CVE-2023-54276
Unknown Unknown - Not Provided
NULL Pointer Dereference in Linux NFSd Reply Cache Stats

Publication date: 2025-12-30

Last updated on: 2025-12-30

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: nfsd: move init of percpu reply_cache_stats counters back to nfsd_init_net Commit f5f9d4a314da ("nfsd: move reply cache initialization into nfsd startup") moved the initialization of the reply cache into nfsd startup, but didn't account for the stats counters, which can be accessed before nfsd is ever started. The result can be a NULL pointer dereference when someone accesses /proc/fs/nfsd/reply_cache_stats while nfsd is still shut down. This is a regression and a user-triggerable oops in the right situation: - non-x86_64 arch - /proc/fs/nfsd is mounted in the namespace - nfsd is not started in the namespace - unprivileged user calls "cat /proc/fs/nfsd/reply_cache_stats" Although this is easy to trigger on some arches (like aarch64), on x86_64, calling this_cpu_ptr(NULL) evidently returns a pointer to the fixed_percpu_data. That struct looks just enough like a newly initialized percpu var to allow nfsd_reply_cache_stats_show to access it without Oopsing. Move the initialization of the per-net+per-cpu reply-cache counters back into nfsd_init_net, while leaving the rest of the reply cache allocations to be done at nfsd startup time. Kudos to Eirik who did most of the legwork to track this down.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-30
Last Modified
2025-12-30
Generated
2026-05-07
AI Q&A
2025-12-30
EPSS Evaluated
2026-05-05
NVD
CVE-2023-54276
EUVD
EUVD-2023-60528
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a NULL pointer dereference in the Linux kernel's NFS daemon (nfsd). It occurs because the initialization of certain per-CPU reply cache statistics counters was moved to a later stage (nfsd startup) but can be accessed earlier (before nfsd starts). If an unprivileged user accesses /proc/fs/nfsd/reply_cache_stats while nfsd is not started, it can cause a kernel oops (crash) on some architectures, especially non-x86_64 ones like aarch64. The fix was to move the initialization of these counters back to an earlier stage (nfsd_init_net) to prevent this issue.


How can this vulnerability impact me? :

This vulnerability can cause a kernel crash (NULL pointer dereference) when an unprivileged user accesses the reply cache statistics file in /proc/fs/nfsd while the NFS daemon is not running. This can lead to system instability or denial of service on affected systems, particularly on non-x86_64 architectures.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if the /proc/fs/nfsd/reply_cache_stats file is accessible while the nfsd service is not started, especially on non-x86_64 architectures. An unprivileged user triggering the command `cat /proc/fs/nfsd/reply_cache_stats` when nfsd is shut down can cause a NULL pointer dereference, indicating the presence of the vulnerability.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include ensuring that the nfsd service is started before allowing access to /proc/fs/nfsd/reply_cache_stats, or restricting access to this proc file to privileged users only. Additionally, applying the patch that moves the initialization of the per-net and per-cpu reply-cache counters back into nfsd_init_net as described in the fix will resolve the issue.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart