{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23297", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.993Z", "datePublished": "2026-03-25T10:26:54.156Z", "dateUpdated": "2026-03-25T10:26:54.156Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:26:54.156Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: Fix cred ref leak in nfsd_nl_threads_set_doit().\n\nsyzbot reported memory leak of struct cred. [0]\n\nnfsd_nl_threads_set_doit() passes get_current_cred() to\nnfsd_svc(), but put_cred() is not called after that.\n\nThe cred is finally passed down to _svc_xprt_create(),\nwhich calls get_cred() with the cred for struct svc_xprt.\n\nThe ownership of the refcount by get_current_cred() is not\ntransferred to anywhere and is just leaked.\n\nnfsd_svc() is also called from write_threads(), but it does\nnot bump file->f_cred there.\n\nnfsd_nl_threads_set_doit() is called from sendmsg() and\ncurrent->cred does not go away.\n\nLet's use current_cred() in nfsd_nl_threads_set_doit().\n\n[0]:\nBUG: memory leak\nunreferenced object 0xffff888108b89480 (size 184):\n comm \"syz-executor\", pid 5994, jiffies 4294943386\n hex dump (first 32 bytes):\n 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace (crc 369454a7):\n kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\n slab_post_alloc_hook mm/slub.c:4958 [inline]\n slab_alloc_node mm/slub.c:5263 [inline]\n kmem_cache_alloc_noprof+0x412/0x580 mm/slub.c:5270\n prepare_creds+0x22/0x600 kernel/cred.c:185\n copy_creds+0x44/0x290 kernel/cred.c:286\n copy_process+0x7a7/0x2870 kernel/fork.c:2086\n kernel_clone+0xac/0x6e0 kernel/fork.c:2651\n __do_sys_clone+0x7f/0xb0 kernel/fork.c:2792\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/nfsd/nfsctl.c"], "versions": [{"version": "924f4fb003ba114c60b3c07a011dcd86a8956cd1", "lessThan": "41170716421c25cd20b39e83f0e0762e212b377b", "status": "affected", "versionType": "git"}, {"version": "924f4fb003ba114c60b3c07a011dcd86a8956cd1", "lessThan": "27c13c5bb0948e3b5c64e59f8a903231896fab9b", "status": "affected", "versionType": "git"}, {"version": "924f4fb003ba114c60b3c07a011dcd86a8956cd1", "lessThan": "a3f88e3e18b51a7f654189189c762ebcdeaa7e29", "status": "affected", "versionType": "git"}, {"version": "924f4fb003ba114c60b3c07a011dcd86a8956cd1", "lessThan": "1cb968a2013ffa8112d52ebe605009ea1c6a582c", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/nfsd/nfsctl.c"], "versions": [{"version": "6.10", "status": "affected"}, {"version": "0", "lessThan": "6.10", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10", "versionEndExcluding": "7.0-rc3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/41170716421c25cd20b39e83f0e0762e212b377b"}, {"url": "https://git.kernel.org/stable/c/27c13c5bb0948e3b5c64e59f8a903231896fab9b"}, {"url": "https://git.kernel.org/stable/c/a3f88e3e18b51a7f654189189c762ebcdeaa7e29"}, {"url": "https://git.kernel.org/stable/c/1cb968a2013ffa8112d52ebe605009ea1c6a582c"}], "title": "nfsd: Fix cred ref leak in nfsd_nl_threads_set_doit().", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: Fix cred ref leak in nfsd_nl_threads_set_doit().\n\nsyzbot reported memory leak of struct cred. [0]\n\nnfsd_nl_threads_set_doit() passes get_current_cred() to\nnfsd_svc(), but put_cred() is not called after that.\n\nThe cred is finally passed down to _svc_xprt_create(),\nwhich calls get_cred() with the cred for struct svc_xprt.\n\nThe ownership of the refcount by get_current_cred() is not\ntransferred to anywhere and is just leaked.\n\nnfsd_svc() is also called from write_threads(), but it does\nnot bump file->f_cred there.\n\nnfsd_nl_threads_set_doit() is called from sendmsg() and\ncurrent->cred does not go away.\n\nLet's use current_cred() in nfsd_nl_threads_set_doit().\n\n[0]:\nBUG: memory leak\nunreferenced object 0xffff888108b89480 (size 184):\n comm \"syz-executor\", pid 5994, jiffies 4294943386\n hex dump (first 32 bytes):\n 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace (crc 369454a7):\n kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\n slab_post_alloc_hook mm/slub.c:4958 [inline]\n slab_alloc_node mm/slub.c:5263 [inline]\n kmem_cache_alloc_noprof+0x412/0x580 mm/slub.c:5270\n prepare_creds+0x22/0x600 kernel/cred.c:185\n copy_creds+0x44/0x290 kernel/cred.c:286\n copy_process+0x7a7/0x2870 kernel/fork.c:2086\n kernel_clone+0xac/0x6e0 kernel/fork.c:2651\n __do_sys_clone+0x7f/0xb0 kernel/fork.c:2792\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"}], "id": "CVE-2026-23297", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:25.167", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1cb968a2013ffa8112d52ebe605009ea1c6a582c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/27c13c5bb0948e3b5c64e59f8a903231896fab9b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/41170716421c25cd20b39e83f0e0762e212b377b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a3f88e3e18b51a7f654189189c762ebcdeaa7e29"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: nfsd: Fix cred ref leak in nfsd_nl_threads_set_doit()", "id": "2451226", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451226"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-772", "details": ["A flaw was found in the Linux kernel's nfsd component. A local user could exploit this vulnerability due to a missing `put_cred()` call in the `nfsd_nl_threads_set_doit()` function. This oversight leads to a memory leak of `struct cred` objects, which can result in a denial of service by exhausting available memory resources."], "name": "CVE-2026-23297", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23297\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23297\nhttps://lore.kernel.org/linux-cve-announce/2026032526-CVE-2026-23297-bcad@gregkh/T"], "threat_severity": "Low"}

{"analysis": {"en": {"generated_at": "2026-03-25T12:03:57.495675+00:00", "value": {"mitigation_remediation": ["Update to a kernel version that includes the nfsd credential release patch", "Ensure that the operating system\u2019s package manager is configured to install the latest kernel updates automatically", "If an update is not yet available, restrict NFS traffic by firewall or disabling the service when not needed and limit the number of concurrent NFS threads if possible", "Continuously monitor kernel memory usage for unusual growth in credential allocations and audit for memory leak symptoms"], "summary": {"action": "Apply kernel patch", "impact": "Memory Leak causing kernel memory exhaustion and potential DoS"}, "threat_synthesis": {"affected_systems": "Any Linux kernel installation that hosts the NFS server daemon (nfsd) and runs a kernel version prior to the patch that fixes the credential release bug is affected. The specific vulnerable kernel releases are not listed in the advisory, so all kernels lacking the commit that replaces get_current_cred() in the affected function are considered at risk. Linux distributions that ship the kernel unchanged should contact their maintainers for an update.", "description_and_impact": "The Linux kernel NFS daemon contains a reference leak in the function that sets up NFS threads. The code obtains the current process\u2019s credential structure by calling get_current_cred() but never releases it, causing the reference count of that credential object to increment without bound. Over time this unreleased reference accumulates until the kernel\u2019s memory pool is exhausted, which can lead to a denial\u2011of\u2011service condition for the system. The vulnerability was discovered by syzbot fuzzing and fixed by replacing the cred retrieval with a non\u2011incrementing variant.", "risk_and_exploitability": "The risk is elevated only if an attacker can repeatedly trigger the vulnerable path to force the kernel to allocate many credential objects. No code execution or remote privilege escalation is provided by the flaw, and it is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS score is unavailable, so the precise exploitation likelihood is uncertain. Nonetheless, local users who can generate large NFS operations could induce kernel memory exhaustion, making this a medium\u2011to\u2011high severity issue for systems that expose NFS services."}}}}, "created": "2026-03-25T21:15:33.331948+00:00", "updated": "2026-03-25T21:15:33.332787+00:00", "vendors": [], "weaknesses": ["CWE-401"]}