CVE-2026-23297
Analyzed Analyzed - Analysis Complete
Memory Leak in Linux Kernel nfsd Component Due to Cred Mismanagement

Publication date: 2026-03-25

Last updated on: 2026-05-29

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: nfsd: Fix cred ref leak in nfsd_nl_threads_set_doit(). syzbot reported memory leak of struct cred. [0] nfsd_nl_threads_set_doit() passes get_current_cred() to nfsd_svc(), but put_cred() is not called after that. The cred is finally passed down to _svc_xprt_create(), which calls get_cred() with the cred for struct svc_xprt. The ownership of the refcount by get_current_cred() is not transferred to anywhere and is just leaked. nfsd_svc() is also called from write_threads(), but it does not bump file->f_cred there. nfsd_nl_threads_set_doit() is called from sendmsg() and current->cred does not go away. Let's use current_cred() in nfsd_nl_threads_set_doit(). [0]: BUG: memory leak unreferenced object 0xffff888108b89480 (size 184): comm "syz-executor", pid 5994, jiffies 4294943386 hex dump (first 32 bytes): 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc 369454a7): kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] slab_post_alloc_hook mm/slub.c:4958 [inline] slab_alloc_node mm/slub.c:5263 [inline] kmem_cache_alloc_noprof+0x412/0x580 mm/slub.c:5270 prepare_creds+0x22/0x600 kernel/cred.c:185 copy_creds+0x44/0x290 kernel/cred.c:286 copy_process+0x7a7/0x2870 kernel/fork.c:2086 kernel_clone+0xac/0x6e0 kernel/fork.c:2651 __do_sys_clone+0x7f/0xb0 kernel/fork.c:2792 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-05-29
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23297
EUVD
EUVD-2026-15231
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.19 (inc) to 6.19.7 (exc)
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.17 (exc)
linux linux_kernel From 6.10 (inc) to 6.12.77 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-401 The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a memory leak in the Linux kernel's NFS daemon (nfsd). Specifically, the function nfsd_nl_threads_set_doit() calls get_current_cred() to obtain a credential reference but fails to properly release it with put_cred(), causing the credential reference count to leak.

The leaked credential reference is passed down through various functions without transferring ownership, resulting in unreleased memory. This issue was reported by syzbot and fixed by ensuring the correct use of current_cred() in nfsd_nl_threads_set_doit().

Impact Analysis

The impact of this vulnerability is a memory leak in the Linux kernel's NFS daemon. Over time, this leak can cause increased memory usage, potentially leading to resource exhaustion on the affected system.

Resource exhaustion may degrade system performance or cause instability, especially on systems with heavy NFS usage or limited memory resources.

Detection Guidance

This vulnerability involves a memory leak of struct cred in the Linux kernel's nfsd component. Detection would typically require monitoring for memory leaks related to credential references in the kernel.

One approach is to use kernel memory leak detection tools such as kmemleak to identify unreferenced objects related to credentials.

A command to enable and check kmemleak could be:

  • echo scan > /sys/kernel/debug/kmemleak
  • cat /sys/kernel/debug/kmemleak

These commands trigger a scan for memory leaks and then display any detected leaks, which may include the leaked cred structures described in this vulnerability.

Mitigation Strategies

The vulnerability is fixed by correcting the reference counting of credentials in the nfsd_nl_threads_set_doit() function in the Linux kernel.

Immediate mitigation steps include:

  • Update your Linux kernel to a version that includes the fix for this vulnerability.
  • If updating immediately is not possible, consider limiting or disabling NFS server functionality temporarily to reduce exposure.
  • Monitor system logs and memory usage for unusual behavior that might indicate exploitation or resource exhaustion.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23297. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart