{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-38571","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T04:51:24.025Z","datePublished":"2025-08-19T17:02:51.620Z","dateUpdated":"2026-05-11T21:30:40.124Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:30:40.124Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nsunrpc: fix client side handling of tls alerts\n\nA security exploit was discovered in NFS over TLS in tls_alert_recv\ndue to its assumption that there is valid data in the msghdr's\niterator's kvec.\n\nInstead, this patch proposes the rework how control messages are\nsetup and used by sock_recvmsg().\n\nIf no control message structure is setup, kTLS layer will read and\nprocess TLS data record types. As soon as it encounters a TLS control\nmessage, it would return an error. At that point, NFS can setup a kvec\nbacked control buffer and read in the control message such as a TLS\nalert. Scott found that a msg iterator can advance the kvec pointer\nas a part of the copy process thus we need to revert the iterator\nbefore calling into the tls_alert_recv."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/sunrpc/xprtsock.c"],"versions":[{"version":"dea034b963c8901bdcc3d3880c04f0d75c95112f","lessThan":"a55b3d15331859d9fdd261cfa6d34ca2aeb0fb95","status":"affected","versionType":"git"},{"version":"dea034b963c8901bdcc3d3880c04f0d75c95112f","lessThan":"c36b2fbd60e8f9c6f975522130998608880c93be","status":"affected","versionType":"git"},{"version":"dea034b963c8901bdcc3d3880c04f0d75c95112f","lessThan":"3ee397eaaca4fa04db21bb98c8f1d0c6cc525368","status":"affected","versionType":"git"},{"version":"dea034b963c8901bdcc3d3880c04f0d75c95112f","lessThan":"3feada5baf4dc96e151ff2ca54630e1d274e5458","status":"affected","versionType":"git"},{"version":"dea034b963c8901bdcc3d3880c04f0d75c95112f","lessThan":"cc5d59081fa26506d02de2127ab822f40d88bc5a","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/sunrpc/xprtsock.c"],"versions":[{"version":"6.5","status":"affected"},{"version":"0","lessThan":"6.5","status":"unaffected","versionType":"semver"},{"version":"6.6.102","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.42","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.15.10","lessThanOrEqual":"6.15.*","status":"unaffected","versionType":"semver"},{"version":"6.16.1","lessThanOrEqual":"6.16.*","status":"unaffected","versionType":"semver"},{"version":"6.17","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.5","versionEndExcluding":"6.6.102"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.5","versionEndExcluding":"6.12.42"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.5","versionEndExcluding":"6.15.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.5","versionEndExcluding":"6.16.1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.5","versionEndExcluding":"6.17"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/a55b3d15331859d9fdd261cfa6d34ca2aeb0fb95"},{"url":"https://git.kernel.org/stable/c/c36b2fbd60e8f9c6f975522130998608880c93be"},{"url":"https://git.kernel.org/stable/c/3ee397eaaca4fa04db21bb98c8f1d0c6cc525368"},{"url":"https://git.kernel.org/stable/c/3feada5baf4dc96e151ff2ca54630e1d274e5458"},{"url":"https://git.kernel.org/stable/c/cc5d59081fa26506d02de2127ab822f40d88bc5a"}],"title":"sunrpc: fix client side handling of tls alerts","x_generator":{"engine":"bippy-1.2.0"}}}}