Description
In the Linux kernel, the following vulnerability has been resolved:

nfsd: Fix cred ref leak in nfsd_nl_listener_set_doit().

nfsd_nl_listener_set_doit() uses get_current_cred() without
put_cred().

As we can see from other callers, svc_xprt_create_from_sa()
does not require the extra refcount.

nfsd_nl_listener_set_doit() is always in the process context,
sendmsg(), and current->cred does not go away.

Let's use current_cred() in nfsd_nl_listener_set_doit().
Published: 2026-05-08
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A reference-count leak was found in the Linux NFS daemon: the function nfsd_nl_listener_set_doit() obtained a credential reference with get_current_cred() but never released it with put_cred(). As a result, the kernel retains unnecessary credential objects, which can grow unbounded in long-running or high-traffic NFS operations. The leak alone does not directly grant elevated privileges, but an attacker could potentially aggravate it by repeatedly invoking the vulnerable path, leading to kernel memory exhaustion and a denial of service.
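A userspace C model of the leak described above, added here as an illustration and not taken from the kernel or from the fix commit. The `struct cred` layout, the accessor stand-ins, `create_listener()` and the `listener_set_*` handlers are simplified assumptions that only mimic the reference counting.

```c
#include <stdio.h>

/* Userspace model only: the kernel uses an atomic counter in struct cred. */
struct cred { int usage; };
static struct cred task_cred = { .usage = 1 };  /* stands in for current->cred */

/* Borrow: no count change; safe while the calling task itself is running. */
static const struct cred *current_cred(void) { return &task_cred; }

/* Acquire: takes a reference the caller must drop with put_cred(). */
static const struct cred *get_current_cred(void) { task_cred.usage++; return &task_cred; }
static void put_cred(const struct cred *c) { ((struct cred *)c)->usage--; }

/* Stand-in for svc_xprt_create_from_sa(): assumed to leave the caller's
 * reference count untouched, so it needs no extra reference from the caller. */
static int create_listener(const struct cred *c) { return c->usage > 0 ? 0 : -1; }

/* Before the fix: a reference is taken on every request and never dropped. */
static int listener_set_leaky(void) { return create_listener(get_current_cred()); }

/* The fix described on the page: borrow with current_cred(). */
static int listener_set_fixed(void) { return create_listener(current_cred()); }

/* Alternative that also balances: pair get_current_cred() with put_cred(). */
static int listener_set_paired(void)
{
    const struct cred *c = get_current_cred();
    int ret = create_listener(c);
    put_cred(c);
    return ret;
}

/* References still outstanding after n requests through the given handler. */
int leaked_refs(int (*handler)(void), int n)
{
    int before = task_cred.usage;
    for (int i = 0; i < n; i++)
        handler();
    return task_cred.usage - before;
}

int main(void)
{
    printf("leaky:  %d\n", leaked_refs(listener_set_leaky, 1000));
    printf("fixed:  %d\n", leaked_refs(listener_set_fixed, 1000));
    printf("paired: %d\n", leaked_refs(listener_set_paired, 1000));
    return 0;
}
```

In the model, the leaky handler leaves one outstanding reference per request, while the borrowed and paired variants leave none.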

Affected Systems

All Linux kernel implementations prior to the inclusion of the fix (commit 019debe5851d7355bea9ff0248cc317878924d8f) are affected. The vulnerability is present across all architectures that compile the NFS server module and is not limited to a particular distribution.

Risk and Exploitability

Exploitation requires access to the kernel's NFS subsystem, implying local or privileged execution capability. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, so the current likelihood of exploitation is uncertain. Nonetheless, the CVSS score is 5.5, indicating a moderate impact. From the description, the likely attack vector is local exploitation through the NFS or sendmsg path. An attacker with local privileges could repeatedly trigger the leak, increasing the risk of resource exhaustion or stability degradation.

Generated by OpenCVE AI on May 9, 2026 at 03:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a version that incorporates the commit that fixes the credential refcount leak (019debe5851d7355bea9ff0248cc317878924d8f).
  • Restart the NFS service or reboot the system to ensure the patched kernel is active.
  • If an immediate kernel upgrade is not possible, consider disabling or throttling NFS-related traffic to reduce the opportunity for the leak to accumulate.



Advisories

No advisories yet.

History

Sat, 09 May 2026 02:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-775

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-772
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Fri, 08 May 2026 18:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-775

Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: nfsd: Fix cred ref leak in nfsd_nl_listener_set_doit(). nfsd_nl_listener_set_doit() uses get_current_cred() without put_cred(). As we can see from other callers, svc_xprt_create_from_sa() does not require the extra refcount. nfsd_nl_listener_set_doit() is always in the process context, sendmsg(), and current->cred does not go away. Let's use current_cred() in nfsd_nl_listener_set_doit().
Title nfsd: Fix cred ref leak in nfsd_nl_listener_set_doit().
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-08T14:21:38.127Z

Reserved: 2026-05-01T14:12:56.007Z

Link: CVE-2026-43394

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T15:16:50.800

Modified: 2026-05-08T15:16:50.800

Link: CVE-2026-43394

Redhat

Severity : Moderate

Public Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43394 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-09T04:00:14Z

Weaknesses