 Temporary Workarounds
Disable NFSv3 service
Linux: Stop and disable the NFS server if it is not required
systemctl stop nfs-server
systemctl disable nfs-server
Disable ACL support in NFS
Linux: Configure NFS not to expose ACLs if the NFS service must remain running
Add the no_acl option to the option list of each export in /etc/exports and re-export (exportfs -ra). Treat this as defense in depth rather than a substitute for the patch: the referenced fix commits do not tie the bug to the export flags, so the handler's error path is not guaranteed to be unreachable.
🧯 If You Can't Patch
- Disable NFSv3 service entirely if not required
- Implement network segmentation to isolate NFS servers from untrusted clients
🔍 How to Verify
Check if Vulnerable:
Vulnerable if the NFS server is active and the running kernel predates the fix: check 'systemctl status nfs-server' and compare 'uname -r' against your distribution's advisory for this CVE. '/proc/fs/nfsd/versions' shows which NFS versions nfsd is serving; exposure requires NFSv3 to be enabled there.
Check Version:
uname -r
Verify Fix Applied:
After the update, confirm with 'uname -r' that the running kernel (not just the installed package) is the patched one, i.e. the system was rebooted, and that the NFS service is either disabled or running on that kernel.
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages in /var/log/kern.log or dmesg
- WARNING messages of the form "refcount_t: underflow; use-after-free." from refcount_warn_saturate, with nfs3svc_release_getacl or nfsd3_proc_getacl in the call trace
- NFS server crash logs
Network Indicators:
- Unexpected NFS service restarts
- Clients unable to access NFS shares
SIEM Query:
Search kernel logs for 'refcount_t: underflow' OR 'use-after-free' OR 'kernel panic'; to attribute a hit to this bug, require 'nfs3svc_release_getacl' or 'nfsd' in the accompanying backtrace, since the underflow string is generic to every refcount_t misuse.
🔗 References
- https://git.kernel.org/stable/c/1fd94884174bd20beb1773990fd3b1aa877688d9
- https://git.kernel.org/stable/c/2e59b2b68782519560b3d6a41dd66a3d01a01cd3
- https://git.kernel.org/stable/c/55d947315fb5f67a35e4e1d3e01bb886b9c6decf
- https://git.kernel.org/stable/c/6f7cfee1a316891890c505563aa54f3476db52fd
- https://git.kernel.org/stable/c/7faf14a7b0366f153284db0ad3347c457ea70136
- https://git.kernel.org/stable/c/8a1737ae42c928384ab6447f6ee1a882510e85fa
- https://git.kernel.org/stable/c/f8d871523142f7895f250a856f8c4a4181614510
- https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html
- https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html