{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-38566", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T04:51:24.025Z", "datePublished": "2025-08-19T17:02:42.506Z", "dateUpdated": "2025-08-19T17:02:42.506Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-08-19T17:02:42.506Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsunrpc: fix handling of server side tls alerts\n\nScott Mayhew discovered a security exploit in NFS over TLS in\ntls_alert_recv() due to its assumption it can read data from\nthe msg iterator's kvec..\n\nkTLS implementation splits TLS non-data record payload between\nthe control message buffer (which includes the type such as TLS\naler or TLS cipher change) and the rest of the payload (say TLS\nalert's level/description) which goes into the msg payload buffer.\n\nThis patch proposes to rework how control messages are setup and\nused by sock_recvmsg().\n\nIf no control message structure is setup, kTLS layer will read and\nprocess TLS data record types. As soon as it encounters a TLS control\nmessage, it would return an error. At that point, NFS can setup a\nkvec backed msg buffer and read in the control message such as a\nTLS alert. Msg iterator can advance the kvec pointer as a part of\nthe copy process thus we need to revert the iterator before calling\ninto the tls_alert_recv."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/sunrpc/svcsock.c"], "versions": [{"version": "5e052dda121e2870dd87181783da4a95d7d2927b", "lessThan": "b1df394621710b312f0393e3f240fdac0764f968", "status": "affected", "versionType": "git"}, {"version": "5e052dda121e2870dd87181783da4a95d7d2927b", "lessThan": "25bb3647d30a20486b5fe7cff2b0e503c16c9692", "status": "affected", "versionType": "git"}, {"version": "5e052dda121e2870dd87181783da4a95d7d2927b", "lessThan": "3b549da875414989f480b66835d514be80a0bd9c", "status": "affected", "versionType": "git"}, {"version": "5e052dda121e2870dd87181783da4a95d7d2927b", "lessThan": "6b33c31cc788073bfbed9297e1f4486ed73d87da", "status": "affected", "versionType": "git"}, {"version": "5e052dda121e2870dd87181783da4a95d7d2927b", "lessThan": "bee47cb026e762841f3faece47b51f985e215edb", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/sunrpc/svcsock.c"], "versions": [{"version": "6.4", "status": "affected"}, {"version": "0", "lessThan": "6.4", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.102", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.42", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.15.10", "lessThanOrEqual": "6.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.16.1", "lessThanOrEqual": "6.16.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.17-rc2", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.6.102"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.12.42"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.15.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.16.1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.17-rc2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/b1df394621710b312f0393e3f240fdac0764f968"}, {"url": "https://git.kernel.org/stable/c/25bb3647d30a20486b5fe7cff2b0e503c16c9692"}, {"url": "https://git.kernel.org/stable/c/3b549da875414989f480b66835d514be80a0bd9c"}, {"url": "https://git.kernel.org/stable/c/6b33c31cc788073bfbed9297e1f4486ed73d87da"}, {"url": "https://git.kernel.org/stable/c/bee47cb026e762841f3faece47b51f985e215edb"}], "title": "sunrpc: fix handling of server side tls alerts", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsunrpc: fix handling of server side tls alerts\n\nScott Mayhew discovered a security exploit in NFS over TLS in\ntls_alert_recv() due to its assumption it can read data from\nthe msg iterator's kvec..\n\nkTLS implementation splits TLS non-data record payload between\nthe control message buffer (which includes the type such as TLS\naler or TLS cipher change) and the rest of the payload (say TLS\nalert's level/description) which goes into the msg payload buffer.\n\nThis patch proposes to rework how control messages are setup and\nused by sock_recvmsg().\n\nIf no control message structure is setup, kTLS layer will read and\nprocess TLS data record types. As soon as it encounters a TLS control\nmessage, it would return an error. At that point, NFS can setup a\nkvec backed msg buffer and read in the control message such as a\nTLS alert. Msg iterator can advance the kvec pointer as a part of\nthe copy process thus we need to revert the iterator before calling\ninto the tls_alert_recv."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: sunrpc: correcci\u00f3n del manejo de las alertas tls del lado del servidor Scott Mayhew descubri\u00f3 un exploit de seguridad en NFS sobre TLS en tls_alert_recv() debido a su suposici\u00f3n de que puede leer datos del kvec del iterador msg. La implementaci\u00f3n de kTLS divide el payload del registro no de datos de TLS entre el b\u00fafer de mensajes de control (que incluye el tipo como la alerta TLS o el cambio de cifrado TLS) y el resto del payload (por ejemplo, el nivel/descripci\u00f3n de la alerta TLS) que va al b\u00fafer de payload msg. Este parche propone volver a trabajar c\u00f3mo se configuran y utilizan los mensajes de control por sock_recvmsg(). Si no se configura ninguna estructura de mensaje de control, la capa kTLS leer\u00e1 y procesar\u00e1 los tipos de registros de datos TLS. Tan pronto como encuentre un mensaje de control TLS, devolver\u00e1 un error. En ese punto, NFS puede configurar un b\u00fafer de mensajes respaldado por kvec y leer el mensaje de control como una alerta TLS. El iterador Msg puede avanzar el puntero kvec como parte del proceso de copia, por lo tanto, debemos revertir el iterador antes de llamar a tls_alert_recv."}], "id": "CVE-2025-38566", "lastModified": "2025-08-20T14:40:17.713", "metrics": {}, "published": "2025-08-19T17:15:33.230", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/25bb3647d30a20486b5fe7cff2b0e503c16c9692"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3b549da875414989f480b66835d514be80a0bd9c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6b33c31cc788073bfbed9297e1f4486ed73d87da"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b1df394621710b312f0393e3f240fdac0764f968"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/bee47cb026e762841f3faece47b51f985e215edb"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: sunrpc: fix handling of server side tls alerts", "id": "2389487", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2389487"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2025-38566", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-08-19T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-38566\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38566\nhttps://lore.kernel.org/linux-cve-announce/2025081908-CVE-2025-38566-edef@gregkh/T"], "threat_severity": "Moderate"}