{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22989", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.937Z", "datePublished": "2026-01-23T15:24:10.523Z", "dateUpdated": "2026-05-11T21:57:50.971Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:57:50.971Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: check that server is running in unlock_filesystem\n\nIf we are trying to unlock the filesystem via an administrative\ninterface and nfsd isn't running, it crashes the server. This\nhappens currently because nfsd4_revoke_states() access state\nstructures (eg., conf_id_hashtbl) that has been freed as a part\nof the server shutdown.\n\n[ 59.465072] Call trace:\n[ 59.465308] nfsd4_revoke_states+0x1b4/0x898 [nfsd] (P)\n[ 59.465830] write_unlock_fs+0x258/0x440 [nfsd]\n[ 59.466278] nfsctl_transaction_write+0xb0/0x120 [nfsd]\n[ 59.466780] vfs_write+0x1f0/0x938\n[ 59.467088] ksys_write+0xfc/0x1f8\n[ 59.467395] __arm64_sys_write+0x74/0xb8\n[ 59.467746] invoke_syscall.constprop.0+0xdc/0x1e8\n[ 59.468177] do_el0_svc+0x154/0x1d8\n[ 59.468489] el0_svc+0x40/0xe0\n[ 59.468767] el0t_64_sync_handler+0xa0/0xe8\n[ 59.469138] el0t_64_sync+0x1ac/0x1b0\n\nEnsure this can't happen by taking the nfsd_mutex and checking that\nthe server is still up, and then holding the mutex across the call to\nnfsd4_revoke_states()."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/nfsd/nfs4state.c", "fs/nfsd/nfsctl.c", "fs/nfsd/state.h"], "versions": [{"version": "1ac3629bf012592cb0320e52a1cceb319a05ad17", "lessThan": "d95499900fe52f3d461ed26b7a30bebea8f12914", "status": "affected", "versionType": "git"}, {"version": "1ac3629bf012592cb0320e52a1cceb319a05ad17", "lessThan": "e06c9f6c0f554148d4921c2a15bd054260a054ac", "status": "affected", "versionType": "git"}, {"version": "1ac3629bf012592cb0320e52a1cceb319a05ad17", "lessThan": "d0424066fcd294977f310964bed6f2a487fa4515", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/nfsd/nfs4state.c", "fs/nfsd/nfsctl.c", "fs/nfsd/state.h"], "versions": [{"version": "6.9", "status": "affected"}, {"version": "0", "lessThan": "6.9", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.66", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.6", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.12.66"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.18.6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/d95499900fe52f3d461ed26b7a30bebea8f12914"}, {"url": "https://git.kernel.org/stable/c/e06c9f6c0f554148d4921c2a15bd054260a054ac"}, {"url": "https://git.kernel.org/stable/c/d0424066fcd294977f310964bed6f2a487fa4515"}], "title": "nfsd: check that server is running in unlock_filesystem", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "49616A55-2473-4303-ADBB-059630B30A6F", "versionEndExcluding": "6.12.66", "versionStartIncluding": "6.9", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "879529BC-5B4C-4EBE-BF1D-1A31404A8B2E", "versionEndExcluding": "6.18.6", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: check that server is running in unlock_filesystem\n\nIf we are trying to unlock the filesystem via an administrative\ninterface and nfsd isn't running, it crashes the server. This\nhappens currently because nfsd4_revoke_states() access state\nstructures (eg., conf_id_hashtbl) that has been freed as a part\nof the server shutdown.\n\n[ 59.465072] Call trace:\n[ 59.465308] nfsd4_revoke_states+0x1b4/0x898 [nfsd] (P)\n[ 59.465830] write_unlock_fs+0x258/0x440 [nfsd]\n[ 59.466278] nfsctl_transaction_write+0xb0/0x120 [nfsd]\n[ 59.466780] vfs_write+0x1f0/0x938\n[ 59.467088] ksys_write+0xfc/0x1f8\n[ 59.467395] __arm64_sys_write+0x74/0xb8\n[ 59.467746] invoke_syscall.constprop.0+0xdc/0x1e8\n[ 59.468177] do_el0_svc+0x154/0x1d8\n[ 59.468489] el0_svc+0x40/0xe0\n[ 59.468767] el0t_64_sync_handler+0xa0/0xe8\n[ 59.469138] el0t_64_sync+0x1ac/0x1b0\n\nEnsure this can't happen by taking the nfsd_mutex and checking that\nthe server is still up, and then holding the mutex across the call to\nnfsd4_revoke_states()."}], "id": "CVE-2026-22989", "lastModified": "2026-02-26T18:51:04.677", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-23T16:15:54.970", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d0424066fcd294977f310964bed6f2a487fa4515"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d95499900fe52f3d461ed26b7a30bebea8f12914"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e06c9f6c0f554148d4921c2a15bd054260a054ac"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: nfsd: check that server is running in unlock_filesystem", "id": "2432374", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2432374"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2026-22989", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Under investigation", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-01-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-22989\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-22989\nhttps://lore.kernel.org/linux-cve-announce/2026012350-CVE-2026-22989-06be@gregkh/T"], "threat_severity": "Important"}

{"analysis": {"en": {"generated_at": "2026-04-18T18:54:50.531998+00:00", "value": {"mitigation_remediation": ["Apply a Linux kernel update that includes the patch for the nfsd use\u2011after\u2011free bug.", "Restart the system to ensure the updated kernel and NFS service initialize correctly.", "As a temporary measure, refrain from running the NFS unlock command while the NFS server is stopped; confirm that the nfsd daemon is active before issuing administrative unlock operations."], "summary": {"action": "Patch", "impact": "Denial of Service (Server Crash)"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in Linux kernel releases that include the nfsd code path, specifically the 6.19\u2011rc1 through 6.19\u2011rc4 releases and any later kernel builds that did not apply the patch. All Linux distributions running these kernels are potentially affected.", "description_and_impact": "An administrative NFS filesystem unlock operation can crash the NFS daemon when the server is not running. The crash is caused by a use\u2011after\u2011free bug in the nfsd4_revoke_states() function, which accesses a state structure that has already been freed during server shutdown. The resulting kernel panic terminates the NFS service and disrupts all clients that rely on that share.", "risk_and_exploitability": "The problem carries a CVSS score of 5.5, indicating a moderate severity. The EPSS score is less than 1%, meaning exploitability is judged to be low in the broader ecosystem. The issue has not been listed in the CISA KEV catalog. Because the bug is triggered by an administrative unlock command executed while nfsd is not running, it likely requires local privileged access, limiting the attack surface. Nevertheless, a privileged attacker can induce a denial\u2011of\u2011service by repeatedly triggering the crash, potentially causing availability issues for the affected system."}}}}, "created": "2026-04-18T19:00:08.041723+00:00", "updated": "2026-04-18T19:00:08.041735+00:00", "vendors": []}