Description
In the Linux kernel, the following vulnerability has been resolved:

VFS: fix possible failure to unlock in nfsd4_create_file()

atomic_create() in fs/namei.c drops the reference to the dentry
when it returns an error.
This behaviour was imported into dentry_create() so that it
will drop the reference if an error is returned from atomic_create(),
though not if vfs_create() returns an error (in the case where
->atomic_create is not supported).

The caller - nfsd4_create_file() - is made aware of this by checking
path->dentry, which will either be a counted reference to a dentry, or
an error pointer.

However the change to use start_creating()/end_creating() (which landed
shortly before the dentry_create() change landed, though was likely
developed around the same time) means that nfsd4_create_file() *needs* a
valid dentry so that it can unlock the parent.

The net result is that if NFSD exports a filesystem which uses
->atomic_create, and if a call to ->atomic_create returns an error, then
nfsd4_create_file() will pass an error pointer to end_creating()
and the parent will not be unlocked.

Fix this by changing dentry_create() to make sure path->dentry is always
a valid dentry, never an error-pointer. The actual error is already
returned a different way.

Note that if ->atomic_create() returns a different dentry (which may not
be possible in practice) we are guaranteed (because it is only ever
provided by d_splice_alias()) that it will have the same d_parent and
so it will have the same effect when passed to end_creating().
Published: 2026-06-25
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel’s VFS, the NFS server routine nfsd4_create_file() must release a parent directory lock with end_creating(). When file creation is performed through atomic_create() and that call fails, nfsd4_create_file() receives an error pointer and passes it to end_creating(), which then fails to unlock the parent. The mis‑ordered unlock logic leaves the parent lock held, preventing any further write or creation operations in that directory until the lock is forcibly released or the system is restarted. The flaw is a classic resource‑leak bug (CWE‑773) caused by improper lock handling (CWE‑547).
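The failure path described above, as an added userspace model (not kernel code and not part of the advisory): every function and type name is a hypothetical stand-in, and the way the modelled end_creating() skips an error pointer is an assumption made to reproduce the behaviour the description states.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model only: every name below is a hypothetical stand-in. */
struct dir { bool locked; };
struct dentry { struct dir *d_parent; int refs; };

static bool is_err(const void *p) { return (uintptr_t)p >= (uintptr_t)-4095; }

/* Models start_creating(): lock the parent, hand back a counted child. */
static struct dentry *model_start_creating(struct dir *parent, struct dentry *child)
{
    parent->locked = true;
    child->d_parent = parent;
    child->refs = 1;
    return child;
}

/* Models end_creating(): the parent is reached through the child, so an
 * error pointer is skipped and nothing is unlocked (assumption of this model). */
static void model_end_creating(struct dentry *child)
{
    if (is_err(child)) return;
    child->d_parent->locked = false;
    child->refs--;
}

/* Models dentry_create() when ->atomic_create fails with a constructed -EIO. */
static int model_dentry_create(struct dentry **slot, bool fixed)
{
    if (!fixed) {                                 /* behaviour before the fix */
        (*slot)->refs--;                          /* reference dropped on error */
        *slot = (struct dentry *)(intptr_t)-EIO;  /* error pointer stored */
    }                                             /* fixed: slot stays valid */
    return -EIO;                                  /* error returned separately */
}

/* Caller shaped like nfsd4_create_file(); true means the lock leaked. */
static bool parent_left_locked(bool fixed)
{
    struct dir parent = { false };
    struct dentry child, *d = model_start_creating(&parent, &child);
    (void)model_dentry_create(&d, fixed);         /* error ignored in this model */
    model_end_creating(d);
    return parent.locked;
}

int main(void)
{
    printf("unfixed: %d, fixed: %d\n", parent_left_locked(false), parent_left_locked(true));
    return 0;
}
```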

Affected Systems

Any Linux kernel running the unpatched VFS code is affected, and specifically NFS servers that export filesystems and call atomic_create() during file creation. The bug is present in all kernel versions before the patch commit referenced in the advisory; therefore systems with older or unpatched kernels exposing NFS shares using the atomic_create API are potentially impacted.

Risk and Exploitability

The advisory does not provide a CVSS score or an EPSS probability, and the vulnerability is not listed in the CISA KEV catalog, indicating no publicly known exploitation yet. However, the error‑induced lock leak can be triggered by sending malformed or large create requests over the network to an exposed NFS server. Once triggered, the lock will remain held, effectively denying all clients write access to that directory and causing a denial of service. The risk is moderate, but the impact on service availability warrants immediate attention.

Generated by OpenCVE AI on June 25, 2026 at 12:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel update that contains the patch to nfsd4_create_file unlock logic to ensure the parent directory is always unlocked after a failed creation attempt.
  • Reconfigure or disable NFS exports that rely on the atomic_create path until the vulnerability is remediated, or enforce the use of safer file‑creation routines in the export options.
  • Monitor NFS server logs for repeated create failures and investigate any locked directory conditions, restarting the NFS service if a lock persists beyond normal timeouts.



Advisories

No advisories yet.

History

Thu, 25 Jun 2026 12:30:00 +0000

Weaknesses added: CWE-547, CWE-773

Thu, 25 Jun 2026 09:15:00 +0000

Values added:
Description: same text as the Description section at the top of this page
Title: VFS: fix possible failure to unlock in nfsd4_create_file()
First Time appeared: Linux; Linux linux Kernel
CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products: Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:38.468Z

Reserved: 2026-06-09T07:44:35.393Z

Link: CVE-2026-53244

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T12:15:03Z

Weaknesses
  • CWE-547

    Use of Hard-coded, Security-relevant Constants

  • CWE-773

    Missing Reference to Active File Descriptor or Handle