Proof-of-Concept exploit for NFSundown (CVE-2025-38089). It can remotely trigger a kernel crash in an NFS server.
A remote attacker can trigger a kernel null pointer dereference and crash the kernel by sending a specially crafted RPC request. This occurs due to improper handling of the rqstp->rq_accept_statp pointer in the SUNRPC code path, allowing it to remain NULL and be dereferenced in error handling branches. In some circumstances(when all the server thread has accepted a connection for at least once), this could also result in a use-after-free. The vulnerability is now assigned CVE-2025-38089.
- introduced in: 6.3, 29cd2927fb914cc53b5ba4f67d2b74695c994ba4
- fixed in: 6.16, 94d10a4dba0bc482f2b01e39f06d5513d0f75742
- start the vulnerable NFS server, make sure the network connection to the victim is working
- change the IPs and interface in
poc.pyas needed, then run the following command
iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP # drop the RST packets from the victim server
python poc.pyI would like to thank @FFreestanding in helping reproducing the bug and developing the PoC.
This proof-of-concept (PoC) code is provided for educational and research purposes only.
Use this code responsibly and only on systems you own or have explicit permission to test.
The authors and contributors are not responsible for any misuse or damage caused by this code.