{
  "threat_severity" : "Low",
  "public_date" : "2026-03-25T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: nfsd: Fix cred ref leak in nfsd_nl_threads_set_doit()",
    "id" : "2451226",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2451226"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-772",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnfsd: Fix cred ref leak in nfsd_nl_threads_set_doit().\nsyzbot reported memory leak of struct cred. [0]\nnfsd_nl_threads_set_doit() passes get_current_cred() to\nnfsd_svc(), but put_cred() is not called after that.\nThe cred is finally passed down to _svc_xprt_create(),\nwhich calls get_cred() with the cred for struct svc_xprt.\nThe ownership of the refcount by get_current_cred() is not\ntransferred anywhere and is just leaked.\nnfsd_svc() is also called from write_threads(), but it does\nnot bump file->f_cred there.\nnfsd_nl_threads_set_doit() is called from sendmsg() and\ncurrent->cred does not go away.\nLet's use current_cred() in nfsd_nl_threads_set_doit().\n[0]:\nBUG: memory leak\nunreferenced object 0xffff888108b89480 (size 184):\ncomm \"syz-executor\", pid 5994, jiffies 4294943386\nhex dump (first 32 bytes):\n01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\nbacktrace (crc 369454a7):\nkmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\nslab_post_alloc_hook mm/slub.c:4958 [inline]\nslab_alloc_node mm/slub.c:5263 [inline]\nkmem_cache_alloc_noprof+0x412/0x580 mm/slub.c:5270\nprepare_creds+0x22/0x600 kernel/cred.c:185\ncopy_creds+0x44/0x290 kernel/cred.c:286\ncopy_process+0x7a7/0x2870 kernel/fork.c:2086\nkernel_clone+0xac/0x6e0 kernel/fork.c:2651\n__do_sys_clone+0x7f/0xb0 kernel/fork.c:2792\ndo_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\ndo_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94\nentry_SYSCALL_64_after_hwframe+0x77/0x7f", "A flaw was found in the Linux kernel's nfsd component. The `nfsd_nl_threads_set_doit()` function is missing a `put_cred()` call, which a local user could exploit to leak `struct cred` objects. The resulting memory leak can lead to a denial of service by exhausting available memory resources." ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23297\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23297\nhttps://lore.kernel.org/linux-cve-announce/2026032526-CVE-2026-23297-bcad@gregkh/T" ],
  "name" : "CVE-2026-23297",
  "csaw" : false
}