CVE-2026-53244
Received Received - Intake
VFS dentry reference leak in Linux kernel

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: VFS: fix possible failure to unlock in nfsd4_create_file() atomic_create() in fs/namei.c drops the reference to the dentry when it returns an error. This behaviour was imported into dentry_create() so that it will drop the reference if an error is returned from atomic_create(), though not if vfs_create() returns an error (in the case where ->atomic_create is not supported). The caller - nfsd4_create_file() - is made aware of this by checking path->dentry, which will either be a counted reference to a dentry, or an error pointer. However the change to use start_creating()/end_creating() (which landed shortly before the dentry_create() change landed, though was likely developed around the same time) means that nfsd4_create_file() *needs* a valid dentry so that it can unlock the parent. The net result is that if NFSD exports a filesystem which uses ->atomic_create, and if a call to ->atomic_create returns an error, then nfsd4_create_file() will pass an error pointer to end_creating() and the parent will not be unlocked. Fix this by changing dentry_create() to make sure path->dentry is always a valid dentry, never an error-pointer. The actual error is already returned a different way. Note that if ->atomic_create() returns a different dentry (which may not be possible in practice) we are guaranteed (because it is only ever provided by d_spliace_alias()) that it will have the same d_parent and so it will have the same effect when passed to end_creating().
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-25
Last Modified
2026-06-25
Generated
2026-06-25
AI Q&A
2026-06-25
EPSS Evaluated
N/A
NVD
CVE-2026-53244
EUVD
EUVD-2026-39195
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
linux_kernel linux_kernel *
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's NFS server code, specifically in the function nfsd4_create_file(). It involves improper handling of error conditions when creating files using the atomic_create() method.

When atomic_create() returns an error, it drops the reference to a directory entry (dentry). The nfsd4_create_file() function expects a valid dentry to unlock the parent directory properly. However, due to changes involving start_creating() and end_creating(), if atomic_create() returns an error, nfsd4_create_file() may receive an error pointer instead of a valid dentry, causing the parent directory to remain locked.

This can lead to a failure to unlock the parent directory, potentially causing resource locking issues in the filesystem.

Impact Analysis

The vulnerability can cause the parent directory in an NFS-exported filesystem to remain locked if an error occurs during file creation. This failure to unlock can lead to resource locking problems, which might affect filesystem stability or availability.

In practical terms, this could result in delays, hangs, or failures in file operations over NFS, potentially impacting system performance or causing denial of service conditions in environments relying on NFS.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53244. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart