CVE-2022-50861

What the vulnerability is

In the Linux kernel, the NFSv2 GETACL result encoder was not fully converted to the xdr_stream interface, leaving a remnant that set the page_len of the send buffer [1][2]. The XDR stream encoders are supposed to handle this automatically, but this oversight resulted in garbage data being appended past the end of the NFS Reply message [1][2].

How it's exploited

An NFS client issuing a GETACL request to an NFSD server running an affected kernel would receive a Reply that contains the intended ACL data followed by extra bytes of stale kernel heap memory [1][2]. No authentication or special network position is required beyond the ability to send NFSv2 GETACL requests and receive the corresponding responses.

Impact

This flaw leaks stale memory contents onto the network wire. While many clients may ignore the trailing garbage, an adversary positioned between the server and client (or able to capture the network traffic) could retrieve fragments of kernel memory, potentially exposing sensitive information such as encryption keys, file data, or other privileged kernel state [1][2].

Mitigation

The fix was committed to the Linux kernel stable tree, converting the encoder completely to xdr_stream and removing the stale page_len assignment [1][2]. System administrators should apply the corresponding kernel update to stop the memory leak. No workaround is available; upgrading the kernel is the only mitigation.