CVE-2026-23297 - Vulnerability Details

- nfsd: Fix cred ref leak in nfsd_nl_threads_set_doit().

Description

In the Linux kernel, the following vulnerability has been resolved:

nfsd: Fix cred ref leak in nfsd_nl_threads_set_doit().

syzbot reported memory leak of struct cred. [0]

nfsd_nl_threads_set_doit() passes get_current_cred() to
nfsd_svc(), but put_cred() is not called after that.

The cred is finally passed down to _svc_xprt_create(),
which calls get_cred() with the cred for struct svc_xprt.

The ownership of the refcount by get_current_cred() is not
transferred to anywhere and is just leaked.

nfsd_svc() is also called from write_threads(), but it does
not bump file->f_cred there.

nfsd_nl_threads_set_doit() is called from sendmsg() and
current->cred does not go away.

Let's use current_cred() in nfsd_nl_threads_set_doit().

[0]:
BUG: memory leak
unreferenced object 0xffff888108b89480 (size 184):
comm "syz-executor", pid 5994, jiffies 4294943386
hex dump (first 32 bytes):
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 369454a7):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_noprof+0x412/0x580 mm/slub.c:5270
prepare_creds+0x22/0x600 kernel/cred.c:185
copy_creds+0x44/0x290 kernel/cred.c:286
copy_process+0x7a7/0x2870 kernel/fork.c:2086
kernel_clone+0xac/0x6e0 kernel/fork.c:2651
__do_sys_clone+0x7f/0xb0 kernel/fork.c:2792
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Published: 2026-03-25

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability occurs in the Linux kernel's NFS server implementation, where the function nfsd_nl_threads_set_doit() incorrectly passes a credential reference obtained via get_current_cred() to other internal functions without releasing it. This leakage of the struct cred reference leads to a memory leak that gradually consumes kernel memory over time. The leak does not directly grant an attacker elevated privileges or code execution, but it can cause resource exhaustion if exploited repeatedly or leveraged against a system that keeps the NFS service active for prolonged periods.

Affected Systems

All Linux kernel versions that include the NFS server code are potentially affected, as the issue is tied to the generic nfsd implementation rather than a specific kernel release. Systems running older kernels that have not yet incorporated the upstream fix are at risk.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not tracked in CISA's KEV catalog, reflecting its limited exploitation potential. Inferred attack vectors involve any entity that can access the NFS service—remote or local clients—using standard write or sendmsg operations to repeatedly trigger the memory leak. While no direct privilege escalation is possible, the cumulative effect can lead to denial‑of‑service conditions by exhausting kernel memory.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`924f4fb003ba114c60b3c07a011dcd86a8956cd1`	affected	< 41170716421c25cd20b39e83f0e0762e212b377b
`924f4fb003ba114c60b3c07a011dcd86a8956cd1`	affected	< 27c13c5bb0948e3b5c64e59f8a903231896fab9b
`924f4fb003ba114c60b3c07a011dcd86a8956cd1`	affected	< a3f88e3e18b51a7f654189189c762ebcdeaa7e29
`924f4fb003ba114c60b3c07a011dcd86a8956cd1`	affected	< 1cb968a2013ffa8112d52ebe605009ea1c6a582c

Linux

affected

Version	Status	Constraints
`6.10`	affected	—
`0`	unaffected	< 6.10
`6.12.77`	unaffected	≤ 6.12.*
`6.18.17`	unaffected	≤ 6.18.*
`6.19.7`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[924f4fb003ba114c60b3c07a011dcd86a8956cd1,41170716421c25cd20b39e83f0e0762e212b377b)`	affected	code_commit	—
`[924f4fb003ba114c60b3c07a011dcd86a8956cd1,27c13c5bb0948e3b5c64e59f8a903231896fab9b)`	affected	code_commit	—
`[924f4fb003ba114c60b3c07a011dcd86a8956cd1,a3f88e3e18b51a7f654189189c762ebcdeaa7e29)`	affected	code_commit	—
`[924f4fb003ba114c60b3c07a011dcd86a8956cd1,1cb968a2013ffa8112d52ebe605009ea1c6a582c)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.10`	affected	semver	—
`[0,6.10)`	unaffected	semver	—
`[6.12.77,6.13.0)`	unaffected	semver	—
`[6.18.17,6.19.0)`	unaffected	semver	—
`[6.19.7,6.20.0)`	unaffected	semver	—
`[7.0-rc3,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Check for and install the latest Linux kernel update that includes the upstream patch for the NFS credential leak.
Monitor kernel logs for repeated “unreferenced object” messages indicating ongoing leaks.
If no update is available, consider temporarily disabling the NFS server or removing modules that expose the affected code paths.

Generated by OpenCVE AI on March 26, 2026 at 14:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6238-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00025.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/1cb968a2013ffa8112d52ebe605009ea1c6a582c
https://git.kernel.org/stable/c/27c13c5bb0948e3b5c64e59f8a903231896fab9b
https://git.kernel.org/stable/c/41170716421c25cd20b39e83f0e0762e212b377b
https://git.kernel.org/stable/c/a3f88e3e18b51a7f654189189c762ebcdeaa7e29
https://lore.kernel.org/linux-cve-announce/2026032526-CVE-2026-23297-bcad@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23297
https://www.cve.org/CVERecord?id=CVE-2026-23297

History

Thu, 26 Mar 2026 12:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-401

Thu, 26 Mar 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-772
References		https://lore.kernel.org/linux-cve-announce/2026032526-CVE-2026-23297-bcad@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23297 https://www.cve.org/CVERecord?id=CVE-2026-23297
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Low`

Wed, 25 Mar 2026 22:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-401

Wed, 25 Mar 2026 10:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: nfsd: Fix cred ref leak in nfsd_nl_threads_set_doit(). syzbot reported memory leak of struct cred. [0] nfsd_nl_threads_set_doit() passes get_current_cred() to nfsd_svc(), but put_cred() is not called after that. The cred is finally passed down to _svc_xprt_create(), which calls get_cred() with the cred for struct svc_xprt. The ownership of the refcount by get_current_cred() is not transferred to anywhere and is just leaked. nfsd_svc() is also called from write_threads(), but it does not bump file->f_cred there. nfsd_nl_threads_set_doit() is called from sendmsg() and current->cred does not go away. Let's use current_cred() in nfsd_nl_threads_set_doit(). [0]: BUG: memory leak unreferenced object 0xffff888108b89480 (size 184): comm "syz-executor", pid 5994, jiffies 4294943386 hex dump (first 32 bytes): 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc 369454a7): kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] slab_post_alloc_hook mm/slub.c:4958 [inline] slab_alloc_node mm/slub.c:5263 [inline] kmem_cache_alloc_noprof+0x412/0x580 mm/slub.c:5270 prepare_creds+0x22/0x600 kernel/cred.c:185 copy_creds+0x44/0x290 kernel/cred.c:286 copy_process+0x7a7/0x2870 kernel/fork.c:2086 kernel_clone+0xac/0x6e0 kernel/fork.c:2651 __do_sys_clone+0x7f/0xb0 kernel/fork.c:2792 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Title		nfsd: Fix cred ref leak in nfsd_nl_threads_set_doit().
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/1cb968a2013ffa8112d52ebe605009ea1c6a582c https://git.kernel.org/stable/c/27c13c5bb0948e3b5c64e59f8a903231896fab9b https://git.kernel.org/stable/c/41170716421c25cd20b39e83f0e0762e212b377b https://git.kernel.org/stable/c/a3f88e3e18b51a7f654189189c762ebcdeaa7e29

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-03-25T10:26:54.156Z

Updated: 2026-04-13T06:03:51.946Z

Reserved: 2026-01-13T15:37:45.993Z

Link: CVE-2026-23297

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-03-25T11:16:25.167

Modified: 2026-03-25T15:41:33.977

Link: CVE-2026-23297

Redhat

Severity : Low

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23297 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T09:50:09Z

Weaknesses

CWE-772

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object