Skip to main content

Linux Kernel NFSD CVE-2026-43394

| EUVDEUVD-2026-28700 MEDIUM
Memory Leak (CWE-401)
2026-05-08 Linux GHSA-h5f4-6rm7-58wm
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 08, 2026 - 12:42 vuln.today
CVSS changed
May 26, 2026 - 14:52 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:21 nvd
MEDIUM 5.5
CVE Published
May 08, 2026 - 14:21 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

nfsd: Fix cred ref leak in nfsd_nl_listener_set_doit().

nfsd_nl_listener_set_doit() uses get_current_cred() without put_cred().

As we can see from other callers, svc_xprt_create_from_sa() does not require the extra refcount.

nfsd_nl_listener_set_doit() is always in the process context, sendmsg(), and current->cred does not go away.

Let's use current_cred() in nfsd_nl_listener_set_doit().

AnalysisAI

Credential reference leak in the Linux kernel's NFS server daemon (nfsd) subsystem allows a local low-privileged user to cause a denial of service through kernel memory exhaustion. The vulnerable function nfsd_nl_listener_set_doit() calls get_current_cred() without a matching put_cred(), leaking one credential reference on each invocation. No active exploitation has been identified (EPSS 0.02%, 5th percentile; not listed in CISA KEV), and patches are available across multiple stable kernel branches.

Technical ContextAI

The vulnerability resides in the Linux kernel's NFSD (Network File System Daemon) subsystem within nfsd_nl_listener_set_doit(), which handles Netlink-based requests to configure NFS server listeners. The root cause (CWE-401: Missing Release of Memory after Effective Lifetime) is a credential reference count imbalance: get_current_cred() increments the reference count on the calling task's credential structure, but the corresponding put_cred() was omitted. Since svc_xprt_create_from_sa() does not consume the extra reference, and current->cred is guaranteed stable throughout the sendmsg() process context, the correct fix is to use current_cred() - which reads the credential pointer without incrementing the reference count. Each invocation of the vulnerable codepath leaks one credential reference; accumulated over time, unreleased credential structures prevent the kernel from reclaiming memory, ultimately exhausting kernel memory. CPE cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:* covers the affected Linux kernel codebase, with the vulnerability introduced at commit 16a471177496c8e04a9793812c187a2c1a2192fa.

RemediationAI

Upgrade to a patched Linux kernel version: 6.12.78 or later for the 6.12 stable series, 6.18.19 or later for the 6.18 series, 6.19.9 or later for the 6.19 series, or kernel 7.0 for mainline. The upstream fix commits are available at https://git.kernel.org/stable/c/02e87ec0bc706cb93fa47b43d18c4d10102c7d54, https://git.kernel.org/stable/c/019debe5851d7355bea9ff0248cc317878924d8f, https://git.kernel.org/stable/c/cba413765376bb466035c9160fa3130402971e2c, and https://git.kernel.org/stable/c/92978c83bb4eef55d02a6c990c01c423131eefa7. If kernel patching is not immediately feasible, a compensating control is to prevent untrusted local users from loading the nfsd kernel module or accessing the NFSD Netlink interface - for example, restricting module loading via kernel.modules_disabled or using SELinux/AppArmor policies to block nfsd Netlink access; note these controls may disrupt NFS server management operations. Red Hat and SUSE should be monitored for distribution-specific kernel security updates incorporating these fixes.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43394 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy