CVE-2025-22024
📋 TL;DR
A use-after-free vulnerability in the Linux kernel's NFS server (nfsd) allows a root user to trigger a kernel panic or system crash by manipulating listener transports when no active threads are running. This affects Linux systems running NFS server with kernel versions containing the bug. The vulnerability requires root access to exploit.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and denial of service, potentially causing data loss or service disruption.
Likely Case
System crash requiring reboot, causing temporary NFS service unavailability.
If Mitigated
No impact if proper access controls prevent unauthorized root access to nfsdctl commands.
🎯 Exploit Status
Requires root access and specific sequence of nfsdctl commands when no active threads are running.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions with commits 052a34f093fb940a145493d1438e7abbfe507cdd, 0f42df0ab2b11ea6b2884bdaf6dbc3be6dde7e82, a84c80515ca8a0cdf6d06f1b6ca721224b08453e, or d093c90892607be505e801469d6674459e69ab89
Vendor Advisory: https://git.kernel.org/stable/c/052a34f093fb940a145493d1438e7abbfe507cdd
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version.
2. Reboot system.
3. Verify kernel version with 'uname -r'.
🔧 Temporary Workarounds
Restrict nfsdctl access
Limit root access to nfsdctl commands using sudo restrictions or access controls.
sudo visudo
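Add: 'username ALL=(ALL) !/usr/sbin/nfsdctl'
This rule only affects accounts that reach root through sudo, and the sudoers manual notes that subtracting a command with '!' is generally not effective when the same user may otherwise run arbitrary commands as root.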
Disable NFS server if unused
Stop and disable nfsd service if not required.
sudo systemctl stop nfs-server
sudo systemctl disable nfs-server
🧯 If You Can't Patch
- Restrict root access to nfsdctl commands using sudoers or RBAC
- Monitor for kernel panic logs and unauthorized nfsdctl usage
🔍 How to Verify
Check if Vulnerable:
Check kernel version and if nfsd is running: 'uname -r' and 'systemctl status nfs-server'
Check Version:
uname -r
Verify Fix Applied:
Verify that the kernel version is patched and test that nfsdctl listener removal does not cause crashes.
📡 Detection & Monitoring
Log Indicators:
- Kernel panic logs with refcount_warn_saturate messages
- nfsdctl command usage in audit logs
Network Indicators:
- Sudden NFS service interruption
SIEM Query:
source="kernel" AND ("refcount_warn_saturate" OR "use-after-free")
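The two log indicators above can be correlated so that a refcount warning is reported together with any nfsdctl execution that shortly preceded it. This is an added example, not code from the advisory or the kernel project; it assumes auditd SYSCALL records for execve and kernel messages exported with `journalctl -k -o short-unix`, and every sample line, the host name `nfs01` and the function names are constructed for illustration.

```python
import re

# Constructed sample input (not captured from a real host).
AUDIT_LOG = """\
type=SYSCALL msg=audit(1712000100.101:8841): arch=c000003e syscall=59 success=yes exit=0 uid=0 auid=1000 comm="nfsdctl" exe="/usr/sbin/nfsdctl"
type=SYSCALL msg=audit(1712000110.350:8842): arch=c000003e syscall=59 success=yes exit=0 uid=0 auid=1000 comm="ls" exe="/usr/bin/ls"
type=SYSCALL msg=audit(1712000118.902:8843): arch=c000003e syscall=59 success=yes exit=0 uid=0 auid=1000 comm="nfsdctl" exe="/usr/sbin/nfsdctl"
"""
KERNEL_LOG = """\
1712000050.000100 nfs01 kernel: eth0: link up
1712000119.004512 nfs01 kernel: refcount_t: addition on 0; use-after-free.
1712000119.004650 nfs01 kernel: WARNING: CPU: 1 PID: 4242 at lib/refcount.c:25 refcount_warn_saturate+0xba/0x110
1712009999.000000 nfs01 kernel: refcount_t: underflow; use-after-free.
"""

# Audit record: epoch timestamp, event serial, login uid, executable path.
AUDIT_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\).*\bauid=(\d+).*\bexe="([^"]+)"')
# Kernel line carrying either indicator named in the SIEM query.
KERN_RE = re.compile(r'^(\d+\.\d+) \S+ kernel: (.*(?:refcount_warn_saturate|use-after-free).*)$')

def nfsdctl_runs(audit_text):
    """Return one dict per audited execution of an nfsdctl binary."""
    runs = []
    for line in audit_text.splitlines():
        m = AUDIT_RE.search(line)
        if m and line.startswith("type=SYSCALL") and m.group(4).endswith("/nfsdctl"):
            runs.append({"ts": float(m.group(1)), "serial": int(m.group(2)),
                         "auid": int(m.group(3))})
    return runs

def correlate(audit_text, kernel_text, window=60.0):
    """Pair each refcount warning with nfsdctl runs in the preceding window (seconds)."""
    runs = nfsdctl_runs(audit_text)
    findings = []
    for line in kernel_text.splitlines():
        m = KERN_RE.match(line)
        if not m:
            continue
        ts = float(m.group(1))
        prior = [r["serial"] for r in runs if 0 <= ts - r["ts"] <= window]
        findings.append({"ts": ts, "message": m.group(2), "nfsdctl_serials": prior})
    return findings

if __name__ == "__main__":
    for f in correlate(AUDIT_LOG, KERNEL_LOG):
        tag = "nfsdctl-correlated" if f["nfsdctl_serials"] else "uncorrelated"
        print(f'{f["ts"]:.6f} [{tag}] {f["message"]} audit={f["nfsdctl_serials"]}')
```

A finding with an empty `nfsdctl_serials` list is a refcount warning with no nearby nfsdctl activity and most likely belongs to a different subsystem.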