FKIE_CVE-2026-23297

Vulnerability from fkie_nvd - Published: 2026-03-25 11:16 - Updated: 2026-03-25 15:41
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: nfsd: Fix cred ref leak in nfsd_nl_threads_set_doit(). syzbot reported memory leak of struct cred. [0] nfsd_nl_threads_set_doit() passes get_current_cred() to nfsd_svc(), but put_cred() is not called after that. The cred is finally passed down to _svc_xprt_create(), which calls get_cred() with the cred for struct svc_xprt. The ownership of the refcount by get_current_cred() is not transferred to anywhere and is just leaked. nfsd_svc() is also called from write_threads(), but it does not bump file->f_cred there. nfsd_nl_threads_set_doit() is called from sendmsg() and current->cred does not go away. Let's use current_cred() in nfsd_nl_threads_set_doit(). [0]: BUG: memory leak unreferenced object 0xffff888108b89480 (size 184): comm "syz-executor", pid 5994, jiffies 4294943386 hex dump (first 32 bytes): 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc 369454a7): kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] slab_post_alloc_hook mm/slub.c:4958 [inline] slab_alloc_node mm/slub.c:5263 [inline] kmem_cache_alloc_noprof+0x412/0x580 mm/slub.c:5270 prepare_creds+0x22/0x600 kernel/cred.c:185 copy_creds+0x44/0x290 kernel/cred.c:286 copy_process+0x7a7/0x2870 kernel/fork.c:2086 kernel_clone+0xac/0x6e0 kernel/fork.c:2651 __do_sys_clone+0x7f/0xb0 kernel/fork.c:2792 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/1cb968a2013ffa8112d52ebe605009ea1c6a582c
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/27c13c5bb0948e3b5c64e59f8a903231896fab9b
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/41170716421c25cd20b39e83f0e0762e212b377b
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/a3f88e3e18b51a7f654189189c762ebcdeaa7e29
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: Fix cred ref leak in nfsd_nl_threads_set_doit().\n\nsyzbot reported memory leak of struct cred. [0]\n\nnfsd_nl_threads_set_doit() passes get_current_cred() to\nnfsd_svc(), but put_cred() is not called after that.\n\nThe cred is finally passed down to _svc_xprt_create(),\nwhich calls get_cred() with the cred for struct svc_xprt.\n\nThe ownership of the refcount by get_current_cred() is not\ntransferred to anywhere and is just leaked.\n\nnfsd_svc() is also called from write_threads(), but it does\nnot bump file-\u003ef_cred there.\n\nnfsd_nl_threads_set_doit() is called from sendmsg() and\ncurrent-\u003ecred does not go away.\n\nLet\u0027s use current_cred() in nfsd_nl_threads_set_doit().\n\n[0]:\nBUG: memory leak\nunreferenced object 0xffff888108b89480 (size 184):\n  comm \"syz-executor\", pid 5994, jiffies 4294943386\n  hex dump (first 32 bytes):\n    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace (crc 369454a7):\n    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\n    slab_post_alloc_hook mm/slub.c:4958 [inline]\n    slab_alloc_node mm/slub.c:5263 [inline]\n    kmem_cache_alloc_noprof+0x412/0x580 mm/slub.c:5270\n    prepare_creds+0x22/0x600 kernel/cred.c:185\n    copy_creds+0x44/0x290 kernel/cred.c:286\n    copy_process+0x7a7/0x2870 kernel/fork.c:2086\n    kernel_clone+0xac/0x6e0 kernel/fork.c:2651\n    __do_sys_clone+0x7f/0xb0 kernel/fork.c:2792\n    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n    do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94\n    entry_SYSCALL_64_after_hwframe+0x77/0x7f"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnfsd: Corrige la fuga de referencia de cred en nfsd_nl_threads_set_doit().\n\nsyzbot inform\u00f3 una fuga de memoria de la estructura cred. [0]\n\nnfsd_nl_threads_set_doit() pasa get_current_cred() a nfsd_svc(), pero put_cred() no es llamada despu\u00e9s de eso.\n\nEl cred es finalmente pasado a _svc_xprt_create(), que llama a get_cred() con el cred para la estructura svc_xprt.\n\nLa propiedad del contador de referencias por get_current_cred() no es transferida a ning\u00fan lugar y simplemente se fuga.\n\nnfsd_svc() tambi\u00e9n es llamada desde write_threads(), pero no incrementa file-\u0026gt;f_cred all\u00ed.\n\nnfsd_nl_threads_set_doit() es llamada desde sendmsg() y current-\u0026gt;cred no desaparece.\n\nUsemos current_cred() en nfsd_nl_threads_set_doit().\n\n[0]:\nERROR: fuga de memoria\nobjeto sin referencia 0xffff888108b89480 (tama\u00f1o 184):\n  comm \u0027syz-executor\u0027, pid 5994, jiffies 4294943386\n  volcado hexadecimal (primeros 32 bytes):\n    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace (crc 369454a7):\n    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\n    slab_post_alloc_hook mm/slub.c:4958 [inline]\n    slab_alloc_node mm/slub.c:5263 [inline]\n    kmem_cache_alloc_noprof+0x412/0x580 mm/slub.c:5270\n    prepare_creds+0x22/0x600 kernel/cred.c:185\n    copy_creds+0x44/0x290 kernel/cred.c:286\n    copy_process+0x7a7/0x2870 kernel/fork.c:2086\n    kernel_clone+0xac/0x6e0 kernel/fork.c:2651\n    __do_sys_clone+0x7f/0xb0 kernel/fork.c:2792\n    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n    do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94\n    entry_SYSCALL_64_after_hwframe+0x77/0x7f"
    }
  ],
  "id": "CVE-2026-23297",
  "lastModified": "2026-03-25T15:41:33.977",
  "metrics": {},
  "published": "2026-03-25T11:16:25.167",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/1cb968a2013ffa8112d52ebe605009ea1c6a582c"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/27c13c5bb0948e3b5c64e59f8a903231896fab9b"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/41170716421c25cd20b39e83f0e0762e212b377b"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/a3f88e3e18b51a7f654189189c762ebcdeaa7e29"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.