LiveActive security incident?Get immediate response
CVE Record

CVE-2025-39688: nfsd: allow SC_STATUS_FREEABLE when searching via nfs4_lookup_stateid()

In the Linux kernel, the following vulnerability has been resolved: nfsd: allow SC_STATUS_FREEABLE when searching via nfs4_lookup_stateid() The pynfs DELEG8 test fails when run against nfsd. It acquires a delegation and then lets the lease time out. It then tries to use the deleg stateid and expects to see NFS4ERR_DELEG_REVOKED, but it gets bad NFS4ERR_BAD_STATEID instead. When a delegation is revoked, it's initially marked with SC_STATUS_REVOKED, or SC_STATUS_ADMIN_REVOKED and later, it's marked with the SC_STATUS_FREEABLE flag, which denotes that it is waiting for s FREE_STATEID call. nfs4_lookup_stateid() accepts a statusmask that includes the status flags that a found stateid is allowed to have. Currently, that mask never includes SC_STATUS_FREEABLE, which means that revoked delegations are (almost) never found. Add SC_STATUS_FREEABLE to the always-allowed status flags, and remove it from nfsd4_delegreturn() since it's now always implied.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

This is a Linux kernel NFS server issue in delegation state handling. A revoked NFSv4 delegation could be looked up incorrectly and produce the wrong protocol error. The sources do not provide CVSS, business impact, or evidence of exploitation, so urgency depends on whether you operate Linux nfsd services.

Executive priority

Track this as a kernel maintenance item for environments using Linux NFS servers. Escalate only if those systems support critical workloads, exposed clients, or regulated data, because severity and exploitability are not established in the sources.

Technical view

In nfsd, nfs4_lookup_stateid() did not allow SC_STATUS_FREEABLE in its accepted status mask. Revoked delegations waiting for FREE_STATEID were therefore usually not found, causing NFS4ERR_BAD_STATEID instead of the expected NFS4ERR_DELEG_REVOKED. Kernel stable commits add SC_STATUS_FREEABLE to the always-allowed status flags.

Likely exposure

Exposure appears limited to Linux systems running the kernel NFS server with NFSv4 delegation behavior. Systems not using nfsd, or not exporting NFS services, are unlikely to be affected based on the provided sources.

Exploitation context

The bundle cites a pynfs DELEG8 conformance failure, not public exploitation. KEV is false, and no cited source states active exploitation or provides an attack path.

Researcher notes

The available evidence describes protocol-state misclassification around revoked delegations. No CVSS, CWE, exploit status, or direct security impact is provided. Analysis should focus on nfsd delegation lifecycle, stateid lookup masks, and vendor backport mapping.

Mitigation direction

  • Identify Linux servers exporting NFS through kernel nfsd.
  • Check vendor kernel advisories for CVE-2025-39688 applicability and fixed builds.
  • Prioritize patching internet-adjacent or multi-tenant NFS servers first.
  • If patching is delayed, review vendor guidance for safe operational mitigations.

Validation and detection

  • Inventory kernel versions on NFS server hosts.
  • Confirm whether nfsd is enabled and exporting NFSv4 shares.
  • Compare installed kernels against vendor-fixed packages or kernel stable commits.
  • Run regression testing for NFSv4 delegation behavior after patching.
Prepared
Confidence
medium
Sources
6

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2025-39688 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
0ADP providers
5Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux8dd91e8d31febf4d9cca3ae1bb4771d33ae7ee5a, 8dd91e8d31febf4d9cca3ae1bb4771d33ae7ee5a, 8dd91e8d31febf4d9cca3ae1bb4771d33ae7ee5a, 8dd91e8d31febf4d9cca3ae1bb4771d33ae7ee5a, 967faa26f313a62e7bebc55d5b8122eaee43b929, 6.11.6unaffected
LinuxLinux6.12, 0, 6.12.23, 6.13.11, 6.14.2, 6.15affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.