FKIE_CVE-2026-23297

Vulnerability from fkie_nvd - Published: 2026-03-25 11:16 - Updated: 2026-03-25 15:41
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: nfsd: Fix cred ref leak in nfsd_nl_threads_set_doit(). syzbot reported memory leak of struct cred. [0] nfsd_nl_threads_set_doit() passes get_current_cred() to nfsd_svc(), but put_cred() is not called after that. The cred is finally passed down to _svc_xprt_create(), which calls get_cred() with the cred for struct svc_xprt. The ownership of the refcount by get_current_cred() is not transferred to anywhere and is just leaked. nfsd_svc() is also called from write_threads(), but it does not bump file->f_cred there. nfsd_nl_threads_set_doit() is called from sendmsg() and current->cred does not go away. Let's use current_cred() in nfsd_nl_threads_set_doit(). [0]: BUG: memory leak unreferenced object 0xffff888108b89480 (size 184): comm "syz-executor", pid 5994, jiffies 4294943386 hex dump (first 32 bytes): 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc 369454a7): kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] slab_post_alloc_hook mm/slub.c:4958 [inline] slab_alloc_node mm/slub.c:5263 [inline] kmem_cache_alloc_noprof+0x412/0x580 mm/slub.c:5270 prepare_creds+0x22/0x600 kernel/cred.c:185 copy_creds+0x44/0x290 kernel/cred.c:286 copy_process+0x7a7/0x2870 kernel/fork.c:2086 kernel_clone+0xac/0x6e0 kernel/fork.c:2651 __do_sys_clone+0x7f/0xb0 kernel/fork.c:2792 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/1cb968a2013ffa8112d52ebe605009ea1c6a582c
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/27c13c5bb0948e3b5c64e59f8a903231896fab9b
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/41170716421c25cd20b39e83f0e0762e212b377b
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/a3f88e3e18b51a7f654189189c762ebcdeaa7e29
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: Fix cred ref leak in nfsd_nl_threads_set_doit().\n\nsyzbot reported memory leak of struct cred. [0]\n\nnfsd_nl_threads_set_doit() passes get_current_cred() to\nnfsd_svc(), but put_cred() is not called after that.\n\nThe cred is finally passed down to _svc_xprt_create(),\nwhich calls get_cred() with the cred for struct svc_xprt.\n\nThe ownership of the refcount by get_current_cred() is not\ntransferred to anywhere and is just leaked.\n\nnfsd_svc() is also called from write_threads(), but it does\nnot bump file-\u003ef_cred there.\n\nnfsd_nl_threads_set_doit() is called from sendmsg() and\ncurrent-\u003ecred does not go away.\n\nLet\u0027s use current_cred() in nfsd_nl_threads_set_doit().\n\n[0]:\nBUG: memory leak\nunreferenced object 0xffff888108b89480 (size 184):\n  comm \"syz-executor\", pid 5994, jiffies 4294943386\n  hex dump (first 32 bytes):\n    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace (crc 369454a7):\n    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\n    slab_post_alloc_hook mm/slub.c:4958 [inline]\n    slab_alloc_node mm/slub.c:5263 [inline]\n    kmem_cache_alloc_noprof+0x412/0x580 mm/slub.c:5270\n    prepare_creds+0x22/0x600 kernel/cred.c:185\n    copy_creds+0x44/0x290 kernel/cred.c:286\n    copy_process+0x7a7/0x2870 kernel/fork.c:2086\n    kernel_clone+0xac/0x6e0 kernel/fork.c:2651\n    __do_sys_clone+0x7f/0xb0 kernel/fork.c:2792\n    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n    do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94\n    entry_SYSCALL_64_after_hwframe+0x77/0x7f"
    }
  ],
  "id": "CVE-2026-23297",
  "lastModified": "2026-03-25T15:41:33.977",
  "metrics": {},
  "published": "2026-03-25T11:16:25.167",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/1cb968a2013ffa8112d52ebe605009ea1c6a582c"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/27c13c5bb0948e3b5c64e59f8a903231896fab9b"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/41170716421c25cd20b39e83f0e0762e212b377b"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/a3f88e3e18b51a7f654189189c762ebcdeaa7e29"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.