Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Remotely reachable via NFS (AV:N) but requires an export using ->atomic_create and a triggered callback error, so AC:H; availability-only impact (A:H), no confidentiality or integrity effect.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
VFS: fix possible failure to unlock in nfsd4_create_file()
atomic_create() in fs/namei.c drops the reference to the dentry when it returns an error. This behaviour was imported into dentry_create() so that it will drop the reference if an error is returned from atomic_create(), though not if vfs_create() returns an error (in the case where ->atomic_create is not supported).
The caller - nfsd4_create_file() - is made aware of this by checking path->dentry, which will either be a counted reference to a dentry, or an error pointer.
However the change to use start_creating()/end_creating() (which landed shortly before the dentry_create() change landed, though was likely developed around the same time) means that nfsd4_create_file() *needs* a valid dentry so that it can unlock the parent.
The net result is that if NFSD exports a filesystem which uses ->atomic_create, and if a call to ->atomic_create returns an error, then nfsd4_create_file() will pass an error pointer to end_creating() and the parent will not be unlocked.
Fix this by changing dentry_create() to make sure path->dentry is always a valid dentry, never an error-pointer. The actual error is already returned a different way.
Note that if ->atomic_create() returns a different dentry (which may not be possible in practice) we are guaranteed (because it is only ever provided by d_spliace_alias()) that it will have the same d_parent and so it will have the same effect when passed to end_creating().
AnalysisAI
Denial of service in the Linux kernel's NFSD server affects systems that export filesystems implementing the VFS ->atomic_create operation. A mismatch between the dentry_create() error-handling contract and the newer start_creating()/end_creating() locking pattern means that when ->atomic_create returns an error, nfsd4_create_file() passes an error pointer to end_creating() and never unlocks the parent directory inode, leaving the lock permanently held. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the NFSD server to export a filesystem whose VFS layer implements the ->atomic_create operation, AND a call to ->atomic_create must return an error during a file-create request - that error path is what fails to unlock the parent inode. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An NFS client with access to a server that exports a filesystem implementing ->atomic_create issues a file-creation request crafted to make the underlying ->atomic_create callback fail. The error path in nfsd4_create_file() leaves the parent directory inode locked, so subsequent operations on that directory hang, degrading or denying service to all clients. … |
| Remediation | Upstream fix available (commits e824bbd4d224cce4b5fb59cc9dcd3447fe0b7e44 and ee1f40759a50b1800c98c1c369afd5b3e44ad987 at git.kernel.org/stable); per EUVD the corrected stable releases are referenced as 7.0.13 and 7.1, so update to your distribution's kernel build that incorporates these commits. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify which systems export NFS filesystems and determine which support the VFS ->atomic_create operation; establish monitoring for NFS lock contention and service stalls. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39195
GHSA-q9qr-5342-rrw2