{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23297", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.993Z", "datePublished": "2026-03-25T10:26:54.156Z", "dateUpdated": "2026-03-25T10:26:54.156Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:26:54.156Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: Fix cred ref leak in nfsd_nl_threads_set_doit().\n\nsyzbot reported memory leak of struct cred. [0]\n\nnfsd_nl_threads_set_doit() passes get_current_cred() to\nnfsd_svc(), but put_cred() is not called after that.\n\nThe cred is finally passed down to _svc_xprt_create(),\nwhich calls get_cred() with the cred for struct svc_xprt.\n\nThe ownership of the refcount by get_current_cred() is not\ntransferred to anywhere and is just leaked.\n\nnfsd_svc() is also called from write_threads(), but it does\nnot bump file->f_cred there.\n\nnfsd_nl_threads_set_doit() is called from sendmsg() and\ncurrent->cred does not go away.\n\nLet's use current_cred() in nfsd_nl_threads_set_doit().\n\n[0]:\nBUG: memory leak\nunreferenced object 0xffff888108b89480 (size 184):\n comm \"syz-executor\", pid 5994, jiffies 4294943386\n hex dump (first 32 bytes):\n 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace (crc 369454a7):\n kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\n slab_post_alloc_hook mm/slub.c:4958 [inline]\n slab_alloc_node mm/slub.c:5263 [inline]\n kmem_cache_alloc_noprof+0x412/0x580 mm/slub.c:5270\n prepare_creds+0x22/0x600 kernel/cred.c:185\n copy_creds+0x44/0x290 kernel/cred.c:286\n copy_process+0x7a7/0x2870 kernel/fork.c:2086\n kernel_clone+0xac/0x6e0 kernel/fork.c:2651\n __do_sys_clone+0x7f/0xb0 kernel/fork.c:2792\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/nfsd/nfsctl.c"], "versions": [{"version": "924f4fb003ba114c60b3c07a011dcd86a8956cd1", "lessThan": "41170716421c25cd20b39e83f0e0762e212b377b", "status": "affected", "versionType": "git"}, {"version": "924f4fb003ba114c60b3c07a011dcd86a8956cd1", "lessThan": "27c13c5bb0948e3b5c64e59f8a903231896fab9b", "status": "affected", "versionType": "git"}, {"version": "924f4fb003ba114c60b3c07a011dcd86a8956cd1", "lessThan": "a3f88e3e18b51a7f654189189c762ebcdeaa7e29", "status": "affected", "versionType": "git"}, {"version": "924f4fb003ba114c60b3c07a011dcd86a8956cd1", "lessThan": "1cb968a2013ffa8112d52ebe605009ea1c6a582c", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/nfsd/nfsctl.c"], "versions": [{"version": "6.10", "status": "affected"}, {"version": "0", "lessThan": "6.10", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10", "versionEndExcluding": "7.0-rc3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/41170716421c25cd20b39e83f0e0762e212b377b"}, {"url": "https://git.kernel.org/stable/c/27c13c5bb0948e3b5c64e59f8a903231896fab9b"}, {"url": "https://git.kernel.org/stable/c/a3f88e3e18b51a7f654189189c762ebcdeaa7e29"}, {"url": "https://git.kernel.org/stable/c/1cb968a2013ffa8112d52ebe605009ea1c6a582c"}], "title": "nfsd: Fix cred ref leak in nfsd_nl_threads_set_doit().", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: Fix cred ref leak in nfsd_nl_threads_set_doit().\n\nsyzbot reported memory leak of struct cred. [0]\n\nnfsd_nl_threads_set_doit() passes get_current_cred() to\nnfsd_svc(), but put_cred() is not called after that.\n\nThe cred is finally passed down to _svc_xprt_create(),\nwhich calls get_cred() with the cred for struct svc_xprt.\n\nThe ownership of the refcount by get_current_cred() is not\ntransferred to anywhere and is just leaked.\n\nnfsd_svc() is also called from write_threads(), but it does\nnot bump file->f_cred there.\n\nnfsd_nl_threads_set_doit() is called from sendmsg() and\ncurrent->cred does not go away.\n\nLet's use current_cred() in nfsd_nl_threads_set_doit().\n\n[0]:\nBUG: memory leak\nunreferenced object 0xffff888108b89480 (size 184):\n comm \"syz-executor\", pid 5994, jiffies 4294943386\n hex dump (first 32 bytes):\n 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace (crc 369454a7):\n kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\n slab_post_alloc_hook mm/slub.c:4958 [inline]\n slab_alloc_node mm/slub.c:5263 [inline]\n kmem_cache_alloc_noprof+0x412/0x580 mm/slub.c:5270\n prepare_creds+0x22/0x600 kernel/cred.c:185\n copy_creds+0x44/0x290 kernel/cred.c:286\n copy_process+0x7a7/0x2870 kernel/fork.c:2086\n kernel_clone+0xac/0x6e0 kernel/fork.c:2651\n __do_sys_clone+0x7f/0xb0 kernel/fork.c:2792\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"}], "id": "CVE-2026-23297", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:25.167", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1cb968a2013ffa8112d52ebe605009ea1c6a582c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/27c13c5bb0948e3b5c64e59f8a903231896fab9b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/41170716421c25cd20b39e83f0e0762e212b377b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a3f88e3e18b51a7f654189189c762ebcdeaa7e29"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: nfsd: Fix cred ref leak in nfsd_nl_threads_set_doit()", "id": "2451226", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451226"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-772", "details": ["A flaw was found in the Linux kernel's nfsd component. A local user could exploit this vulnerability due to a missing `put_cred()` call in the `nfsd_nl_threads_set_doit()` function. This oversight leads to a memory leak of `struct cred` objects, which can result in a denial of service by exhausting available memory resources."], "name": "CVE-2026-23297", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23297\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23297\nhttps://lore.kernel.org/linux-cve-announce/2026032526-CVE-2026-23297-bcad@gregkh/T"], "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[924f4fb003ba114c60b3c07a011dcd86a8956cd1,41170716421c25cd20b39e83f0e0762e212b377b)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[924f4fb003ba114c60b3c07a011dcd86a8956cd1,27c13c5bb0948e3b5c64e59f8a903231896fab9b)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[924f4fb003ba114c60b3c07a011dcd86a8956cd1,a3f88e3e18b51a7f654189189c762ebcdeaa7e29)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[924f4fb003ba114c60b3c07a011dcd86a8956cd1,1cb968a2013ffa8112d52ebe605009ea1c6a582c)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.10"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.10)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.77,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0-rc3,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-03-26T03:51:42.292067+00:00", "value": {"mitigation_remediation": ["Apply the latest kernel patch that fixes the cred reference leak in nfsd_nl_threads_set_doit().", "Verify that your running kernel includes the commit from the patch, for example by checking the kernel version or reviewing dmesg for the relevant commit hash.", "If immediate kernel upgrades are not possible, consider disabling the NFS daemon or restricting it to trusted clients to reduce repeated leak exploitation.", "Monitor system memory usage for unusual growth patterns that could indicate an unpatched memory leak in the NFS subsystem."], "summary": {"action": "Apply patch", "impact": "Memory Leak"}, "threat_synthesis": {"affected_systems": "Any Linux system running a kernel version that contains the NFS daemon implementation prior to the patch applying current_cred() in nfsd_nl_threads_set_doit() is affected. The CNA has not provided explicit version ranges, so all kernels that have not incorporated this fix are potentially vulnerable.", "description_and_impact": "The vulnerability involves a memory leak of the kernel credential structure (struct cred) within the NFS daemon. During the handling of NFS operations, the function nfsd_nl_threads_set_doit() obtains a credential reference with get_current_cred() and passes it to nfsd_svc() without releasing it. The unreleased reference remains in the kernel, causing the credential object to accumulate over time and unnecessarily consume kernel memory.", "risk_and_exploitability": "With a CVSS score of 5.5 the issue is rated as moderate severity. The EPSS score is below 1%, indicating a low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves normal NFS activity such as sendmsg or write_threads that invoke nfsd_nl_threads_set_doit(), so exposure exists in environments where the NFS service is reachable from potentially untrusted clients. The memory leak could lead to incremental kernel memory consumption, but the CVE description does not explicitly state that this would result in a denial\u2011of\u2011service. The attack is local or network based depending on the NFS server exposure."}}}}, "created": "2026-03-25T21:15:33.331948+00:00", "updated": "2026-03-26T12:16:59.266220+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}