{"id":"CVE-2025-40326","summary":"NFSD: Define actions for the new time_deleg FATTR4 attributes","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Define actions for the new time_deleg FATTR4 attributes\n\nNFSv4 clients won't send legitimate GETATTR requests for these new\nattributes because they are intended to be used only with CB_GETATTR\nand SETATTR. But NFSD has to do something besides crashing if it\never sees a GETATTR request that queries these attributes.\n\nRFC 8881 Section 18.7.3 states:\n\n\u003e The server MUST return a value for each attribute that the client\n\u003e requests if the attribute is supported by the server for the\n\u003e target file system. If the server does not support a particular\n\u003e attribute on the target file system, then it MUST NOT return the\n\u003e attribute value and MUST NOT set the attribute bit in the result\n\u003e bitmap. The server MUST return an error if it supports an\n\u003e attribute on the target but cannot obtain its value. In that case,\n\u003e no attribute values will be returned.\n\nFurther, RFC 9754 Section 5 states:\n\n\u003e These new attributes are invalid to be used with GETATTR, VERIFY,\n\u003e and NVERIFY, and they can only be used with CB_GETATTR and SETATTR\n\u003e by a client holding an appropriate delegation.\n\nThus there does not appear to be a specific server response mandated\nby specification. Taking the guidance that querying these attributes\nvia GETATTR is \"invalid\", NFSD will return nfserr_inval, failing the\nrequest entirely.","modified":"2026-03-20T12:43:16.229293Z","published":"2025-12-08T00:46:53.212Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40326.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/4f76435fd517981f01608678c06ad9718a86ee98"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d8f3f94dc950e7c62c96af432c26745885b0a18a"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40326.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40326"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"51c0d4f7e317d3cb4a3001e502bd8ca2d57f2a4b"},{"fixed":"d8f3f94dc950e7c62c96af432c26745885b0a18a"},{"fixed":"4f76435fd517981f01608678c06ad9718a86ee98"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40326.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.14.0"},{"fixed":"6.17.8"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40326.json"}}],"schema_version":"1.7.5"}