CVE-2025-38231

nfsd: Initialize ssc before laundromat_work to prevent NULL dereference

Description

In the Linux kernel, the following vulnerability has been resolved: nfsd: Initialize ssc before laundromat_work to prevent NULL dereference In nfs4_state_start_net(), laundromat_work may access nfsd_ssc through nfs4_laundromat -> nfsd4_ssc_expire_umount. If nfsd_ssc isn't initialized, this can cause NULL pointer dereference. Normally the delayed start of laundromat_work allows sufficient time for nfsd_ssc initialization to complete. However, when the kernel waits too long for userspace responses (e.g. in nfs4_state_start_net -> nfsd4_end_grace -> nfsd4_record_grace_done -> nfsd4_cld_grace_done -> cld_pipe_upcall -> __cld_pipe_upcall -> wait_for_completion path), the delayed work may start before nfsd_ssc initialization finishes. Fix this by moving nfsd_ssc initialization before starting laundromat_work.

N/A
CVSS
Severity:
EPSS 0.02%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/deaeb74ae9318252829c59a84a7d2316fc335660
https://git.kernel.org/stable/c/0fccf5f01ed28725cc313a66ca1247eef911d55e
https://git.kernel.org/stable/c/a97668ec6d73dab237cd1c15efe012a10090a4ed
https://git.kernel.org/stable/c/5060e1a5fef184bd11d298e3f0ee920d96a23236
https://git.kernel.org/stable/c/d622c2ee6c08147ab8c9b9e37d93b6e95d3258e0
https://git.kernel.org/stable/c/83ac1ba8ca102ab5c0ed4351f8ac6e74ac4d5d64
https://git.kernel.org/stable/c/b31da62889e6d610114d81dc7a6edbcaa503fcf8

Frequently Asked Questions

What is the severity of CVE-2025-38231?
CVE-2025-38231 has not yet been assigned a CVSS score.
How to fix CVE-2025-38231?
To fix CVE-2025-38231, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-38231 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-38231 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-38231?
CVE-2025-38231 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.