DEBIAN-CVE-2025-39688

Source
https://security-tracker.debian.org/tracker/DEBIAN-CVE-2025-39688
Import Source
https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2025-39688.json
JSON Data
https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2025-39688
Upstream
Published
2025-04-18T07:15:43Z
Modified
2025-09-19T06:22:43Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

nfsd: allow SC_STATUS_FREEABLE when searching via nfs4_lookup_stateid()

The pynfs DELEG8 test fails when run against nfsd. It acquires a delegation and then lets the lease time out. It then tries to use the deleg stateid and expects to see NFS4ERR_DELEG_REVOKED, but it gets bad NFS4ERR_BAD_STATEID instead.

When a delegation is revoked, it's initially marked with SC_STATUS_REVOKED, or SC_STATUS_ADMIN_REVOKED and later, it's marked with the SC_STATUS_FREEABLE flag, which denotes that it is waiting for a FREE_STATEID call.

nfs4_lookup_stateid() accepts a statusmask that includes the status flags that a found stateid is allowed to have. Currently, that mask never includes SC_STATUS_FREEABLE, which means that revoked delegations are (almost) never found.

Add SC_STATUS_FREEABLE to the always-allowed status flags, and remove it from nfsd4_delegreturn() since it's now always implied.

References

Affected packages

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.12.25-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.12.25-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}