SB2026052895 - Improper control of a resource through its lifetime in Linux kernel nfsd



SB2026052895 - Improper control of a resource through its lifetime in Linux kernel nfsd

Published: May 28, 2026

Security Bulletin ID SB2026052895
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 vulnerability.


1) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-45983)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to improper state management in nfs4 compound request handling when processing v4 request compound arguments that trigger idmap lookup upcalls. A remote user can send a crafted NFSv4 request to cause a denial of service.

When idmap lookup upcall responses are delayed beyond the allowed time limit, the request can be dropped before the compound response is encoded, leaving the session slot marked as in use and causing subsequent client requests to fail with NFSERR_JUKEBOX.


Remediation

Install update from vendor's website.