Description
In the Linux kernel, the following vulnerability has been resolved:

NFSD: fix nfs4_file access extra count in nfsd4_add_rdaccess_to_wrdeleg

In nfsd4_add_rdaccess_to_wrdeleg, if fp->fi_fds[O_RDONLY] is already
set by another thread, __nfs4_file_get_access should not be called
to increment the nfs4_file access count since that was already done
by the thread that added READ access to the file. The extra fi_access
count in nfs4_file can prevent the corresponding nfsd_file from being
freed.

When stopping nfs-server service, these extra access counts trigger a
BUG in kmem_cache_destroy() that shows nfsd_file object remaining on
__kmem_cache_shutdown.

This problem can be reproduced by running the Git project's test
suite over NFS.
Published: 2026-06-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw in nfsd4_add_rdaccess_to_wrdeleg is a reference‑counting error delineated as CWE‑911, allowing an NFS client thread to over‑increment the reference counter of an nfs4_file object. When the NFS server stops, the inflated counter prevents the corresponding nfsd_file from being freed. The unfinished kernel object triggers a BUG in kmem_cache_destroy() as the cache is torn down, potentially corrupting memory or causing a crash. This affects the integrity and availability of the NFS service during termination.

Affected Systems

The vulnerability exists in all Linux kernel versions that contain the buggy nfsd4 implementation, regardless of distribution. Any system running nfs-server and handling concurrent NFSv4 access can be exposed until the patch is applied. The issue is not limited to a particular vendor; it applies to the upstream Linux kernel shared by all distributions.

Risk and Exploitability

No public exploitation reports exist, and the EPSS score is < 1%, but the lack of a KEV listing does not diminish the potential impact. Based on the description, it is inferred that an attacker with network access to the NFS server could trigger the condition by generating high volumes of concurrent read and write delegations. The risk is significant if the NFS service is part of a critical infrastructure, as it can lead to kernel instability or denial of service. The CVSS score of 7.5 indicates a high severity, but the kernel BUG and memory leak also indicate a significant risk.

Generated by OpenCVE AI on June 28, 2026 at 13:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Patch the kernel to a version that fixes the nfsd4_add_rdaccess_to_wrdeleg reference‑counting flaw (CWE‑911) by applying the upstream patch commits listed in the advisory.
  • If the distribution, manually cherry‑pick the commits from the Linux kernel tree, rebuild the kernel, and install the new image to eliminate the improper access count increment that leads to the memory leak identified by CWE‑911.
  • After upgrading or patching, restart the nfs-server service and monitor for kernel BUG or enable debug mode for reference counting to detect any residual over‑increments that could still trigger a CWE‑911 failure during shutdown.

Generated by OpenCVE AI on June 28, 2026 at 13:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-911
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: NFSD: fix nfs4_file access extra count in nfsd4_add_rdaccess_to_wrdeleg In nfsd4_add_rdaccess_to_wrdeleg, if fp->fi_fds[O_RDONLY] is already set by another thread, __nfs4_file_get_access should not be called to increment the nfs4_file access count since that was already done by the thread that added READ access to the file. The extra fi_access count in nfs4_file can prevent the corresponding nfsd_file from being freed. When stopping nfs-server service, these extra access counts trigger a BUG in kmem_cache_destroy() that shows nfsd_file object remaining on __kmem_cache_shutdown. This problem can be reproduced by running the Git project's test suite over NFS.
Title NFSD: fix nfs4_file access extra count in nfsd4_add_rdaccess_to_wrdeleg
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:38:15.626Z

Reserved: 2026-06-09T07:44:35.379Z

Link: CVE-2026-53026

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-53026 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T13:45:06Z

Weaknesses
  • CWE-911

    Improper Update of Reference Count