CVE-2025-37871 — linux / linux_kernel
In the Linux kernel, the following vulnerability has been resolved:
nfsd: decrease sc_count directly if fail to queue dl_recall
A deadlock warning occurred when invoking nfs4_put_stid following a failed dl_recall queue operation: T1 T2 nfs4_laundromat nfs4_get_client_reaplist nfs4_anylock_blockers __break_lease spin_lock // ctx->flc_lock spin_lock // clp->cl_lock nfs4_lockowner_has_blockers locks_owner_has_blockers spin_lock // flctx->flc_lock nfsd_break_deleg_cb nfsd_break_one_deleg nfs4_put_stid refcount_dec_and_lock spin_lock // clp->cl_lock
When a file is opened, an nfs4_delegation is allocated with sc_count initialized to 1, and the file_lease holds a reference to the delegation. The file_lease is then associated with the file through kernel_setlease.
The disassociation is performed in nfsd4_delegreturn via the following call chain: nfsd4_delegreturn --> destroy_delegation --> destroy_unhashed_deleg --> nfs4_unlock_deleg_lease --> kernel_setlease --> generic_delete_lease The corresponding sc_count reference will be released after this disassociation.
Since nfsd_break_one_deleg executes while holding the flc_lock, the disassociation process becomes blocked when attempting to acquire flc_lock in generic_delete_lease. This means:
- sc_count in nfsd_break_one_deleg will not be decremented to 0;
- The nfs4_put_stid called by nfsd_break_one_deleg will not attempt to acquire cl_lock;
- Consequently, no deadlock condition is created.
Given that sc_count in nfsd_break_one_deleg remains non-zero, we can safely perform refcount_dec on sc_count directly. This approach effectively avoids triggering deadlock warnings.
| Software | From | Fixed in |
|---|---|---|
| linux / linux_kernel | 6.12.23 | 6.12.25 |
| linux / linux_kernel | 6.13.11 | 6.14 |
| linux / linux_kernel | 6.14.2 | 6.14.4 |
| linux / linux_kernel | 5.10.236 | 5.10.236.x |
| linux / linux_kernel | 5.15.180 | 5.15.180.x |
| linux / linux_kernel | 6.1.134 | 6.1.134.x |
| linux / linux_kernel | 6.6.87 | 6.6.87.x |
| linux / linux_kernel | 6.15-rc1 | 6.15-rc1.x |
| linux / linux_kernel | 6.15-rc2 | 6.15-rc2.x |
| debian / debian_linux | 11.0 | 11.0.x |
- https://git.kernel.org/stable/c/14985d66b9b99c12995dd99d1c6c8dec4114c2a5
- https://git.kernel.org/stable/c/7d192e27a431026c58d60edf66dc6cd98d0c01fc
- https://git.kernel.org/stable/c/a1d14d931bf700c1025db8c46d6731aa5cf440f9
- https://git.kernel.org/stable/c/a70832d3555987035fc430ccd703acd89393eadb
- https://git.kernel.org/stable/c/a7fce086f6ca84db409b9d58493ea77c1978897c
- https://git.kernel.org/stable/c/b9bbe8f9d5663311d06667ce36d6ed255ead1a26
- https://git.kernel.org/stable/c/ba903539fff745d592d893c71b30e5e268a95413
- https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html
- https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime
Frequently Asked Questions
A security vulnerability is a weakness in software, hardware, or configuration that can be exploited to compromise confidentiality, integrity, or availability. Many vulnerabilities are tracked as CVEs (Common Vulnerabilities and Exposures), which provide a standardized identifier so teams can coordinate patching, mitigation, and risk assessment across tools and vendors.
CVSS (Common Vulnerability Scoring System) estimates technical severity, but it doesn't automatically equal business risk. Prioritize using context like internet exposure, affected asset criticality, known exploitation (proof-of-concept or in-the-wild), and whether compensating controls exist. A "Medium" CVSS on an exposed, production system can be more urgent than a "Critical" on an isolated, non-production host.
A vulnerability is the underlying weakness. An exploit is the method or code used to take advantage of it. A zero-day is a vulnerability that is unknown to the vendor or has no publicly available fix when attackers begin using it. In practice, risk increases sharply when exploitation becomes reliable or widespread.
Recurring findings usually come from incomplete Asset Discovery, inconsistent patch management, inherited images, and configuration drift. In modern environments, you also need to watch the software supply chain: dependencies, containers, build pipelines, and third-party services can reintroduce the same weakness even after you patch a single host. Unknown or unmanaged assets (often called Shadow IT) are a common reason the same issues resurface.
Use a simple, repeatable triage model: focus first on externally exposed assets, high-value systems (identity, VPN, email, production), vulnerabilities with known exploits, and issues that enable remote code execution or privilege escalation. Then enforce patch SLAs and track progress using consistent metrics so remediation is steady, not reactive.
SynScan combines attack surface monitoring and continuous security auditing to keep your inventory current, flag high-impact vulnerabilities early, and help you turn raw findings into a practical remediation plan.