VYPR
Unrated severity · NVD Advisory · Published Nov 24, 2025 · Updated Apr 15, 2026

CVE-2025-40212

Description

In the Linux kernel, the following vulnerability has been resolved:

nfsd: fix refcount leak in nfsd_set_fh_dentry()

nfsd exports a "pseudo root filesystem" which is used by NFSv4 to find the various exported filesystems using LOOKUP requests from a known root filehandle. NFSv3 uses the MOUNT protocol to find those exported filesystems and so is not given access to the pseudo root filesystem.

If a v3 (or v2) client uses a filehandle from that filesystem, nfsd_set_fh_dentry() will report an error, but still stores the export in "struct svc_fh" even though it also drops the reference (exp_put()). This means that when fh_put() is called, an extra reference will be dropped, which can lead to use-after-free and possible denial of service.

Normal NFS usage will not provide a pseudo-root filehandle to a v3 client. This bug can only be triggered by the client synthesising an incorrect filehandle.

To fix this we move the assignments to the svc_fh later, after all possible error cases have been detected.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel, a refcount leak in nfsd_set_fh_dentry() causes a use-after-free when NFSv2/v3 clients send crafted filehandles from the pseudo root filesystem, leading to a denial of service.

Vulnerability Analysis

The Linux kernel's NFS server (nfsd) exposes a "pseudo root filesystem" for NFSv4 clients to locate exported filesystems via LOOKUP requests. NFSv2 and v3 clients are not supposed to use this pseudo root, as they rely on the MOUNT protocol. However, in nfsd_set_fh_dentry(), if an NFSv2/v3 client supplies a filehandle referencing the pseudo root filesystem, the function returns an error but still stores the export reference in struct svc_fh before dropping it with exp_put(). This mismanagement of reference counts leads to an extra exp_put() call when fh_put() is later invoked, causing a use-after-free condition [1][2][3].

Exploitation Scenario

Normal NFS operation does not involve NFSv2/v3 clients using pseudo root filehandles; the bug is triggered only when a client intentionally or accidentally crafts an incorrect filehandle that points to the pseudo root filesystem. The attacker must be able to send NFS requests to the server, which typically requires network access. No authentication is necessary because the vulnerability occurs during filehandle processing, before access control checks are fully applied.

Impact

A successful exploit can result in a use-after-free on the export structure, potentially leading to kernel memory corruption. The primary impact is a denial of service (system crash or hang), though under precise conditions further compromise might be possible.

Mitigation

The fix moves the assignment of export and dentry pointers to struct svc_fh to after all error checks, preventing the reference leak. Patched versions are available in the stable kernel branches indicated in the commit references [1][2][3]. Administrators should apply the kernel update promptly.
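The ordering problem described in the commit message and in the analysis above, as an added C model that is not kernel code: the names mirror nfsd's (exp_put, fh_put, svc_fh), but the bodies are stand-ins, a `freed` flag replaces real deallocation so the extra put is observable rather than undefined behaviour, and `set_fh_dentry` takes a constructed `fixed` switch to contrast the two assignment orders.

```c
/* Toy model of the refcount pattern behind CVE-2025-40212 (added example,
 * not kernel code): names mirror nfsd's, bodies are stand-ins, nothing is
 * really freed, so the extra put is observable instead of undefined. */
struct svc_export { int refcount, freed, is_pseudo_root; };
struct svc_fh { struct svc_export *fh_export; };  /* export held, or NULL */
static void exp_get(struct svc_export *e) { e->refcount++; }

/* Returns 1 on a put of an already released export (the real kernel's
 * use-after-free); otherwise drops one reference. */
static int exp_put(struct svc_export *e)
{
    if (e->freed) return 1;
    if (--e->refcount == 0) e->freed = 1;
    return 0;
}

/* nfsd_set_fh_dentry() stand-in. fixed == 0: the export is stored in the
 * handle before the v2/v3 pseudo-root check, so the error path drops the
 * reference but leaves fh_export pointing at it. fixed == 1: the
 * assignment happens only after all error cases, as the commit describes. */
static int set_fh_dentry(struct svc_fh *fhp, struct svc_export *e, int vers, int fixed)
{
    exp_get(e);
    if (!fixed) fhp->fh_export = e;
    if (vers < 4 && e->is_pseudo_root) {
        exp_put(e);                   /* error: v2/v3 client, pseudo root */
        return -1;
    }
    if (fixed) fhp->fh_export = e;
    return 0;
}

/* fh_put() releases whatever the handle still references. */
static int fh_put(struct svc_fh *fhp)
{
    int bad = fhp->fh_export ? exp_put(fhp->fh_export) : 0;
    fhp->fh_export = 0;
    return bad;
}

/* One NFSv3 request carrying a pseudo-root handle (constructed scenario).
 * Returns 1 if any put touched an already released export. */
static int run_request(int fixed)
{
    struct svc_export e = { 1, 0, 1 };  /* export cache holds one ref */
    struct svc_fh fh = { 0 };
    set_fh_dentry(&fh, &e, 3, fixed);
    int bad = fh_put(&fh);
    return bad | exp_put(&e);           /* cache drops its own ref */
}
```

With the buggy order the export cache's own final exp_put() lands on an export that fh_put() already released; with the fixed order every reference is dropped exactly once.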

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Linux/Kernel (inferred), 2 versions
