{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-40326","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.186Z","datePublished":"2025-12-08T00:46:53.212Z","dateUpdated":"2026-05-11T21:47:12.108Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:47:12.108Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Define actions for the new time_deleg FATTR4 attributes\n\nNFSv4 clients won't send legitimate GETATTR requests for these new\nattributes because they are intended to be used only with CB_GETATTR\nand SETATTR. But NFSD has to do something besides crashing if it\never sees a GETATTR request that queries these attributes.\n\nRFC 8881 Section 18.7.3 states:\n\n> The server MUST return a value for each attribute that the client\n> requests if the attribute is supported by the server for the\n> target file system. If the server does not support a particular\n> attribute on the target file system, then it MUST NOT return the\n> attribute value and MUST NOT set the attribute bit in the result\n> bitmap. The server MUST return an error if it supports an\n> attribute on the target but cannot obtain its value. In that case,\n> no attribute values will be returned.\n\nFurther, RFC 9754 Section 5 states:\n\n> These new attributes are invalid to be used with GETATTR, VERIFY,\n> and NVERIFY, and they can only be used with CB_GETATTR and SETATTR\n> by a client holding an appropriate delegation.\n\nThus there does not appear to be a specific server response mandated\nby specification. Taking the guidance that querying these attributes\nvia GETATTR is \"invalid\", NFSD will return nfserr_inval, failing the\nrequest entirely."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/nfsd/nfs4xdr.c"],"versions":[{"version":"51c0d4f7e317d3cb4a3001e502bd8ca2d57f2a4b","lessThan":"d8f3f94dc950e7c62c96af432c26745885b0a18a","status":"affected","versionType":"git"},{"version":"51c0d4f7e317d3cb4a3001e502bd8ca2d57f2a4b","lessThan":"4f76435fd517981f01608678c06ad9718a86ee98","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/nfsd/nfs4xdr.c"],"versions":[{"version":"6.14","status":"affected"},{"version":"0","lessThan":"6.14","status":"unaffected","versionType":"semver"},{"version":"6.17.8","lessThanOrEqual":"6.17.*","status":"unaffected","versionType":"semver"},{"version":"6.18","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.14","versionEndExcluding":"6.17.8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.14","versionEndExcluding":"6.18"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/d8f3f94dc950e7c62c96af432c26745885b0a18a"},{"url":"https://git.kernel.org/stable/c/4f76435fd517981f01608678c06ad9718a86ee98"}],"title":"NFSD: Define actions for the new time_deleg FATTR4 attributes","x_generator":{"engine":"bippy-1.2.0"}}}}