CVE-2026-43394 Overview
CVE-2026-43394 is a credential reference count leak in the Linux kernel's NFS server (nfsd) subsystem. The flaw resides in nfsd_nl_listener_set_doit(), which calls get_current_cred() without a matching put_cred(). Each invocation increments the credential structure's reference count without ever releasing it, producing a slow resource leak in the kernel's credential tracking.
The upstream Linux kernel maintainers have resolved the issue by replacing get_current_cred() with current_cred(), since svc_xprt_create_from_sa() does not require the extra reference and current->cred remains valid in the process context of sendmsg().
Critical Impact
Repeated calls to the netlink listener configuration handler leak credential references, potentially exhausting kernel memory or triggering reference counter wraparound conditions over extended periods.
Affected Products
- Linux kernel versions containing the nfsd_nl_listener_set_doit() netlink handler
- Distributions shipping the affected nfsd netlink interface
- Systems exposing NFS server configuration via netlink to privileged user space
Discovery Timeline
- 2026-05-08 - CVE-2026-43394 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-43394
Vulnerability Analysis
The Linux kernel uses reference counting on struct cred to track credential lifetime across asynchronous and synchronous code paths. The function get_current_cred() returns the current task's credentials and increments the reference count, requiring a corresponding put_cred() to release it.
In nfsd_nl_listener_set_doit(), the kernel obtains the caller's credentials before invoking svc_xprt_create_from_sa() to create an NFS service transport. However, the function never releases the acquired reference. Each netlink call to configure an nfsd listener therefore leaks one credential reference.
The fix substitutes current_cred(), a non-refcounting accessor that is safe to use in process context. Because nfsd_nl_listener_set_doit() always runs in the context of a sendmsg() system call from user space, current->cred cannot disappear during the call, making the additional reference unnecessary.
Root Cause
The root cause is an imbalance between credential acquisition and release. The caller invoked the refcounting variant get_current_cred() when the non-refcounting accessor current_cred() was sufficient, and never paired the acquisition with put_cred(). This is a classic memory leak pattern [CWE-401] applied to kernel credential structures.
Attack Vector
Triggering the leak requires the ability to send netlink messages to the nfsd family, which is generally restricted to privileged user space. A local privileged user, or a compromised process with CAP_NET_ADMIN and CAP_SYS_ADMIN, could repeatedly invoke the nfsd listener set operation to accumulate leaked credential references. The vulnerability is not remotely reachable and does not directly grant code execution.
The technical details and patch commits are available in Linux kernel commits 019debe5, 02e87ec0, 92978c83, and cba41376.
Detection Methods for CVE-2026-43394
Indicators of Compromise
- Steadily growing kernel cred_jar slab cache usage in /proc/slabinfo without a corresponding rise in active tasks.
- Repeated netlink messages to the nfsd generic netlink family invoking the listener set operation from a single process.
- Unexplained kernel memory growth on systems running NFS server workloads with frequent listener reconfiguration.
Detection Strategies
- Monitor slabtop output for abnormal growth in the cred_jar slab over time on NFS server hosts.
- Audit netlink traffic using auditd rules targeting the nfsd netlink family to identify processes performing listener configuration operations.
- Compare running kernel versions against distribution advisories listing the fix commits for CVE-2026-43394.
Monitoring Recommendations
- Collect kernel slab cache metrics and alert on sustained cred_jar growth that does not correlate with task creation.
- Log invocations of nfsd configuration syscalls to identify processes triggering repeated listener changes.
- Track kernel package versions across the fleet and flag hosts running unpatched nfsd code paths.
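As an added example (not part of this advisory and not kernel project code), the following Python script implements the slab-based detection described in the indicators and monitoring items above: it parses /proc/slabinfo snapshots, tracks cred_jar active objects against task_struct active objects as a proxy for the number of live tasks, and flags monotonic cred_jar growth that task creation cannot plausibly account for. The sample snapshots, the window size, the per-task allowance and the absolute threshold are constructed assumptions for illustration and should be tuned to each host's measured baseline.

```python
"""Slab-based leak detection for the cred_jar pattern described for CVE-2026-43394.
Added example: not the advisory's or the kernel project's code. Thresholds and
sample data are constructed assumptions."""
import time
from collections import namedtuple

CRED_SLAB = "cred_jar"      # struct cred objects
TASK_SLAB = "task_struct"   # one object per live task: proxy for task count

SlabEntry = namedtuple("SlabEntry", "active_objs num_objs objsize")
Sample = namedtuple("Sample", "t cred_active tasks")

SLABINFO_HEADER = (
    "slabinfo - version: 2.1\n"
    "# name            <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab>"
    " : tunables <limit> <batchcount> <sharedfactor>"
    " : slabdata <active_slabs> <num_slabs> <sharedavail>\n"
)


def parse_slabinfo(text):
    """Parse /proc/slabinfo (version 2.1 layout) into {name: SlabEntry}."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("slabinfo", "#")):
            continue
        fields = line.split()
        # Columns: name active_objs num_objs objsize objperslab pagesperslab ...
        entries[fields[0]] = SlabEntry(int(fields[1]), int(fields[2]), int(fields[3]))
    return entries


def sample_from_slabinfo(t, text):
    """Reduce one slabinfo snapshot to the two counters the detector needs."""
    entries = parse_slabinfo(text)
    return Sample(t, entries[CRED_SLAB].active_objs, entries[TASK_SLAB].active_objs)


def snapshot_live():
    """Read the real /proc/slabinfo (readable only by root on most kernels)."""
    with open("/proc/slabinfo") as f:
        return sample_from_slabinfo(time.time(), f.read())


def leak_suspected(samples, window=3, creds_per_task=4, abs_threshold=200):
    """Flag a cred_jar leak when, over `window` consecutive samples, the active
    object count rises at every step and the total rise exceeds what new tasks
    could plausibly account for (creds_per_task each) plus an absolute margin.
    Returns (True, detail) for the first offending window, else (False, {})."""
    for i in range(len(samples) - window + 1):
        win = samples[i:i + window]
        if not all(b.cred_active > a.cred_active for a, b in zip(win, win[1:])):
            continue   # a drop or plateau means creds were freed; not the leak pattern
        cred_growth = win[-1].cred_active - win[0].cred_active
        task_growth = max(0, win[-1].tasks - win[0].tasks)
        unexplained = cred_growth - task_growth * creds_per_task
        if unexplained > abs_threshold:
            return True, {"from_t": win[0].t, "to_t": win[-1].t,
                          "cred_growth": cred_growth, "task_growth": task_growth,
                          "unexplained": unexplained}
    return False, {}


# --- Constructed sample data (not captured from a real host) -----------------

def constructed_slabinfo(cred_active, task_active):
    """Build a slabinfo excerpt with the given counts; objsize and objperslab
    values are typical x86-64 figures chosen for realism, not measurements."""
    cred_num = -(-cred_active // 21) * 21    # round up to whole slabs of 21
    task_num = -(-task_active // 3) * 3
    rows = [(CRED_SLAB, cred_active, cred_num, 192, 21, 1),
            (TASK_SLAB, task_active, task_num, 10496, 3, 8)]
    body = "".join(
        f"{n:<18}{a:>7}{m:>7}{s:>7}{ops:>5}{pps:>5} : tunables 0 0 0"
        f" : slabdata {m // ops:>6}{m // ops:>6}{0:>6}\n"
        for n, a, m, s, ops, pps in rows)
    return SLABINFO_HEADER + body


# (t seconds, cred_jar active objects, task_struct active objects)
LEAKING_SERIES = [(0, 2890, 430), (60, 3310, 430), (120, 3720, 431), (180, 4150, 430)]
BENIGN_SERIES = [(0, 2890, 430), (60, 3090, 480), (120, 3290, 530), (180, 3490, 580)]


def samples_from_series(series):
    return [sample_from_slabinfo(t, constructed_slabinfo(c, k)) for t, c, k in series]


if __name__ == "__main__":
    for name, series in (("leaking", LEAKING_SERIES), ("benign", BENIGN_SERIES)):
        print(name, leak_suspected(samples_from_series(series)))
```

In production the constructed series would be replaced by periodic calls to snapshot_live() (for instance every minute from a collector running as root), and the detail dictionary returned on a hit is what to attach to the alert so that an analyst can correlate the window with the netlink audit records mentioned above.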
How to Mitigate CVE-2026-43394
Immediate Actions Required
- Apply the upstream kernel patches referenced in the stable tree commits and reboot affected NFS server hosts.
- Restrict CAP_SYS_ADMIN and CAP_NET_ADMIN to trusted administrators on systems running nfsd.
- Inventory all hosts exporting NFS shares to confirm patch coverage across the environment.
Patch Information
The Linux kernel maintainers have merged fixes that replace get_current_cred() with current_cred() in nfsd_nl_listener_set_doit(). The change is present in the stable kernel commits 019debe5851d, 02e87ec0bc70, 92978c83bb4e, and cba413765376. Apply the kernel update provided by your Linux distribution that incorporates these commits.
Workarounds
- Disable or unload the nfsd kernel module on systems that do not require NFS server functionality.
- Restrict access to the nfsd netlink family through Linux Security Modules such as SELinux or AppArmor policies.
- Limit the set of users and services permitted to reconfigure NFS listeners until the patched kernel is deployed.
# Record the running kernel version and compare it with your distribution's advisory for CVE-2026-43394
uname -r
# On Debian/Ubuntu systems, update to a patched kernel package
sudo apt update && sudo apt upgrade linux-image-$(uname -r | cut -d- -f3-)
# On RHEL/Fedora systems
sudo dnf update kernel
# Reboot to load the patched kernel
sudo systemctl reboot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.