CVE-2025-40210

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description A flaw exists in the Linux kernel’s Network File System daemon (NFSD) related to the handling of NFSv4 COMPOUND operations. Specifically, a previous change removed a limit on the number of operations permitted within a single NFSv4 COMPOUND request. This removal allowed an attacker to specify an arbitrarily large operation count in the COMPOUND header, potentially leading to a vmalloc error and exhaustion of system memory when NFSD attempts to allocate memory for the COMPOUND operation array. The issue was triggered when using pynfs COMP6, causing the connection or lease to enter an unstable state, resulting in indefinite hangs during CLOSE9 operations. The vulnerability was addressed by restoring a limit on the number of operations per COMPOUND, setting it to 200.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.