{"uuid": "d29b5cf6-6ffe-4cac-9c85-e2fda799d5c7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2025-21796", "type": "seen", "source": "https://t.me/cvedetector/18999", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2025-21796 - Linux Kernel NFSd Use-After-Free Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2025-21796 \nPublished : Feb. 27, 2025, 3:15 a.m. | 1\u00a0hour, 54\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved:  \n  \nnfsd: clear acl_access/acl_default after releasing them  \n  \nIf getting acl_default fails, acl_access and acl_default will be released  \nsimultaneously. However, acl_access will still retain a pointer pointing  \nto the released posix_acl, which will trigger a WARNING in  \nnfs3svc_release_getacl like this:  \n  \n------------[ cut here ]------------  \nrefcount_t: underflow; use-after-free.  \nWARNING: CPU: 26 PID: 3199 at lib/refcount.c:28  \nrefcount_warn_saturate+0xb5/0x170  \nModules linked in:  \nCPU: 26 UID: 0 PID: 3199 Comm: nfsd Not tainted  \n6.12.0-rc6-00079-g04ae226af01f-dirty #8  \nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS  \n1.16.1-2.fc37 04/01/2014  \nRIP: 0010:refcount_warn_saturate+0xb5/0x170  \nCode: cc cc 0f b6 1d b3 20 a5 03 80 fb 01 0f 87 65 48 d8 00 83 e3 01 75  \ne4 48 c7 c7 c0 3b 9b 85 c6 05 97 20 a5 03 01 e8 fb 3e 30 ff <0f0b eb  \ncd 0f b6 1d 8a3  \nRSP: 0018:ffffc90008637cd8 EFLAGS: 00010282  \nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff83904fde  \nRDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88871ed36380  \nRBP: ffff888158beeb40 R08: 0000000000000001 R09: fffff520010c6f56  \nR10: ffffc90008637ab7 R11: 0000000000000001 R12: 0000000000000001  \nR13: ffff888140e77400 R14: ffff888140e77408 R15: ffffffff858b42c0  \nFS:  0000000000000000(0000) GS:ffff88871ed00000(0000)  \nknlGS:0000000000000000  \nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  \nCR2: 0000562384d32158 CR3: 000000055cc6a000 CR4: 00000000000006f0  \nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000  \nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400  \nCall Trace:  \n   \n ? refcount_warn_saturate+0xb5/0x170  \n ? __warn+0xa5/0x140  \n ? refcount_warn_saturate+0xb5/0x170  \n ? report_bug+0x1b1/0x1e0  \n ? handle_bug+0x53/0xa0  \n ? exc_invalid_op+0x17/0x40  \n ? asm_exc_invalid_op+0x1a/0x20  \n ? tick_nohz_tick_stopped+0x1e/0x40  \n ? refcount_warn_saturate+0xb5/0x170  \n ? refcount_warn_saturate+0xb5/0x170  \n nfs3svc_release_getacl+0xc9/0xe0  \n svc_process_common+0x5db/0xb60  \n ? __pfx_svc_process_common+0x10/0x10  \n ? __rcu_read_unlock+0x69/0xa0  \n ? __pfx_nfsd_dispatch+0x10/0x10  \n ? svc_xprt_received+0xa1/0x120  \n ? xdr_init_decode+0x11d/0x190  \n svc_process+0x2a7/0x330  \n svc_handle_xprt+0x69d/0x940  \n svc_recv+0x180/0x2d0  \n nfsd+0x168/0x200  \n ? __pfx_nfsd+0x10/0x10  \n kthread+0x1a2/0x1e0  \n ? kthread+0xf4/0x1e0  \n ? __pfx_kthread+0x10/0x10  \n ret_from_fork+0x34/0x60  \n ? __pfx_kthread+0x10/0x10  \n ret_from_fork_asm+0x1a/0x30  \n   \nKernel panic - not syncing: kernel: panic_on_warn set ...  \n  \nClear acl_access/acl_default after posix_acl_release is called to prevent  \nUAF from being triggered. \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"27 Feb 2025\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2025-02-27T06:11:20.000000Z"}