Skip to main content

Linux EUVDEUVD-2026-15231

| CVE-2026-23297 MEDIUM
Memory Leak (CWE-401)
2026-03-25 Linux GHSA-pxcg-3rj5-5gx5
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
May 29, 2026 - 14:37 NVD
5.5 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15231
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:26 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

nfsd: Fix cred ref leak in nfsd_nl_threads_set_doit().

syzbot reported memory leak of struct cred. [0]

nfsd_nl_threads_set_doit() passes get_current_cred() to nfsd_svc(), but put_cred() is not called after that.

The cred is finally passed down to _svc_xprt_create(), which calls get_cred() with the cred for struct svc_xprt.

The ownership of the refcount by get_current_cred() is not transferred to anywhere and is just leaked.

nfsd_svc() is also called from write_threads(), but it does not bump file->f_cred there.

nfsd_nl_threads_set_doit() is called from sendmsg() and current->cred does not go away.

Let's use current_cred() in nfsd_nl_threads_set_doit().

[0]: BUG: memory leak unreferenced object 0xffff888108b89480 (size 184): comm "syz-executor", pid 5994, jiffies 4294943386 hex dump (first 32 bytes): 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc 369454a7): kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] slab_post_alloc_hook mm/slub.c:4958 [inline] slab_alloc_node mm/slub.c:5263 [inline] kmem_cache_alloc_noprof+0x412/0x580 mm/slub.c:5270 prepare_creds+0x22/0x600 kernel/cred.c:185 copy_creds+0x44/0x290 kernel/cred.c:286 copy_process+0x7a7/0x2870 kernel/fork.c:2086 kernel_clone+0xac/0x6e0 kernel/fork.c:2651 __do_sys_clone+0x7f/0xb0 kernel/fork.c:2792 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f

AnalysisAI

A credential reference leak exists in the Linux kernel's nfsd (NFS daemon) subsystem, specifically in the nfsd_nl_threads_set_doit() function which handles netlink-based thread configuration. The vulnerability affects all Linux kernel versions containing the vulnerable nfsd code path, allowing local users with netlink access to trigger memory leaks of credential structures through repeated invocations of the affected function. While not directly exploitable for privilege escalation or data theft, the memory leak can lead to denial of service through resource exhaustion and enables information disclosure via leaked kernel memory structures.

Technical ContextAI

The vulnerability resides in the NFS daemon (nfsd) kernel subsystem, which implements the NFS protocol for file sharing. The root cause is a credential reference counting error where nfsd_nl_threads_set_doit() calls get_current_cred() to obtain a reference to the current task's credential structure, then passes this reference to nfsd_svc(). However, the reference is never released via put_cred(), violating the reference counting contract. The function uses get_current_cred() (which increments the refcount) instead of current_cred() (which does not), and the obtained reference is subsequently transferred to svc_xprt creation where another get_cred() increments it again, but the initial reference from get_current_cred() remains unbalanced. This is a classic use-after-free prevention mechanism failure—the kernel's credential management system (defined in kernel/cred.c) relies on proper paired increment/decrement of refcounts for memory safety. Affected product: Linux kernel (cpe:2.3:a:linux:linux), all versions containing the vulnerable nfsd code path prior to the fix commits.

RemediationAI

Upgrade the Linux kernel to a patched version containing one of the referenced fix commits (41170716421c25cd20b39e83f0e0762e212b377b, 27c13c5bb0948e3b5c64e59f8a903231896fab9b, a3f88e3e18b51a7f654189189c762ebcdeaa7e29, or 1cb968a2013ffa8112d52ebe605009ea1c6a582c) available at https://git.kernel.org/stable/. Contact your Linux distribution (Red Hat, Ubuntu, Debian, SUSE, etc.) for backported kernel updates for your supported stable release branch. Until patching is feasible, restrict netlink access using SELinux or AppArmor policies to prevent untrusted local users from invoking nfsd netlink configuration functions, and monitor kernel memory pressure via /proc/sysinfo and kmemleak output for signs of exploitation. For systems unable to patch immediately, disable nfsd netlink configuration interfaces if not required for operational procedures.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm not-affected - -
bookworm (security) fixed 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-15231 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy