Yang Erkun

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.12.0-rc6+ **Description** A memory leak vulnerability has been resolved in the Linux kernel. The issue occurs when concurrent nfsd4 open requests are made, causing the nfsd to lose track of nfs4 openowner, leading to a memory leak. This situation can happen when two rpc task attempt to open the same file simultaneously from the client to the server, and two instances of nfsd run concurrently. Additionally, when echoing 0 to /proc/fs/nfsd/threads, a warning will be triggered. **Recommendations** For Linux kernel versions prior to 6.12.0-rc6+, update to a newer version that contains the fix for this issue. As a temporary workaround, consider restricting access to the vulnerable nfsd module to minimize the risk of exploitation. Avoid using the `nfsd4 open` function in the affected API endpoint until the issue is resolved. Restrict the use of the `umount -f` command to prevent the memory leak.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.12.0-rc3+ **Description** A vulnerability in the Linux kernel has been resolved, related to the SUNRPC module. The function `c show` was called with protection from RCU, which only ensures that `cp` will not be freed. However, the reference count for `cp` can drop to zero, triggering a refcount use-after-free warning when `cache get` is called. To resolve this issue, `cache get rcu` is used to ensure that `cp` remains active. This vulnerability can cause a use-after-free warning, as seen in the call trace. **Recommendations** To resolve this issue, update to a version of the Linux kernel that includes the fix, which ensures that `cp` remains active by using `cache get rcu`. As a temporary workaround, consider disabling the `c show` function until a patch is available. Restrict access to the SUNRPC module to minimize the risk of exploitation. Avoid using the `cache get` function in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.12.0-rc3+ **Description** A vulnerability has been resolved in the Linux kernel. The issue arises from the function `e show` being called with protection from RCU, which only ensures that `exp` will not be freed. However, the reference count for `exp` can drop to zero, triggering a refcount use-after-free warning when `exp get` is called. To resolve this issue, `cache get rcu` is used to ensure that `exp` remains active. The vulnerability is related to the `nfsd` module and the `svc export show` function. Technical details include the `e show` function and the `exp` variable, as well as the `cache get rcu` function used to resolve the issue. **Recommendations** To resolve this issue, update the Linux kernel to a version that includes the fix, which ensures that `exp` remains active by using `cache get rcu`. As a temporary workaround, consider restricting access to the vulnerable `nfsd` module until a patch is available. Avoid using the `e show` function in the affected `nfsd` module until the issue is resolved. At the moment, there is no information about additional mitigation measures.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A use-after-free problem in the asynchronous open() function of NFSv4.0 has been resolved. This issue occurs when two threads are opening files at the same time and are forced to abort before a reply is seen, resulting in a use-after-free of the pointer to the defunct rpc task of the other thread. The fix ensures that if the RPC call is aborted before the call to `nfs wait on sequence()` is complete, then `nfs release seqid()` is called in `nfs4 open release()` before the `rpc task` is freed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.