PoC for CVE-2025-38089# Overview
Proof-of-Concept exploit for NFSundown (CVE-2025-38089). It can remotely trigger a kernel crash in an NFS server.
# Details
A remote attacker can trigger a kernel null pointer dereference and crash the kernel by sending a specially crafted RPC request. This occurs due to improper handling of the `rqstp->rq_accept_statp` pointer in the SUNRPC code path, allowing it to remain NULL and be dereferenced in error handling branches. In some circumstances(when all the server thread has accepted a connection for at least once), this could also result in a use-after-free. The vulnerability is now assigned CVE-2025-38089.
## Affected Version
- introduced in: 6.3, [29cd2927fb914cc53b5ba4f67d2b74695c994ba4](https://github.com/torvalds/linux/commit/29cd2927fb914cc53b5ba4f67d2b74695c994ba4)
- fixed in: 6.16, [94d10a4dba0bc482f2b01e39f06d5513d0f75742](https://github.com/torvalds/linux/commit/94d10a4dba0bc482f2b01e39f06d5513d0f75742)
## Usage
1. start the vulnerable NFS server, make sure the network connection to the victim is working
2. change the IPs and interface in `poc.py` as needed, then run the following command
```bash
iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP # drop the RST packets from the victim server
python poc.py
```
# Acknowledgements
I would like to thank [@FFreestanding](https://github.com/FFreestanding) in helping reproducing the bug and developing the PoC.
# Disclaimer
This proof-of-concept (PoC) code is provided for educational and research purposes only.
Use this code responsibly and only on systems you own or have explicit permission to test.
The authors and contributors are not responsible for any misuse or damage caused by this code.
[4.0K] /data/pocs/fb4b00943b68323a1db055119449d9fa19d5588b
├── [1.0K] LICENSE
├── [3.3K] poc.py
└── [1.7K] README.md
0 directories, 3 files