Description
In the Linux kernel, the following vulnerability has been resolved:

nfsd: provide locking for v4_end_grace

Writing to v4_end_grace can race with server shutdown and result in
memory being accessed after it was freed - reclaim_str_hashtbl in
particularly.

We cannot hold nfsd_mutex across the nfsd4_end_grace() call as that is
held while client_tracking_op->init() is called and that can wait for
an upcall to nfsdcltrack which can write to v4_end_grace, resulting in a
deadlock.

nfsd4_end_grace() is also called by the landromat work queue and this
doesn't require locking as server shutdown will stop the work and wait
for it before freeing anything that nfsd4_end_grace() might access.

However, we must be sure that writing to v4_end_grace doesn't restart
the work item after shutdown has already waited for it. For this we
add a new flag protected with nn->client_lock. It is set only while it
is safe to make client tracking calls, and v4_end_grace only schedules
work while the flag is set with the spinlock held.

So this patch adds a nfsd_net field "client_tracking_active" which is
set as described. Another field "grace_end_forced", is set when
v4_end_grace is written. After this is set, and providing
client_tracking_active is set, the laundromat is scheduled.
This "grace_end_forced" field bypasses other checks for whether the
grace period has finished.

This resolves a race which can result in use-after-free.
Published: 2026-01-23
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Use-After-Free
Action: Apply Patch
AI Analysis

Impact

The Linux kernel contains a race condition in the NFS server shutdown routine. During shutdown, the v4_end_grace flag can be written while the server is terminating, causing code to access memory that has already been freed. This results in a use‑after‑free flaw that can produce a crash or other memory‑corruption symptoms. The vulnerability is identified as CWE‑416.

Affected Systems

The flaw affects the Linux operating system kernel, particularly the 6.19 release candidate series (rc1 through rc4) and all other kernel versions that include the NFS server component. Any system running an unpatched kernel and exposing an NFSv4 server is potentially exposed.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity. The EPSS score of less than 1% suggests a very low probability of exploitation at the time of analysis. The vulnerability is not listed in CISA’s KEV catalog. Exploitation would require a way to trigger the NFS server shutdown while the race condition can occur, implying that a privileged or local attacker might be able to exercise the flaw.

Generated by OpenCVE AI on April 18, 2026 at 18:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy a kernel patch that implements the locking fix described in the changelog.
  • If a patch is not immediately available, disable the NFSv4 server or stop all NFS exports until the kernel can be upgraded.
  • Restrict NFS service access to trusted users only and limit the ability to initiate server shutdown, reducing the chance that the race condition can be exercised.

Generated by OpenCVE AI on April 18, 2026 at 18:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4475-1 linux security update
Debian DLA Debian DLA DLA-4476-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6126-1 linux security update
Debian DSA Debian DSA DSA-6127-1 linux security update
Ubuntu USN Ubuntu USN USN-8096-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8096-2 Linux kernel (FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8096-3 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8096-4 Linux kernel (Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-8096-5 Linux kernel (NVIDIA Tegra IGX) vulnerabilities
Ubuntu USN Ubuntu USN USN-8116-1 Linux kernel (Intel IoTG Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-8141-1 Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN Ubuntu USN USN-8163-1 Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8163-2 Linux kernel (Azure) vulnerabilities
History

Thu, 26 Feb 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CPEs cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Sat, 24 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important

Fri, 23 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: nfsd: provide locking for v4_end_grace Writing to v4_end_grace can race with server shutdown and result in memory being accessed after it was freed - reclaim_str_hashtbl in particularly. We cannot hold nfsd_mutex across the nfsd4_end_grace() call as that is held while client_tracking_op->init() is called and that can wait for an upcall to nfsdcltrack which can write to v4_end_grace, resulting in a deadlock. nfsd4_end_grace() is also called by the landromat work queue and this doesn't require locking as server shutdown will stop the work and wait for it before freeing anything that nfsd4_end_grace() might access. However, we must be sure that writing to v4_end_grace doesn't restart the work item after shutdown has already waited for it. For this we add a new flag protected with nn->client_lock. It is set only while it is safe to make client tracking calls, and v4_end_grace only schedules work while the flag is set with the spinlock held. So this patch adds a nfsd_net field "client_tracking_active" which is set as described. Another field "grace_end_forced", is set when v4_end_grace is written. After this is set, and providing client_tracking_active is set, the laundromat is scheduled. This "grace_end_forced" field bypasses other checks for whether the grace period has finished. This resolves a race which can result in use-after-free.
Title nfsd: provide locking for v4_end_grace
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-09T08:36:30.307Z

Reserved: 2026-01-13T15:37:45.936Z

Link: CVE-2026-22980

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-01-23T16:15:54.003

Modified: 2026-02-26T18:48:11.530

Link: CVE-2026-22980

cve-icon Redhat

Severity : Important

Publid Date: 2026-01-23T00:00:00Z

Links: CVE-2026-22980 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T19:00:08Z

Weaknesses