CVE-2025-38430
nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request
In the Linux kernel, the following vulnerability has been resolved:
nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request
If the request being processed is not a v4 compound request, then
examining the cstate can have undefined results.
This patch adds a check that the rpc procedure being executed
(rq_procinfo) is the NFSPROC4_COMPOUND procedure.
Affected products
Linux · LinuxWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://cert-portal.siemens.com/productcert/html/ssa-082556.htmlhttps://git.kernel.org/stable/c/1244f0b2c3cecd3f349a877006e67c9492b41807https://git.kernel.org/stable/c/2c54bd5a380ebf646fb9efbc4ae782ff3a83a5afhttps://git.kernel.org/stable/c/425efc6b3292a3c79bfee4a1661cf043dcd9cf2fhttps://git.kernel.org/stable/c/64a723b0281ecaa59d31aad73ef8e408a84cb603https://git.kernel.org/stable/c/7a75a956692aa64211a9e95781af1ec461642de4https://git.kernel.org/stable/c/b1d0323a09a29f81572c7391e0d80d78724729c9https://git.kernel.org/stable/c/bf78a2706ce975981eb5167f2d3b609eb5d24c19https://git.kernel.org/stable/c/e7e943ddd1c6731812357a28e7954ade3a7d8517https://lists.debian.org/debian-lts-announce/2025/10/msg00007.htmlhttps://lists.debian.org/debian-lts-announce/2025/10/msg00008.html