CVE-2025-38566

In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix handling of server side tls alerts Scott Mayhew discovered a security exploit in NFS over TLS in tls_alert_recv() due to its assumption it can read data from the msg iterator's kvec.. kTLS implementation splits TLS non-data record payload between the control message buffer (which includes the type such as TLS aler or TLS cipher change) and the rest of the payload (say TLS alert's level/description) which goes into the msg payload buffer. This patch proposes to rework how control messages are setup and used by sock_recvmsg(). If no control message structure is setup, kTLS layer will read and process TLS data record types. As soon as it encounters a TLS control message, it would return an error. At that point, NFS can setup a kvec backed msg buffer and read in the control message such as a TLS alert. Msg iterator can advance the kvec pointer as a part of the copy process thus we need to revert the iterator before calling into the tls_alert_recv.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/25bb3647d30a20486b5fe7cff2b0e503c16c9692	Patch
https://git.kernel.org/stable/c/3b549da875414989f480b66835d514be80a0bd9c	Patch
https://git.kernel.org/stable/c/6b33c31cc788073bfbed9297e1f4486ed73d87da	Patch
https://git.kernel.org/stable/c/b1df394621710b312f0393e3f240fdac0764f968	Patch
https://git.kernel.org/stable/c/bee47cb026e762841f3faece47b51f985e215edb	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.17:rc1::::::

History

No history.

Information

Published : 2025-08-19 17:15

Updated : 2025-11-26 18:15

NVD link : CVE-2025-38566

Mitre link : CVE-2025-38566

CVE.ORG link : CVE-2025-38566

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-754

Improper Check for Unusual or Exceptional Conditions

{"id": "CVE-2025-38566", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2025-08-19T17:15:33.230", "references": [{"url": "https://git.kernel.org/stable/c/25bb3647d30a20486b5fe7cff2b0e503c16c9692", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3b549da875414989f480b66835d514be80a0bd9c", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6b33c31cc788073bfbed9297e1f4486ed73d87da", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b1df394621710b312f0393e3f240fdac0764f968", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/bee47cb026e762841f3faece47b51f985e215edb", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-754"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsunrpc: fix handling of server side tls alerts\n\nScott Mayhew discovered a security exploit in NFS over TLS in\ntls_alert_recv() due to its assumption it can read data from\nthe msg iterator's kvec..\n\nkTLS implementation splits TLS non-data record payload between\nthe control message buffer (which includes the type such as TLS\naler or TLS cipher change) and the rest of the payload (say TLS\nalert's level/description) which goes into the msg payload buffer.\n\nThis patch proposes to rework how control messages are setup and\nused by sock_recvmsg().\n\nIf no control message structure is setup, kTLS layer will read and\nprocess TLS data record types. As soon as it encounters a TLS control\nmessage, it would return an error. At that point, NFS can setup a\nkvec backed msg buffer and read in the control message such as a\nTLS alert. Msg iterator can advance the kvec pointer as a part of\nthe copy process thus we need to revert the iterator before calling\ninto the tls_alert_recv."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: sunrpc: correcci\u00f3n del manejo de las alertas tls del lado del servidor Scott Mayhew descubri\u00f3 un exploit de seguridad en NFS sobre TLS en tls_alert_recv() debido a su suposici\u00f3n de que puede leer datos del kvec del iterador msg. La implementaci\u00f3n de kTLS divide el payload del registro no de datos de TLS entre el b\u00fafer de mensajes de control (que incluye el tipo como la alerta TLS o el cambio de cifrado TLS) y el resto del payload (por ejemplo, el nivel/descripci\u00f3n de la alerta TLS) que va al b\u00fafer de payload msg. Este parche propone volver a trabajar c\u00f3mo se configuran y utilizan los mensajes de control por sock_recvmsg(). Si no se configura ninguna estructura de mensaje de control, la capa kTLS leer\u00e1 y procesar\u00e1 los tipos de registros de datos TLS. Tan pronto como encuentre un mensaje de control TLS, devolver\u00e1 un error. En ese punto, NFS puede configurar un b\u00fafer de mensajes respaldado por kvec y leer el mensaje de control como una alerta TLS. El iterador Msg puede avanzar el puntero kvec como parte del proceso de copia, por lo tanto, debemos revertir el iterador antes de llamar a tls_alert_recv."}], "lastModified": "2025-11-26T18:15:05.167", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5BCA0ECA-F7A2-42B6-A438-0891D46073AD", "versionEndExcluding": "6.6.102", "versionStartIncluding": "6.4"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EA7AA5E6-4376-4A85-A021-6ACC5FF801C3", "versionEndExcluding": "6.12.42", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5890C690-B295-40C2-9121-FF5F987E5142", "versionEndExcluding": "6.15.10", "versionStartIncluding": "6.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "58182352-D7DF-4CC9-841E-03C1D852C3FB", "versionEndExcluding": "6.16.1", "versionStartIncluding": "6.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "327D22EF-390B-454C-BD31-2ED23C998A1C"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}