CVE-2025-39688: nfsd: allow SC_STATUS_FREEABLE when searching via nfs4_lookup_stateid()
In the Linux kernel, the following vulnerability has been resolved:
nfsd: allow SC_STATUS_FREEABLE when searching via nfs4_lookup_stateid()
The pynfs DELEG8 test fails when run against nfsd. It acquires a
delegation and then lets the lease time out. It then tries to use the
deleg stateid and expects to see NFS4ERR_DELEG_REVOKED, but it gets
bad NFS4ERR_BAD_STATEID instead.
When a delegation is revoked, it's initially marked with
SC_STATUS_REVOKED, or SC_STATUS_ADMIN_REVOKED and later, it's marked
with the SC_STATUS_FREEABLE flag, which denotes that it is waiting for
s FREE_STATEID call.
nfs4_lookup_stateid() accepts a statusmask that includes the status
flags that a found stateid is allowed to have. Currently, that mask
never includes SC_STATUS_FREEABLE, which means that revoked delegations
are (almost) never found.
Add SC_STATUS_FREEABLE to the always-allowed status flags, and remove it
from nfsd4_delegreturn() since it's now always implied.
Security readout for executives and security teams
Plain-English summary
This is a Linux kernel NFS server issue in delegation state handling. A revoked NFSv4 delegation could be looked up incorrectly and produce the wrong protocol error. The sources do not provide CVSS, business impact, or evidence of exploitation, so urgency depends on whether you operate Linux nfsd services.
Executive priority
Track this as a kernel maintenance item for environments using Linux NFS servers. Escalate only if those systems support critical workloads, exposed clients, or regulated data, because severity and exploitability are not established in the sources.
Technical view
In nfsd, nfs4_lookup_stateid() did not allow SC_STATUS_FREEABLE in its accepted status mask. Revoked delegations waiting for FREE_STATEID were therefore usually not found, causing NFS4ERR_BAD_STATEID instead of the expected NFS4ERR_DELEG_REVOKED. Kernel stable commits add SC_STATUS_FREEABLE to the always-allowed status flags.
Likely exposure
Exposure appears limited to Linux systems running the kernel NFS server with NFSv4 delegation behavior. Systems not using nfsd, or not exporting NFS services, are unlikely to be affected based on the provided sources.
Exploitation context
The bundle cites a pynfs DELEG8 conformance failure, not public exploitation. KEV is false, and no cited source states active exploitation or provides an attack path.
Researcher notes
The available evidence describes protocol-state misclassification around revoked delegations. No CVSS, CWE, exploit status, or direct security impact is provided. Analysis should focus on nfsd delegation lifecycle, stateid lookup masks, and vendor backport mapping.
Mitigation direction
Identify Linux servers exporting NFS through kernel nfsd.
Check vendor kernel advisories for CVE-2025-39688 applicability and fixed builds.
Prioritize patching internet-adjacent or multi-tenant NFS servers first.
If patching is delayed, review vendor guidance for safe operational mitigations.
Validation and detection
Inventory kernel versions on NFS server hosts.
Confirm whether nfsd is enabled and exporting NFSv4 shares.
Compare installed kernels against vendor-fixed packages or kernel stable commits.
Run regression testing for NFSv4 delegation behavior after patching.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2025-39688 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
5Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Apr 18, 2025, 07:01 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.