CVE-2025-71090 Overview
A memory leak vulnerability has been identified in the Linux kernel's NFS daemon (nfsd) subsystem. The issue exists within the nfsd4_add_rdaccess_to_wrdeleg() function, which incorrectly handles file reference counting during delegation operations. This flaw can lead to orphaned file references, potential file access conflicts, and ultimately a kernel panic during server shutdown.
Critical Impact
This vulnerability can cause kernel panics via BUG() in kmem_cache_destroy() during server shutdown, potentially affecting system stability and availability for NFS file servers.
Affected Products
- Linux Kernel (nfsd subsystem)
- Systems utilizing NFSv4 delegations with read access
Discovery Timeline
- 2026-01-13 - CVE CVE-2025-71090 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2025-71090
Vulnerability Analysis
The vulnerability stems from improper reference counting in the Linux kernel's NFS daemon when handling read access delegations. Specifically, the nfsd4_add_rdaccess_to_wrdeleg() function unconditionally overwrites fp->fi_fds[O_RDONLY] with a newly acquired nfsd_file object without first checking if a reference already exists.
When a client has previously performed a SHARE_ACCESS_READ open operation, this creates an orphaned reference scenario. The existing pointer is overwritten without properly releasing its reference count, leading to memory resources that can never be reclaimed.
The issue is compounded by the function's design flaw where the same nfsd_file pointer is stored in both fp->fi_fds[O_RDONLY] and fp->fi_rdeleg_file while only maintaining a single reference count. During cleanup via put_deleg_file(), the fi_rdeleg_file is cleared and nfs4_file_put_access() is called. However, this function only releases fi_fds[O_RDONLY] when the fi_access[O_RDONLY] counter drops to zero. If another READ open exists on the file, the delegation's reference is never properly released.
Root Cause
The root cause is a reference counting logic error in the nfsd4_add_rdaccess_to_wrdeleg() function. The function fails to check for and properly release existing file references before assigning new ones, and incorrectly shares a single reference between two distinct pointer locations that have different lifecycle management.
Attack Vector
The attack vector involves NFS client operations that trigger specific sequences of file open and delegation requests. When a client performs a SHARE_ACCESS_READ open followed by a write delegation with read access addition, the vulnerable code path is triggered. This is primarily a stability and denial-of-service concern rather than a direct security exploitation vector.
The vulnerability manifests through normal NFS operations involving NFSv4 delegations. When these operations occur in specific sequences, the reference leak accumulates and causes the __nfsd_file_cache_purge() function to encounter files with elevated reference counts during server shutdown. This triggers a BUG() in kmem_cache_destroy() because allocated nfsd_file objects remain in the cache, resulting in a kernel panic.
Detection Methods for CVE-2025-71090
Indicators of Compromise
- Kernel log messages indicating elevated reference counts in nfsd_file cache during shutdown
- NFS file access conflicts or permission errors on delegated files
- Kernel panics with stack traces involving kmem_cache_destroy() or __nfsd_file_cache_purge()
- Memory leak warnings related to the nfsd subsystem
Detection Strategies
- Monitor kernel logs for nfsd-related warnings or errors during service restarts
- Implement kernel tracing on nfsd4_add_rdaccess_to_wrdeleg() function calls
- Track nfsd_file object allocations versus deallocations for imbalances
- Use kernel debugging tools to monitor reference counts on fi_fds structures
Monitoring Recommendations
- Enable slab cache debugging to detect object leaks in nfsd_file caches
- Configure alerting on unexpected kernel panics involving kmem_cache operations
- Monitor NFS server stability metrics and unexpected service terminations
- Implement periodic health checks on NFS delegation state
How to Mitigate CVE-2025-71090
Immediate Actions Required
- Apply the kernel patches referenced in the security commits
- Plan maintenance windows for NFS server kernel updates
- Consider temporarily disabling NFSv4 delegations if immediate patching is not possible
- Ensure proper backup and recovery procedures are in place before kernel updates
Patch Information
The Linux kernel development team has released fixes for this vulnerability. The patches are available in the kernel git repository:
- Kernel Git Commit 8072e34e1387d03102b788677d491e2bcceef6f5
- Kernel Git Commit c07dc84ed67c5a182273171639bacbbb87c12175
Organizations should update to kernel versions containing these fixes as soon as feasible.
Workarounds
- Disable NFSv4 delegations by adding appropriate kernel module parameters
- Schedule regular NFS server restarts to prevent reference accumulation
- Limit the number of concurrent NFS clients to reduce delegation activity
- Monitor and gracefully restart the nfsd service before memory issues escalate
# Disable NFSv4 delegations as a temporary workaround
# Add to /etc/modprobe.d/nfsd.conf:
options nfsd nfs4_disable_idmapping=Y
# Or use the deprecated delegation parameter if available in your kernel version
# Restart NFS services after configuration change
systemctl restart nfs-server
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
