CVE-2026-53026
Received Received - Intake
Memory Corruption in Linux Kernel NFS Server

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: NFSD: fix nfs4_file access extra count in nfsd4_add_rdaccess_to_wrdeleg In nfsd4_add_rdaccess_to_wrdeleg, if fp->fi_fds[O_RDONLY] is already set by another thread, __nfs4_file_get_access should not be called to increment the nfs4_file access count since that was already done by the thread that added READ access to the file. The extra fi_access count in nfs4_file can prevent the corresponding nfsd_file from being freed. When stopping nfs-server service, these extra access counts trigger a BUG in kmem_cache_destroy() that shows nfsd_file object remaining on __kmem_cache_shutdown. This problem can be reproduced by running the Git project's test suite over NFS.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-06-25
AI Q&A
2026-06-24
EPSS Evaluated
N/A
NVD
CVE-2026-53026
EUVD
EUVD-2026-38894
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's NFS server (NFSD) code, specifically in the function nfsd4_add_rdaccess_to_wrdeleg. The issue arises when a file's read access count is incremented more than once by different threads due to improper handling of access counts.

If the file pointer's read-only descriptor is already set by another thread, the function __nfs4_file_get_access should not increment the access count again. However, in this vulnerability, it does, causing an extra access count to be added.

This extra access count prevents the corresponding nfsd_file object from being freed properly. When the NFS server service is stopped, these extra counts cause a BUG in the kernel memory cache destruction process (kmem_cache_destroy), leaving nfsd_file objects lingering during shutdown.

The problem can be reproduced by running the Git project's test suite over NFS.

Impact Analysis

This vulnerability can cause resource leaks in the Linux kernel's NFS server by preventing certain nfsd_file objects from being freed properly.

When stopping the NFS server service, the extra access counts trigger a kernel BUG during memory cache destruction, which could lead to system instability or crashes.

Such instability may affect the availability and reliability of NFS services on affected systems.

Detection Guidance

This vulnerability relates to an extra access count in nfs4_file within the Linux kernel's NFS server implementation, which can cause a BUG in kmem_cache_destroy() when stopping the nfs-server service.

Detection can involve monitoring for BUG messages related to kmem_cache_destroy() and nfsd_file objects during the shutdown of the nfs-server service.

Additionally, reproducing the issue can be done by running the Git project's test suite over NFS, which triggers the problem.

However, no specific commands or network detection methods are provided in the available information.

Mitigation Strategies

The vulnerability has been resolved in the Linux kernel by fixing the nfsd4_add_rdaccess_to_wrdeleg function to prevent extra access counts.

Immediate mitigation steps include updating the Linux kernel to a version that contains this fix.

Until the update is applied, carefully managing the nfs-server service and monitoring for BUG messages during shutdown may help identify issues.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53026. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart