An issue was discovered in fs/nfs/dir.c in the Linux kernel before 5.16.5. If an application sets the O_DIRECTORY flag, and tries to open a regular file, nfs_atomic_open() performs a regular lookup. If a regular file is found, ENOTDIR should occur, but the server instead returns uninitialized data in the file descriptor. A flaw was found in the Linux kernel. When an application tries to open a directory (using the O_DIRECTORY flag) in a mounted NFS filesystem, a lookup operation is performed. If the NFS server returns a file as a result of the lookup, the NFS filesystem returns an uninitialized file descriptor instead of the expected ENOTDIR value. This flaw leads to the kernel's data leak into the userspace.
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.
– Scott Cheney, Manager of Information Security, Sierra View Medical Center