Acknowledged
Created: Aug 19, 2025
Updated: Jan 11, 2026
Resolved Date: Sep 10, 2025
Found In Version: 10.25.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 25
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:

sunrpc: fix handling of server side tls alerts

Scott Mayhew discovered a security exploit in NFS over TLS in
tls_alert_recv() due to its assumption it can read data from
the msg iterator's kvec.

kTLS implementation splits TLS non-data record payload between
the control message buffer (which includes the type such as TLS
alert or TLS cipher change) and the rest of the payload (say TLS
alert's level/description) which goes into the msg payload buffer.

This patch proposes to rework how control messages are set up and
used by sock_recvmsg().

If no control message structure is set up, kTLS layer will read and
process TLS data record types. As soon as it encounters a TLS control
message, it would return an error. At that point, NFS can set up a
kvec backed msg buffer and read in the control message such as a
TLS alert. Msg iterator can advance the kvec pointer as a part of
the copy process thus we need to revert the iterator before calling
into the tls_alert_recv.
CREATE(Triage):(User=lchen-cn) CVE-2025-38566 (https://nvd.nist.gov/vuln/detail/CVE-2025-38566)