Improper control of a resource through its lifetime in Linux kernel - CVE-2026-45983

 


Published: May 28, 2026


Vulnerability identifier: #VU132508
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-45983
CWE-ID: CWE-664
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel

Detailed vulnerability description

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to improper state management in NFSv4 compound request handling when the server processes compound arguments that trigger idmap lookup upcalls. A remote user can send a crafted NFSv4 request to cause a denial of service.

When idmap lookup upcall responses are delayed beyond the allowed time limit, the request can be dropped before the compound response is encoded, leaving the session slot marked as in use and causing subsequent client requests to fail with NFSERR_JUKEBOX.
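The slot lifetime problem described above can be reproduced in a small user-space model. This is an added example, not kernel code and not the vendor's patch; every name in it (`handle_compound`, `release_on_drop`, the millisecond values) is hypothetical, and the "balanced" drop path is an assumption about how the lifetime can be kept consistent, not a description of the upstream fix.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model, not kernel code: one session slot and the status
 * a client sees. All names here are hypothetical. */
enum status { ST_OK, ST_DROPPED, ST_JUKEBOX };

struct slot { bool in_use; };

/* Handle one compound on `s`.
 * upcall_ms / limit_ms: constructed idmap upcall latency and time limit.
 * release_on_drop: false models the flaw described above; true models a
 * drop path that releases the slot (an assumption, not the upstream fix). */
enum status handle_compound(struct slot *s, int upcall_ms, int limit_ms,
                            bool release_on_drop)
{
    if (s->in_use)
        return ST_JUKEBOX;      /* slot still busy: client gets NFSERR_JUKEBOX */
    s->in_use = true;           /* slot claimed when the request starts */

    if (upcall_ms > limit_ms) { /* idmap upcall reply arrived too late */
        if (release_on_drop)
            s->in_use = false;
        return ST_DROPPED;      /* dropped before the response is encoded */
    }

    s->in_use = false;          /* normal path: response encoded, slot freed */
    return ST_OK;
}

/* One delayed request followed by `n` normal ones; count JUKEBOX replies. */
int jukebox_after_delay(bool release_on_drop, int n)
{
    struct slot s = { false };
    int count = 0;
    handle_compound(&s, 500, 100, release_on_drop);   /* constructed delay */
    for (int i = 0; i < n; i++)
        if (handle_compound(&s, 10, 100, release_on_drop) == ST_JUKEBOX)
            count++;
    return count;
}

int main(void)
{
    printf("leaky drop path:    %d of 5 follow-ups fail\n", jukebox_after_delay(false, 5));
    printf("balanced drop path: %d of 5 follow-ups fail\n", jukebox_after_delay(true, 5));
    return 0;
}
```

In the model, a single dropped request is enough to make every later request on that slot fail, which matches the persistent NFSERR_JUKEBOX symptom clients would report.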


How to mitigate CVE-2026-45983

Install the security update from the vendor's repository.
