Skip to main content

Linux Kernel CVE-2026-45983

| EUVDEUVD-2026-32268 MEDIUM
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-wrmj-c6w7-44cr
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local access and low privileges required to trigger idmap upcall; only availability impact via stuck session slot; no data exposure or integrity effect.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
7.0 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 03:00 vuln.today
CVSS changed
Jun 16, 2026 - 02:52 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

nfsd: never defer requests during idmap lookup

During v4 request compound arg decoding, some ops (e.g. SETATTR) can trigger idmap lookup upcalls. When those upcall responses get delayed beyond the allowed time limit, cache_check() will mark the request for deferral and cause it to be dropped.

This prevents nfs4svc_encode_compoundres from being executed, and thus the session slot flag NFSD4_SLOT_INUSE never gets cleared. Subsequent client requests will fail with NFSERR_JUKEBOX, given that the slot will be marked as in-use, making the SEQUENCE op fail.

Fix this by making sure that the RQ_USEDEFERRAL flag is always clear during nfs4svc_decode_compoundargs(), since no v4 request should ever be deferred.

AnalysisAI

NFSv4 server slot exhaustion in the Linux kernel nfsd subsystem causes persistent denial of service for NFS clients when idmap upcall delays occur during compound argument decoding. Specifically, when a SETATTR or similar compound operation triggers an idmap lookup upcall that exceeds the allowed time limit, cache_check() sets RQ_USEDEFERRAL and drops the request before nfs4svc_encode_compoundres() can execute - meaning the NFSD4_SLOT_INUSE session slot flag is never cleared. All subsequent client requests on that session slot fail with NFSERR_JUKEBOX indefinitely. No public exploit has been identified and EPSS is 0.02% (7th percentile), indicating no active exploitation pressure; this is a logic flaw with confirmed upstream patches across all major stable branches.

Technical ContextAI

The vulnerability resides in the Linux kernel's NFS server daemon (nfsd), specifically the NFSv4 compound request processing path. NFSv4.1+ uses a session slot table to track in-flight requests; each slot carries an NFSD4_SLOT_INUSE flag that must be explicitly cleared after the response is encoded. During nfs4svc_decode_compoundargs(), certain operations (e.g., SETATTR) may invoke user-space identity mapping (idmap) via the kernel's cache upcall mechanism - typically serviced by rpc.idmapd or nfsidmap. If the upcall response is delayed beyond cache_check()'s tolerance threshold, the kernel sets the RQ_USEDEFERRAL flag and effectively abandons the request. Because the encoding function nfs4svc_encode_compoundres() is never reached, no slot cleanup occurs. The CWE is listed as N/A in source data, but this is best characterized as a resource management / incorrect cleanup flaw (analogous to CWE-459: Incomplete Cleanup) triggered by a race between kernel request deferral logic and NFSv4 session slot lifecycle management. Affected CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* from introductory commit 2f425878b6a7 (present since Linux 2.6.30).

RemediationAI

Upgrade to a patched kernel version: 5.10.252+, 5.15.202+, 6.1.165+, 6.6.128+, 6.12.75+, 6.18.14+, 6.19.4+, or 7.0+. Fix commits are available at git.kernel.org stable tree references: https://git.kernel.org/stable/c/063a6f22478ef929625000a2caf54667725c1dfd (and sibling commits for each branch). The kernel-level fix clears the RQ_USEDEFERRAL flag unconditionally at the start of nfs4svc_decode_compoundargs() so NFSv4 compound requests are never deferred. As a compensating control prior to patching, ensure the idmap daemon (rpc.idmapd or nfsidmap) is highly available and responsive: configure local /etc/idmapd.conf to use static file-based mappings where feasible, increase idmap cache timeouts to reduce upcall frequency, or ensure LDAP/AD backend latency is well within rpcidmapd's response window. Note that these workarounds reduce but do not eliminate the trigger condition. Disabling NFSv4.1+ in favor of NFSv4.0 (which does not use session slots the same way) is a more disruptive but effective mitigation; this will reduce concurrency and may affect client performance.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
Container suse/sl-micro/6.0/base-os-container:2.1.3-7.158 Container suse/sl-micro/6.1/base-os-container:2.2.1-5.144 Affected
Container suse/sl-micro/6.0/kvm-os-container:2.1.3-6.173 Container suse/sl-micro/6.1/kvm-os-container:2.2.1-5.144 Affected
SUSE Linux Micro 6.0 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected

Share

CVE-2026-45983 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy