{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22980", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.936Z", "datePublished": "2026-01-23T15:24:02.924Z", "dateUpdated": "2026-05-11T21:57:40.292Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:57:40.292Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: provide locking for v4_end_grace\n\nWriting to v4_end_grace can race with server shutdown and result in\nmemory being accessed after it was freed - reclaim_str_hashtbl in\nparticularly.\n\nWe cannot hold nfsd_mutex across the nfsd4_end_grace() call as that is\nheld while client_tracking_op->init() is called and that can wait for\nan upcall to nfsdcltrack which can write to v4_end_grace, resulting in a\ndeadlock.\n\nnfsd4_end_grace() is also called by the landromat work queue and this\ndoesn't require locking as server shutdown will stop the work and wait\nfor it before freeing anything that nfsd4_end_grace() might access.\n\nHowever, we must be sure that writing to v4_end_grace doesn't restart\nthe work item after shutdown has already waited for it. For this we\nadd a new flag protected with nn->client_lock. It is set only while it\nis safe to make client tracking calls, and v4_end_grace only schedules\nwork while the flag is set with the spinlock held.\n\nSo this patch adds a nfsd_net field \"client_tracking_active\" which is\nset as described. Another field \"grace_end_forced\", is set when\nv4_end_grace is written. After this is set, and providing\nclient_tracking_active is set, the laundromat is scheduled.\nThis \"grace_end_forced\" field bypasses other checks for whether the\ngrace period has finished.\n\nThis resolves a race which can result in use-after-free."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/nfsd/netns.h", "fs/nfsd/nfs4state.c", "fs/nfsd/nfsctl.c", "fs/nfsd/state.h"], "versions": [{"version": "7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6", "lessThan": "ca97360860eb02e3ae4ba42c19b439a0fcecbf06", "status": "affected", "versionType": "git"}, {"version": "7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6", "lessThan": "e8bfa2401d4c51eca6e48e9b33c798828ca9df61", "status": "affected", "versionType": "git"}, {"version": "7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6", "lessThan": "34eb22836e0cdba093baac66599d68c4cd245a9d", "status": "affected", "versionType": "git"}, {"version": "7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6", "lessThan": "06600719d0f7a723811c45e4d51f5b742f345309", "status": "affected", "versionType": "git"}, {"version": "7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6", "lessThan": "ba4811c8b433bfa681729ca42cc62b6034f223b0", "status": "affected", "versionType": "git"}, {"version": "7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6", "lessThan": "53f07d095e7e680c5e4569a55a019f2c0348cdc6", "status": "affected", "versionType": "git"}, {"version": "7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6", "lessThan": "2857bd59feb63fcf40fe4baf55401baea6b4feb4", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/nfsd/netns.h", "fs/nfsd/nfs4state.c", "fs/nfsd/nfsctl.c", "fs/nfsd/state.h"], "versions": [{"version": "3.18", "status": "affected"}, {"version": "0", "lessThan": "3.18", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.248", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.198", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.161", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.121", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.66", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.6", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.18", "versionEndExcluding": "5.10.248"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.18", "versionEndExcluding": "5.15.198"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.18", "versionEndExcluding": "6.1.161"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.18", "versionEndExcluding": "6.6.121"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.18", "versionEndExcluding": "6.12.66"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.18", "versionEndExcluding": "6.18.6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.18", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/ca97360860eb02e3ae4ba42c19b439a0fcecbf06"}, {"url": "https://git.kernel.org/stable/c/e8bfa2401d4c51eca6e48e9b33c798828ca9df61"}, {"url": "https://git.kernel.org/stable/c/34eb22836e0cdba093baac66599d68c4cd245a9d"}, {"url": "https://git.kernel.org/stable/c/06600719d0f7a723811c45e4d51f5b742f345309"}, {"url": "https://git.kernel.org/stable/c/ba4811c8b433bfa681729ca42cc62b6034f223b0"}, {"url": "https://git.kernel.org/stable/c/53f07d095e7e680c5e4569a55a019f2c0348cdc6"}, {"url": "https://git.kernel.org/stable/c/2857bd59feb63fcf40fe4baf55401baea6b4feb4"}], "title": "nfsd: provide locking for v4_end_grace", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "80713135-E43D-4026-BAD5-679983AB1EC0", "versionEndExcluding": "5.10.248", "versionStartIncluding": "3.18", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "82159CAA-B6BA-43C6-85D8-65BDBC175A7E", "versionEndExcluding": "5.15.198", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E135B7E2-61FC-4DC1-8570-ABD67894FFDE", "versionEndExcluding": "6.1.161", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "BB7A164B-7422-4A1C-82FB-5FCAEE53C06C", "versionEndExcluding": "6.6.121", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "F72B884C-B44F-40E4-9895-CE421AC663D0", "versionEndExcluding": "6.12.66", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "879529BC-5B4C-4EBE-BF1D-1A31404A8B2E", "versionEndExcluding": "6.18.6", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: provide locking for v4_end_grace\n\nWriting to v4_end_grace can race with server shutdown and result in\nmemory being accessed after it was freed - reclaim_str_hashtbl in\nparticularly.\n\nWe cannot hold nfsd_mutex across the nfsd4_end_grace() call as that is\nheld while client_tracking_op->init() is called and that can wait for\nan upcall to nfsdcltrack which can write to v4_end_grace, resulting in a\ndeadlock.\n\nnfsd4_end_grace() is also called by the landromat work queue and this\ndoesn't require locking as server shutdown will stop the work and wait\nfor it before freeing anything that nfsd4_end_grace() might access.\n\nHowever, we must be sure that writing to v4_end_grace doesn't restart\nthe work item after shutdown has already waited for it. For this we\nadd a new flag protected with nn->client_lock. It is set only while it\nis safe to make client tracking calls, and v4_end_grace only schedules\nwork while the flag is set with the spinlock held.\n\nSo this patch adds a nfsd_net field \"client_tracking_active\" which is\nset as described. Another field \"grace_end_forced\", is set when\nv4_end_grace is written. After this is set, and providing\nclient_tracking_active is set, the laundromat is scheduled.\nThis \"grace_end_forced\" field bypasses other checks for whether the\ngrace period has finished.\n\nThis resolves a race which can result in use-after-free."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnfsd: proporcionar bloqueo para v4_end_grace\n\nEscribir en v4_end_grace puede competir con el apagado del servidor y resultar en que la memoria sea accedida despu\u00e9s de haber sido liberada - reclaim_str_hashtbl en particular.\n\nNo podemos mantener nfsd_mutex durante la llamada a nfsd4_end_grace() ya que se mantiene mientras se llama a client_tracking_op->init() y eso puede esperar una llamada ascendente a nfsdcltrack que puede escribir en v4_end_grace, resultando en un interbloqueo.\n\nnfsd4_end_grace() tambi\u00e9n es llamada por la cola de trabajo 'landromat' y esto no requiere bloqueo ya que el apagado del servidor detendr\u00e1 el trabajo y esperar\u00e1 por \u00e9l antes de liberar cualquier cosa a la que nfsd4_end_grace() pudiera acceder.\n\nSin embargo, debemos asegurarnos de que escribir en v4_end_grace no reinicie el elemento de trabajo despu\u00e9s de que el apagado ya lo haya esperado. Para esto a\u00f1adimos una nueva bandera protegida con nn->client_lock. Se establece solo mientras es seguro realizar llamadas de seguimiento de cliente, y v4_end_grace solo programa trabajo mientras la bandera est\u00e1 establecida con el spinlock mantenido.\n\nAs\u00ed, este parche a\u00f1ade un campo nfsd_net 'client_tracking_active' que se establece como se describe. Otro campo 'grace_end_forced', se establece cuando se escribe en v4_end_grace. Despu\u00e9s de que esto se establece, y siempre que client_tracking_active est\u00e9 establecido, el 'laundromat' es programado. Este campo 'grace_end_forced' omite otras comprobaciones para determinar si el per\u00edodo de gracia ha terminado.\n\nEsto resuelve una condici\u00f3n de carrera que puede resultar en uso despu\u00e9s de liberaci\u00f3n."}], "id": "CVE-2026-22980", "lastModified": "2026-04-27T14:16:27.483", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-23T16:15:54.003", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/06600719d0f7a723811c45e4d51f5b742f345309"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2857bd59feb63fcf40fe4baf55401baea6b4feb4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/34eb22836e0cdba093baac66599d68c4cd245a9d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/53f07d095e7e680c5e4569a55a019f2c0348cdc6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ba4811c8b433bfa681729ca42cc62b6034f223b0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ca97360860eb02e3ae4ba42c19b439a0fcecbf06"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e8bfa2401d4c51eca6e48e9b33c798828ca9df61"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: nfsd: provide locking for v4_end_grace", "id": "2432385", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2432385"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2026-22980", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Under investigation", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-01-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-22980\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-22980\nhttps://lore.kernel.org/linux-cve-announce/2026012347-CVE-2026-22980-6031@gregkh/T"], "threat_severity": "Important"}

{"analysis": {"en": {"generated_at": "2026-04-18T18:55:38.884474+00:00", "value": {"mitigation_remediation": ["Deploy a kernel patch that implements the locking fix described in the changelog.", "If a patch is not immediately available, disable the NFSv4 server or stop all NFS exports until the kernel can be upgraded.", "Restrict NFS service access to trusted users only and limit the ability to initiate server shutdown, reducing the chance that the race condition can be exercised."], "summary": {"action": "Apply Patch", "impact": "Use-After-Free"}, "threat_synthesis": {"affected_systems": "The flaw affects the Linux operating system kernel, particularly the 6.19 release candidate series (rc1 through rc4) and all other kernel versions that include the NFS server component. Any system running an unpatched kernel and exposing an NFSv4 server is potentially exposed.", "description_and_impact": "The Linux kernel contains a race condition in the NFS server shutdown routine. During shutdown, the v4_end_grace flag can be written while the server is terminating, causing code to access memory that has already been freed. This results in a use\u2011after\u2011free flaw that can produce a crash or other memory\u2011corruption symptoms. The vulnerability is identified as CWE\u2011416.", "risk_and_exploitability": "The CVSS score of 7.8 indicates high severity. The EPSS score of less than 1% suggests a very low probability of exploitation at the time of analysis. The vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation would require a way to trigger the NFS server shutdown while the race condition can occur, implying that a privileged or local attacker might be able to exercise the flaw."}}}}, "created": "2026-04-18T19:00:08.042574+00:00", "updated": "2026-04-18T19:00:08.042585+00:00", "vendors": []}