CVE-2026-23297: Missing Release of Resource after Effective Lifetime in Linux

Severity: 5.5 MEDIUM (no vector)
EPSS: 0.0% (top 93.78%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 25

Description

In the Linux kernel, the following vulnerability has been resolved: nfsd: Fix cred ref leak in nfsd_nl_threads_set_doit(). syzbot reported a memory leak of struct cred. [0] nfsd_nl_threads_set_doit() passes get_current_cred() to nfsd_svc(), but put_cred() is not called after that. The cred is finally passed down to _svc_xprt_create(), which calls get_cred() with the cred for struct svc_xprt. The ownership of the refcount taken by get_current_cred() is not transferred anywhere and is just leaked.
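The ownership rule in the description, as an added userspace C model (not kernel code and not the actual patch): the callee takes its own reference, so a caller that never drops the one it took leaves the count one too high. The names get_cred() and put_cred() mirror the kernel helpers but are simplified stand-ins here, and xprt_create(), xprt_destroy(), threads_set_leaky(), threads_set_fixed() and leaked_refs() are hypothetical.

```c
/* Userspace model of the refcount imbalance; simplified stand-ins only. */
#include <stdio.h>

struct cred { int usage; };              /* models the cred reference count */
struct xprt { struct cred *xpt_cred; };  /* models struct svc_xprt */

static struct cred *get_cred(struct cred *c) { c->usage++; return c; }
static void put_cred(struct cred *c) { c->usage--; }

/* The callee takes its OWN reference for the transport. It does not
 * consume the reference the caller is holding. */
static void xprt_create(struct xprt *x, struct cred *c) { x->xpt_cred = get_cred(c); }
static void xprt_destroy(struct xprt *x) { put_cred(x->xpt_cred); x->xpt_cred = NULL; }

/* Leaky caller: takes a reference, passes it down, never drops it. */
static void threads_set_leaky(struct xprt *x, struct cred *task_cred)
{
    xprt_create(x, get_cred(task_cred));
}

/* Balanced caller: drops its own reference once the callee has returned. */
static void threads_set_fixed(struct xprt *x, struct cred *task_cred)
{
    struct cred *c = get_cred(task_cred);
    xprt_create(x, c);
    put_cred(c);
}

/* References still outstanding after setup and teardown (0 = balanced). */
static int leaked_refs(void (*threads_set)(struct xprt *, struct cred *))
{
    struct cred task_cred = { .usage = 1 };  /* the task's own reference */
    struct xprt x = { 0 };

    threads_set(&x, &task_cred);
    xprt_destroy(&x);                        /* transport drops its reference */
    return task_cred.usage - 1;
}

int main(void)
{
    printf("leaky caller: %d leaked\n", leaked_refs(threads_set_leaky));
    printf("fixed caller: %d leaked\n", leaked_refs(threads_set_fixed));
    return 0;
}
```

In the model, each call through the leaky path strands one more reference, so the object can never reach a count of zero and be freed.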

Affected Packages (3 packages)

Linux  linux/linux_kernel  6.10.0  6.12.77  +2
Debian  linux/linux_kernel  < 6.19.8-1
CVEListV5  linux/linux  924f4fb003ba114c60b3c07a011dcd86a8956cd1  41170716421c25cd20b39e83f0e0762e212b377b  +4

🔴 Vulnerability Details (4)

CVEList: nfsd: Fix cred ref leak in nfsd_nl_threads_set_doit(). (2026-03-25)
GHSA: GHSA-pxcg-3rj5-5gx5: In the Linux kernel, the following vulnerability has been resolved: nfsd: Fix cred ref leak in nfsd_nl_threads_set_doit() (2026-03-25)
OSV: CVE-2026-23297: In the Linux kernel, the following vulnerability has been resolved: nfsd: Fix cred ref leak in nfsd_nl_threads_set_doit() (2026-03-25)
OSV: nfsd: Fix cred ref leak in nfsd_nl_threads_set_doit(). (2026-03-25)

📋 Vendor Advisories (2)

Red Hat: kernel: nfsd: Fix cred ref leak in nfsd_nl_threads_set_doit() (2026-03-25)
Debian: CVE-2026-23297: linux - In the Linux kernel, the following vulnerability has been resolved: nfsd: Fix c... (2026)

🕵️ Threat Intelligence (1)

Wiz: CVE-2026-23297 Impact, Exploitability, and Mitigation Steps | Wiz