CVE-2025-38566

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-38566

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38566.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-38566

Downstream

BELL-CVE-2025-38566

DEBIAN-CVE-2025-38566

OESA-2025-2776

OESA-2025-2802

OESA-2025-2803

RHSA-2025:16354

RHSA-2025:17958

RHSA-2025:18281

RHSA-2025:21112

RLSA-2025:16354

ROOT-OS-DEBIAN-13-CVE-2025-38566

ROOT-OS-UBUNTU-2404-CVE-2025-38566

SUSE-SU-2025:03272-1

SUSE-SU-2025:03290-1

SUSE-SU-2025:03301-1

SUSE-SU-2025:03382-1

SUSE-SU-2025:03602-1

SUSE-SU-2025:03633-1

SUSE-SU-2025:03634-1

SUSE-SU-2025:03636-1

SUSE-SU-2025:03638-1

SUSE-SU-2025:03643-1

SUSE-SU-2025:03646-1

SUSE-SU-2025:03650-1

SUSE-SU-2025:20653-1

SUSE-SU-2025:20669-1

SUSE-SU-2025:20739-1

SUSE-SU-2025:20756-1

SUSE-SU-2025:20873-1

SUSE-SU-2025:20874-1

SUSE-SU-2025:20875-1

SUSE-SU-2025:20876-1

SUSE-SU-2025:20877-1

SUSE-SU-2025:20878-1

SUSE-SU-2025:20879-1

SUSE-SU-2025:20880-1

SUSE-SU-2025:20881-1

SUSE-SU-2025:20882-1

SUSE-SU-2025:20883-1

SUSE-SU-2025:20884-1

SUSE-SU-2025:20885-1

SUSE-SU-2025:20886-1

SUSE-SU-2025:20887-1

SUSE-SU-2025:20888-1

SUSE-SU-2025:20889-1

SUSE-SU-2025:20890-1

SUSE-SU-2025:20891-1

SUSE-SU-2025:20902-1

SUSE-SU-2025:20903-1

SUSE-SU-2025:20904-1

SUSE-SU-2025:20905-1

SUSE-SU-2025:20906-1

SUSE-SU-2025:20907-1

SUSE-SU-2025:20908-1

SUSE-SU-2025:20909-1

SUSE-SU-2025:20912-1

SUSE-SU-2025:20913-1

SUSE-SU-2025:20914-1

SUSE-SU-2025:20915-1

SUSE-SU-2025:20916-1

SUSE-SU-2025:20917-1

SUSE-SU-2025:20918-1

SUSE-SU-2025:20919-1

SUSE-SU-2025:20920-1

SUSE-SU-2025:21074-1

SUSE-SU-2025:21139-1

SUSE-SU-2025:21179-1

SUSE-SU-2025:3742-1

SUSE-SU-2025:3748-1

SUSE-SU-2025:3755-1

SUSE-SU-2025:3762-1

SUSE-SU-2025:3764-1

SUSE-SU-2025:3765-1

SUSE-SU-2025:3768-1

SUSE-SU-2025:3770-1

SUSE-SU-2025:3771-1

SUSE-SU-2025:3772-1

openSUSE-SU-2025:20081-1

Related

Published

2025-08-19T17:02:42.506Z

Modified

2026-03-12T02:16:10.119705Z

Summary

sunrpc: fix handling of server side tls alerts

Details

In the Linux kernel, the following vulnerability has been resolved:

sunrpc: fix handling of server side tls alerts

Scott Mayhew discovered a security exploit in NFS over TLS in tlsalertrecv() due to its assumption it can read data from the msg iterator's kvec..

kTLS implementation splits TLS non-data record payload between the control message buffer (which includes the type such as TLS aler or TLS cipher change) and the rest of the payload (say TLS alert's level/description) which goes into the msg payload buffer.

This patch proposes to rework how control messages are setup and used by sock_recvmsg().

If no control message structure is setup, kTLS layer will read and process TLS data record types. As soon as it encounters a TLS control message, it would return an error. At that point, NFS can setup a kvec backed msg buffer and read in the control message such as a TLS alert. Msg iterator can advance the kvec pointer as a part of the copy process thus we need to revert the iterator before calling into the tlsalertrecv.

Database specific

{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38566.json"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

5e052dda121e2870dd87181783da4a95d7d2927b

Fixed

b1df394621710b312f0393e3f240fdac0764f968

Fixed

25bb3647d30a20486b5fe7cff2b0e503c16c9692

Fixed

3b549da875414989f480b66835d514be80a0bd9c

Fixed

6b33c31cc788073bfbed9297e1f4486ed73d87da

Fixed

bee47cb026e762841f3faece47b51f985e215edb

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38566.json"