CVE-2025-21795: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-21795 affects the Linux kernel's NFSD (Network File System Daemon) component. The vulnerability was discovered in early 2025 and involves a hang condition in the nfsd4shutdowncallback functionality. The issue occurs when an nfs4client is in courtesy state, causing nfsd4shutdowncallback to hang since clcb_inflight is not 0, resulting in a 15-minute delay until TCP notifies NFSD that the connection was dropped (Kernel Git).

The vulnerability exists in the NFSD callback handling mechanism. When an nfs4client enters a courtesy state, the system attempts to send a callback which is unnecessary. This results in nfsd4shutdowncallback hanging due to clcbinflight remaining non-zero. The system then has to wait approximately 15 minutes for TCP to notify NFSD about the dropped connection. The fix involves modifying nfsd4runcbwork to skip the RPC call when nfs4_client is in courtesy state (Kernel Git).

The primary impact of this vulnerability is a service degradation in the form of system hangs lasting approximately 15 minutes when specific NFS conditions are met. This can affect system performance and availability of NFS services (Kernel Git).

The issue has been resolved through a patch that modifies the nfsd4runcbwork function to skip the RPC call when nfs4client is in courtesy state. Users should update their Linux kernel to a version that includes this fix (Kernel Git).