Skip to main content

Linux Kernel EUVDEUVD-2026-39195

| CVE-2026-53244 HIGH
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-q9qr-5342-rrw2
7.5
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.9 MEDIUM

Remotely reachable via NFS (AV:N) but requires an export using ->atomic_create and a triggered callback error, so AC:H; availability-only impact (A:H), no confidentiality or integrity effect.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 28, 2026 - 09:41 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.5 (HIGH)
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 7.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

VFS: fix possible failure to unlock in nfsd4_create_file()

atomic_create() in fs/namei.c drops the reference to the dentry when it returns an error. This behaviour was imported into dentry_create() so that it will drop the reference if an error is returned from atomic_create(), though not if vfs_create() returns an error (in the case where ->atomic_create is not supported).

The caller - nfsd4_create_file() - is made aware of this by checking path->dentry, which will either be a counted reference to a dentry, or an error pointer.

However the change to use start_creating()/end_creating() (which landed shortly before the dentry_create() change landed, though was likely developed around the same time) means that nfsd4_create_file() *needs* a valid dentry so that it can unlock the parent.

The net result is that if NFSD exports a filesystem which uses ->atomic_create, and if a call to ->atomic_create returns an error, then nfsd4_create_file() will pass an error pointer to end_creating() and the parent will not be unlocked.

Fix this by changing dentry_create() to make sure path->dentry is always a valid dentry, never an error-pointer. The actual error is already returned a different way.

Note that if ->atomic_create() returns a different dentry (which may not be possible in practice) we are guaranteed (because it is only ever provided by d_spliace_alias()) that it will have the same d_parent and so it will have the same effect when passed to end_creating().

AnalysisAI

Denial of service in the Linux kernel's NFSD server affects systems that export filesystems implementing the VFS ->atomic_create operation. A mismatch between the dentry_create() error-handling contract and the newer start_creating()/end_creating() locking pattern means that when ->atomic_create returns an error, nfsd4_create_file() passes an error pointer to end_creating() and never unlocks the parent directory inode, leaving the lock permanently held. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach NFSD export over network
Delivery
Issue NFSv4 file-create on atomic_create filesystem
Exploit
->atomic_create returns error
Execution
end_creating() receives error pointer
Persist
Parent inode lock never released
Impact
NFS service hangs for clients

Vulnerability AssessmentAI

Exploitation Exploitation requires the NFSD server to export a filesystem whose VFS layer implements the ->atomic_create operation, AND a call to ->atomic_create must return an error during a file-create request - that error path is what fails to unlock the parent inode. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An NFS client with access to a server that exports a filesystem implementing ->atomic_create issues a file-creation request crafted to make the underlying ->atomic_create callback fail. The error path in nfsd4_create_file() leaves the parent directory inode locked, so subsequent operations on that directory hang, degrading or denying service to all clients. …
Remediation Upstream fix available (commits e824bbd4d224cce4b5fb59cc9dcd3447fe0b7e44 and ee1f40759a50b1800c98c1c369afd5b3e44ad987 at git.kernel.org/stable); per EUVD the corrected stable releases are referenced as 7.0.13 and 7.1, so update to your distribution's kernel build that incorporates these commits. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify which systems export NFS filesystems and determine which support the VFS ->atomic_create operation; establish monitoring for NFS lock contention and service stalls. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39195 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy