CVE-2025-21900

NFSv4: Fix a deadlock when recovering state on a sillyrenamed file

Description

In the Linux kernel, the following vulnerability has been resolved: NFSv4: Fix a deadlock when recovering state on a sillyrenamed file If the file is sillyrenamed, and slated for delete on close, it is possible for a server reboot to triggeer an open reclaim, with can again race with the application call to close(). When that happens, the call to put_nfs_open_context() can trigger a synchronous delegreturn call which deadlocks because it is not marked as privileged. Instead, ensure that the call to nfs4_inode_return_delegation_on_close() catches the delegreturn, and schedules it asynchronously.

Category

5.5
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.01%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/4fe4ae6c2e01d028856b73b6328b12b8945df871 patch
https://git.kernel.org/stable/c/f41a60bc43e7abbc636fee78bed0d74c31e738b0 patch
https://git.kernel.org/stable/c/8f8df955f078e1a023ee55161935000a67651f38 patch

Frequently Asked Questions

What is the severity of CVE-2025-21900?
CVE-2025-21900 has been scored as a medium severity vulnerability.
How to fix CVE-2025-21900?
To fix CVE-2025-21900, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-21900 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-21900 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-21900?
CVE-2025-21900 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.