Unrated severity · NVD Advisory · Published Jan 31, 2026 · Updated Apr 15, 2026

CVE-2026-23038

Description

In the Linux kernel, the following vulnerability has been resolved:

pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node()

In nfs4_ff_alloc_deviceid_node(), if the allocation for ds_versions fails, the function jumps to the out_scratch label without freeing the already allocated dsaddrs list, leading to a memory leak.

Fix this by jumping to the out_err_drain_dsaddrs label, which properly frees the dsaddrs list before cleaning up other resources.
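The error path described above, as an added example: a userspace model written for this page, not the kernel's code. Only the labels out_scratch and out_err_drain_dsaddrs and the names dsaddrs and ds_versions come from the advisory; alloc_node_model, model_alloc, model_free, the allocation sizes and the three-entry list are assumptions. It counts the allocations a call leaves behind when the ds_versions allocation fails, for the pre-fix and post-fix jump target.

```c
#include <stdio.h>
#include <stdlib.h>
/* Userspace model (constructed for illustration, not kernel source). */
struct ds_addr { struct ds_addr *next; };
static int live;                /* allocations not yet freed */
static void *model_alloc(size_t n, int fail)
{
    void *p = fail ? NULL : malloc(n);
    live += (p != NULL);
    return p;
}

static void model_free(void *p)
{
    live -= (p != NULL);
    free(p);
}

/* Returns how many allocations the call leaked; fixed picks the jump target. */
static int alloc_node_model(int fail_versions, int fixed)
{
    struct ds_addr *dsaddrs = NULL, *da;
    int before = live;
    void *ds_versions, *scratch = model_alloc(64, 0);
    for (int i = 0; scratch && i < 3; i++) {    /* build the dsaddrs list */
        if (!(da = model_alloc(sizeof(*da), 0)))
            goto out_err_drain_dsaddrs;
        da->next = dsaddrs;
        dsaddrs = da;
    }
    ds_versions = model_alloc(32, fail_versions);
    if (!ds_versions && !fixed)
        goto out_scratch;                       /* pre-fix: drain is skipped */
    if (!ds_versions)
        goto out_err_drain_dsaddrs;             /* post-fix jump target */
    model_free(ds_versions);    /* model only: release so just leaks count */
out_err_drain_dsaddrs:
    while ((da = dsaddrs)) {
        dsaddrs = da->next;
        model_free(da);
    }
out_scratch:
    model_free(scratch);
    return live - before;
}

int main(void)
{
    printf("leaked pre-fix: %d, post-fix: %d\n", alloc_node_model(1, 0), alloc_node_model(1, 1));
}
```

In the model, every failed ds_versions allocation on the pre-fix path strands the whole dsaddrs list, which is why the leak grows with each repetition of the failure.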

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Memory leak in Linux kernel's NFS pNFS flexfiles driver when device ID allocation fails, allowing resource exhaustion.

Vulnerability

A memory leak vulnerability exists in the nfs4_ff_alloc_deviceid_node() function of the Linux kernel's pNFS flexfiles layout driver. When the function successfully allocates the dsaddrs list but subsequently fails to allocate the ds_versions array, the error handling path jumps to the out_scratch label, which frees the scratch buffer but does not free the already allocated dsaddrs list. This oversight causes the memory occupied by dsaddrs to be leaked (References [1], [2], [3], [4]).

Exploitation

The vulnerability is triggered during the processing of NFSv4.1 pNFS operations when the client receives device ID information from the server. An attacker with the ability to affect the allocation result (e.g., by exhausting memory on the client or by sending crafted responses that cause the ds_versions allocation to fail) can cause repeated invocation of the buggy code path. No authentication is required beyond the ability to mount an NFS share using the flexfiles layout, which is a standard client-server interaction.

Impact

Successful exploitation leads to a continuous memory leak on the affected NFS client. Over time, repeated triggering can exhaust the system's memory, resulting in denial-of-service conditions such as system instability, OOM (out-of-memory) killer activation, or crash.

Mitigation

The fix modifies the error handling in nfs4_ff_alloc_deviceid_node() to jump to a newly introduced out_err_drain_dsaddrs label, which properly frees the dsaddrs list before cleaning up other resources. The fix has been backported to multiple stable kernel branches (References [1], [2], [3], [4]). Users should apply the latest kernel updates from their distribution or mainline. No workaround is available other than avoiding use of the flexfiles layout.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
