CVE-2025-38566 (GCVE-0-2025-38566)

Vulnerability from cvelistv5 – Published: 2025-08-19 17:02 – Updated: 2026-05-11 21:30
VLAI
Title
sunrpc: fix handling of server side tls alerts
Summary
In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix handling of server side tls alerts Scott Mayhew discovered a security exploit in NFS over TLS in tls_alert_recv() due to its assumption it can read data from the msg iterator's kvec.. kTLS implementation splits TLS non-data record payload between the control message buffer (which includes the type such as TLS aler or TLS cipher change) and the rest of the payload (say TLS alert's level/description) which goes into the msg payload buffer. This patch proposes to rework how control messages are setup and used by sock_recvmsg(). If no control message structure is setup, kTLS layer will read and process TLS data record types. As soon as it encounters a TLS control message, it would return an error. At that point, NFS can setup a kvec backed msg buffer and read in the control message such as a TLS alert. Msg iterator can advance the kvec pointer as a part of the copy process thus we need to revert the iterator before calling into the tls_alert_recv.
Severity
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 5e052dda121e2870dd87181783da4a95d7d2927b , < b1df394621710b312f0393e3f240fdac0764f968 (git)
Affected: 5e052dda121e2870dd87181783da4a95d7d2927b , < 25bb3647d30a20486b5fe7cff2b0e503c16c9692 (git)
Affected: 5e052dda121e2870dd87181783da4a95d7d2927b , < 3b549da875414989f480b66835d514be80a0bd9c (git)
Affected: 5e052dda121e2870dd87181783da4a95d7d2927b , < 6b33c31cc788073bfbed9297e1f4486ed73d87da (git)
Affected: 5e052dda121e2870dd87181783da4a95d7d2927b , < bee47cb026e762841f3faece47b51f985e215edb (git)
Create a notification for this product.
Linux Linux Affected: 6.4
Unaffected: 0 , < 6.4 (semver)
Unaffected: 6.6.102 , ≤ 6.6.* (semver)
Unaffected: 6.12.42 , ≤ 6.12.* (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sunrpc/svcsock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b1df394621710b312f0393e3f240fdac0764f968",
              "status": "affected",
              "version": "5e052dda121e2870dd87181783da4a95d7d2927b",
              "versionType": "git"
            },
            {
              "lessThan": "25bb3647d30a20486b5fe7cff2b0e503c16c9692",
              "status": "affected",
              "version": "5e052dda121e2870dd87181783da4a95d7d2927b",
              "versionType": "git"
            },
            {
              "lessThan": "3b549da875414989f480b66835d514be80a0bd9c",
              "status": "affected",
              "version": "5e052dda121e2870dd87181783da4a95d7d2927b",
              "versionType": "git"
            },
            {
              "lessThan": "6b33c31cc788073bfbed9297e1f4486ed73d87da",
              "status": "affected",
              "version": "5e052dda121e2870dd87181783da4a95d7d2927b",
              "versionType": "git"
            },
            {
              "lessThan": "bee47cb026e762841f3faece47b51f985e215edb",
              "status": "affected",
              "version": "5e052dda121e2870dd87181783da4a95d7d2927b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sunrpc/svcsock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.102",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.102",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsunrpc: fix handling of server side tls alerts\n\nScott Mayhew discovered a security exploit in NFS over TLS in\ntls_alert_recv() due to its assumption it can read data from\nthe msg iterator\u0027s kvec..\n\nkTLS implementation splits TLS non-data record payload between\nthe control message buffer (which includes the type such as TLS\naler or TLS cipher change) and the rest of the payload (say TLS\nalert\u0027s level/description) which goes into the msg payload buffer.\n\nThis patch proposes to rework how control messages are setup and\nused by sock_recvmsg().\n\nIf no control message structure is setup, kTLS layer will read and\nprocess TLS data record types. As soon as it encounters a TLS control\nmessage, it would return an error. At that point, NFS can setup a\nkvec backed msg buffer and read in the control message such as a\nTLS alert. Msg iterator can advance the kvec pointer as a part of\nthe copy process thus we need to revert the iterator before calling\ninto the tls_alert_recv."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:30:34.423Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b1df394621710b312f0393e3f240fdac0764f968"
        },
        {
          "url": "https://git.kernel.org/stable/c/25bb3647d30a20486b5fe7cff2b0e503c16c9692"
        },
        {
          "url": "https://git.kernel.org/stable/c/3b549da875414989f480b66835d514be80a0bd9c"
        },
        {
          "url": "https://git.kernel.org/stable/c/6b33c31cc788073bfbed9297e1f4486ed73d87da"
        },
        {
          "url": "https://git.kernel.org/stable/c/bee47cb026e762841f3faece47b51f985e215edb"
        }
      ],
      "title": "sunrpc: fix handling of server side tls alerts",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38566",
    "datePublished": "2025-08-19T17:02:42.506Z",
    "dateReserved": "2025-04-16T04:51:24.025Z",
    "dateUpdated": "2026-05-11T21:30:34.423Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-38566",
      "date": "2026-06-30",
      "epss": "0.00528",
      "percentile": "0.4061"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-38566\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-08-19T17:15:33.230\",\"lastModified\":\"2026-06-17T09:17:07.443\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsunrpc: fix handling of server side tls alerts\\n\\nScott Mayhew discovered a security exploit in NFS over TLS in\\ntls_alert_recv() due to its assumption it can read data from\\nthe msg iterator\u0027s kvec..\\n\\nkTLS implementation splits TLS non-data record payload between\\nthe control message buffer (which includes the type such as TLS\\naler or TLS cipher change) and the rest of the payload (say TLS\\nalert\u0027s level/description) which goes into the msg payload buffer.\\n\\nThis patch proposes to rework how control messages are setup and\\nused by sock_recvmsg().\\n\\nIf no control message structure is setup, kTLS layer will read and\\nprocess TLS data record types. As soon as it encounters a TLS control\\nmessage, it would return an error. At that point, NFS can setup a\\nkvec backed msg buffer and read in the control message such as a\\nTLS alert. Msg iterator can advance the kvec pointer as a part of\\nthe copy process thus we need to revert the iterator before calling\\ninto the tls_alert_recv.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: sunrpc: correcci\u00f3n del manejo de las alertas tls del lado del servidor Scott Mayhew descubri\u00f3 un exploit de seguridad en NFS sobre TLS en tls_alert_recv() debido a su suposici\u00f3n de que puede leer datos del kvec del iterador msg. La implementaci\u00f3n de kTLS divide el payload del registro no de datos de TLS entre el b\u00fafer de mensajes de control (que incluye el tipo como la alerta TLS o el cambio de cifrado TLS) y el resto del payload (por ejemplo, el nivel/descripci\u00f3n de la alerta TLS) que va al b\u00fafer de payload msg. Este parche propone volver a trabajar c\u00f3mo se configuran y utilizan los mensajes de control por sock_recvmsg(). Si no se configura ninguna estructura de mensaje de control, la capa kTLS leer\u00e1 y procesar\u00e1 los tipos de registros de datos TLS. Tan pronto como encuentre un mensaje de control TLS, devolver\u00e1 un error. En ese punto, NFS puede configurar un b\u00fafer de mensajes respaldado por kvec y leer el mensaje de control como una alerta TLS. El iterador Msg puede avanzar el puntero kvec como parte del proceso de copia, por lo tanto, debemos revertir el iterador antes de llamar a tls_alert_recv.\"}],\"affected\":[{\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"affectedData\":[{\"vendor\":\"Linux\",\"product\":\"Linux\",\"defaultStatus\":\"unaffected\",\"programFiles\":[\"net/sunrpc/svcsock.c\"],\"repo\":\"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\",\"versions\":[{\"version\":\"5e052dda121e2870dd87181783da4a95d7d2927b\",\"lessThan\":\"b1df394621710b312f0393e3f240fdac0764f968\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"5e052dda121e2870dd87181783da4a95d7d2927b\",\"lessThan\":\"25bb3647d30a20486b5fe7cff2b0e503c16c9692\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"5e052dda121e2870dd87181783da4a95d7d2927b\",\"lessThan\":\"3b549da875414989f480b66835d514be80a0bd9c\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"5e052dda121e2870dd87181783da4a95d7d2927b\",\"lessThan\":\"6b33c31cc788073bfbed9297e1f4486ed73d87da\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"5e052dda121e2870dd87181783da4a95d7d2927b\",\"lessThan\":\"bee47cb026e762841f3faece47b51f985e215edb\",\"versionType\":\"git\",\"status\":\"affected\"}]},{\"vendor\":\"Linux\",\"product\":\"Linux\",\"defaultStatus\":\"affected\",\"programFiles\":[\"net/sunrpc/svcsock.c\"],\"repo\":\"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\",\"versions\":[{\"version\":\"6.4\",\"status\":\"affected\"},{\"version\":\"0\",\"lessThan\":\"6.4\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.6.102\",\"lessThanOrEqual\":\"6.6.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.12.42\",\"lessThanOrEqual\":\"6.12.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.15.10\",\"lessThanOrEqual\":\"6.15.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.16.1\",\"lessThanOrEqual\":\"6.16.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.17\",\"lessThanOrEqual\":\"*\",\"versionType\":\"original_commit_for_fix\",\"status\":\"unaffected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-754\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.4\",\"versionEndExcluding\":\"6.6.102\",\"matchCriteriaId\":\"5BCA0ECA-F7A2-42B6-A438-0891D46073AD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.12.42\",\"matchCriteriaId\":\"EA7AA5E6-4376-4A85-A021-6ACC5FF801C3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13\",\"versionEndExcluding\":\"6.15.10\",\"matchCriteriaId\":\"5890C690-B295-40C2-9121-FF5F987E5142\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.16\",\"versionEndExcluding\":\"6.16.1\",\"matchCriteriaId\":\"58182352-D7DF-4CC9-841E-03C1D852C3FB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"327D22EF-390B-454C-BD31-2ED23C998A1C\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/25bb3647d30a20486b5fe7cff2b0e503c16c9692\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/3b549da875414989f480b66835d514be80a0bd9c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/6b33c31cc788073bfbed9297e1f4486ed73d87da\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/b1df394621710b312f0393e3f240fdac0764f968\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/bee47cb026e762841f3faece47b51f985e215edb\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.