{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-22025","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-12-29T08:45:45.807Z","datePublished":"2025-04-16T14:11:46.624Z","dateUpdated":"2026-05-11T21:11:12.215Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:11:12.215Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: put dl_stid if fail to queue dl_recall\n\nBefore calling nfsd4_run_cb to queue dl_recall to the callback_wq, we\nincrement the reference count of dl_stid.\nWe expect that after the corresponding work_struct is processed, the\nreference count of dl_stid will be decremented through the callback\nfunction nfsd4_cb_recall_release.\nHowever, if the call to nfsd4_run_cb fails, the incremented reference\ncount of dl_stid will not be decremented correspondingly, leading to the\nfollowing nfs4_stid leak:\nunreferenced object 0xffff88812067b578 (size 344):\n  comm \"nfsd\", pid 2761, jiffies 4295044002 (age 5541.241s)\n  hex dump (first 32 bytes):\n    01 00 00 00 6b 6b 6b 6b b8 02 c0 e2 81 88 ff ff  ....kkkk........\n    00 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 ad 4e ad de  .kkkkkkk.....N..\n  backtrace:\n    kmem_cache_alloc+0x4b9/0x700\n    nfsd4_process_open1+0x34/0x300\n    nfsd4_open+0x2d1/0x9d0\n    nfsd4_proc_compound+0x7a2/0xe30\n    nfsd_dispatch+0x241/0x3e0\n    svc_process_common+0x5d3/0xcc0\n    svc_process+0x2a3/0x320\n    nfsd+0x180/0x2e0\n    kthread+0x199/0x1d0\n    ret_from_fork+0x30/0x50\n    ret_from_fork_asm+0x1b/0x30\nunreferenced object 0xffff8881499f4d28 (size 368):\n  comm \"nfsd\", pid 2761, jiffies 4295044005 (age 5541.239s)\n  hex dump (first 32 bytes):\n    01 00 00 00 00 00 00 00 30 4d 9f 49 81 88 ff ff  ........0M.I....\n    30 4d 9f 49 81 88 ff ff 20 00 00 00 01 00 00 00  0M.I.... .......\n  backtrace:\n    kmem_cache_alloc+0x4b9/0x700\n    nfs4_alloc_stid+0x29/0x210\n    alloc_init_deleg+0x92/0x2e0\n    nfs4_set_delegation+0x284/0xc00\n    nfs4_open_delegation+0x216/0x3f0\n    nfsd4_process_open2+0x2b3/0xee0\n    nfsd4_open+0x770/0x9d0\n    nfsd4_proc_compound+0x7a2/0xe30\n    nfsd_dispatch+0x241/0x3e0\n    svc_process_common+0x5d3/0xcc0\n    svc_process+0x2a3/0x320\n    nfsd+0x180/0x2e0\n    kthread+0x199/0x1d0\n    ret_from_fork+0x30/0x50\n    ret_from_fork_asm+0x1b/0x30\nFix it by checking the result of nfsd4_run_cb and call nfs4_put_stid if\nfail to queue dl_recall."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/nfsd/nfs4state.c"],"versions":[{"version":"b5a1a81e5c25fb6bb3fdc1812ba69ff6ab638fcf","lessThan":"b874cdef4e67e5150e07eff0eae1cbb21fb92da1","status":"affected","versionType":"git"},{"version":"b5a1a81e5c25fb6bb3fdc1812ba69ff6ab638fcf","lessThan":"cdb796137c57e68ca34518d53be53b679351eb86","status":"affected","versionType":"git"},{"version":"b5a1a81e5c25fb6bb3fdc1812ba69ff6ab638fcf","lessThan":"d96587cc93ec369031bcd7658c6adc719873c9fd","status":"affected","versionType":"git"},{"version":"b5a1a81e5c25fb6bb3fdc1812ba69ff6ab638fcf","lessThan":"9a81cde8c7ce65dd90fb47ceea93a45fc1a2fbd1","status":"affected","versionType":"git"},{"version":"b5a1a81e5c25fb6bb3fdc1812ba69ff6ab638fcf","lessThan":"cad3479b63661a399c9df1d0b759e1806e2df3c8","status":"affected","versionType":"git"},{"version":"b5a1a81e5c25fb6bb3fdc1812ba69ff6ab638fcf","lessThan":"63b91c8ff4589f5263873b24c052447a28e10ef7","status":"affected","versionType":"git"},{"version":"b5a1a81e5c25fb6bb3fdc1812ba69ff6ab638fcf","lessThan":"133f5e2a37ce08c82d24e8fba65e0a81deae4609","status":"affected","versionType":"git"},{"version":"b5a1a81e5c25fb6bb3fdc1812ba69ff6ab638fcf","lessThan":"230ca758453c63bd38e4d9f4a21db698f7abada8","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/nfsd/nfs4state.c"],"versions":[{"version":"2.6.35","status":"affected"},{"version":"0","lessThan":"2.6.35","status":"unaffected","versionType":"semver"},{"version":"5.10.236","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.180","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.134","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.87","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.23","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.13.11","lessThanOrEqual":"6.13.*","status":"unaffected","versionType":"semver"},{"version":"6.14.2","lessThanOrEqual":"6.14.*","status":"unaffected","versionType":"semver"},{"version":"6.15","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.35","versionEndExcluding":"5.10.236"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.35","versionEndExcluding":"5.15.180"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.35","versionEndExcluding":"6.1.134"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.35","versionEndExcluding":"6.6.87"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.35","versionEndExcluding":"6.12.23"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.35","versionEndExcluding":"6.13.11"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.35","versionEndExcluding":"6.14.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.35","versionEndExcluding":"6.15"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/b874cdef4e67e5150e07eff0eae1cbb21fb92da1"},{"url":"https://git.kernel.org/stable/c/cdb796137c57e68ca34518d53be53b679351eb86"},{"url":"https://git.kernel.org/stable/c/d96587cc93ec369031bcd7658c6adc719873c9fd"},{"url":"https://git.kernel.org/stable/c/9a81cde8c7ce65dd90fb47ceea93a45fc1a2fbd1"},{"url":"https://git.kernel.org/stable/c/cad3479b63661a399c9df1d0b759e1806e2df3c8"},{"url":"https://git.kernel.org/stable/c/63b91c8ff4589f5263873b24c052447a28e10ef7"},{"url":"https://git.kernel.org/stable/c/133f5e2a37ce08c82d24e8fba65e0a81deae4609"},{"url":"https://git.kernel.org/stable/c/230ca758453c63bd38e4d9f4a21db698f7abada8"}],"title":"nfsd: put dl_stid if fail to queue dl_recall","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T19:41:12.024Z"}}]}}