CVE-2025-40210: 
Echo vulnerability analysis and mitigation

A vulnerability in the Linux kernel's NFSv4 COMPOUND implementation was discovered and assigned CVE-2025-40210. The issue was identified when a cap on the number of operations per NFSv4 COMPOUND was removed, leading to potential security risks. The vulnerability was disclosed on November 21, 2025, affecting Linux kernel systems running NFSD (NVD).

The vulnerability stems from the removal of operation limits in NFSv4 COMPOUND processing. When an attacker places an arbitrarily large operation count in the COMPOUND header, it triggers a vmalloc error with size 1209533382144, which exceeds total available pages. The error occurs with mode:0xdc0(GFPKERNEL|_GFP_ZERO) settings. Additionally, the pynfs COMP6 testing revealed that the vulnerability leaves connections or leases in an unusual state, causing CLOSE9 operations to hang indefinitely (NVD).

The vulnerability can lead to memory corruption and potential system resource exhaustion when NFSD attempts to allocate the COMPOUND operation array. This could result in denial of service conditions for affected systems (NVD).

The vulnerability has been addressed by restoring the operation-per-COMPOUND limit, but with an increased threshold of 200 operations. This fix helps prevent resource exhaustion while maintaining reasonable functionality (NVD, Debian Tracker).