Instituto Nacional de Ciberseguridad (INCIBE). INCIBE-CERT section

CVE-2025-40326

Severity:
Pending analysis
Type:
Not available / Other type
Publication date:
08/12/2025
Last modified:
08/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

NFSD: Define actions for the new time_deleg FATTR4 attributes

NFSv4 clients won't send legitimate GETATTR requests for these new
attributes because they are intended to be used only with CB_GETATTR
and SETATTR. But NFSD has to do something besides crashing if it
ever sees a GETATTR request that queries these attributes.

RFC 8881 Section 18.7.3 states:

> The server MUST return a value for each attribute that the client
> requests if the attribute is supported by the server for the
> target file system. If the server does not support a particular
> attribute on the target file system, then it MUST NOT return the
> attribute value and MUST NOT set the attribute bit in the result
> bitmap. The server MUST return an error if it supports an
> attribute on the target but cannot obtain its value. In that case,
> no attribute values will be returned.

Further, RFC 9754 Section 5 states:

> These new attributes are invalid to be used with GETATTR, VERIFY,
> and NVERIFY, and they can only be used with CB_GETATTR and SETATTR
> by a client holding an appropriate delegation.

Thus there does not appear to be a specific server response mandated
by specification. Taking the guidance that querying these attributes
via GETATTR is "invalid", NFSD will return nfserr_inval, failing the
request entirely.
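The response policy described above, sketched as an added example (this is not NFSD's code and not part of the advisory): a supported-attribute mask alone would let the time_deleg bits through, so the GETATTR path needs an explicit rejection. The helper `getattr_filter` and the bitmaps are hypothetical; the attribute numbers 84 and 85 are taken from RFC 9754 and do not appear on this page.

```c
#include <stdint.h>
#include <stdio.h>

#define NFS4_OK        0   /* RFC 8881 status codes */
#define NFS4ERR_INVAL 22
/* Attribute numbers as assigned in RFC 9754; they do not appear on this page. */
#define FATTR4_TIME_DELEG_ACCESS 84
#define FATTR4_TIME_DELEG_MODIFY 85
#define BM_WORDS 3         /* three 32-bit words cover attributes 0..95 */

static int bm_test(const uint32_t *bm, unsigned attr)
{
    return (bm[attr / 32] >> (attr % 32)) & 1u;
}

/* Hypothetical helper: decide which attribute bits a GETATTR reply may carry. */
int getattr_filter(const uint32_t *requested, const uint32_t *supported,
                   uint32_t *result)
{
    int i;

    /* Valid only with CB_GETATTR and SETATTR: fail the request entirely. */
    if (bm_test(requested, FATTR4_TIME_DELEG_ACCESS) ||
        bm_test(requested, FATTR4_TIME_DELEG_MODIFY)) {
        for (i = 0; i < BM_WORDS; i++)
            result[i] = 0;
        return NFS4ERR_INVAL;
    }
    /* Unsupported attributes: no value, and the bit stays clear in the result. */
    for (i = 0; i < BM_WORDS; i++)
        result[i] = requested[i] & supported[i];
    return NFS4_OK;
}

int main(void)
{
    /* Constructed bitmaps: the server supports attrs 0..47 plus 84 and 85. */
    uint32_t supported[BM_WORDS] = { 0xFFFFFFFFu, 0x0000FFFFu, 0x00300000u };
    uint32_t plain[BM_WORDS]     = { 1u << 4, 1u << 20, 0 };    /* attrs 4 and 52 */
    uint32_t deleg[BM_WORDS]     = { 1u << 4, 0, 1u << 20 };    /* attrs 4 and 84 */
    uint32_t out[BM_WORDS];

    printf("plain: status %d\n", getattr_filter(plain, supported, out));
    printf("deleg: status %d\n", getattr_filter(deleg, supported, out));
    return 0;
}
```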

Impact