PT-2026-27662 · Linux · Linux

Published 2026-03-25 · Updated 2026-03-25 · CVE-2026-23297

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:

nfsd: Fix cred ref leak in nfsd_nl_threads_set_doit().

syzbot reported memory leak of struct cred. [0]

nfsd_nl_threads_set_doit() passes get_current_cred() to nfsd_svc(), but put_cred() is not called after that.

The cred is finally passed down to svc_xprt_create(), which calls get_cred() with the cred for struct svc_xprt.

The ownership of the refcount by get_current_cred() is not transferred to anywhere and is just leaked.

nfsd_svc() is also called from write_threads(), but it does not bump file->f_cred there.

nfsd_nl_threads_set_doit() is called from sendmsg() and current->cred does not go away.

Let's use current_cred() in nfsd_nl_threads_set_doit().
[0]:
BUG: memory leak
unreferenced object 0xffff888108b89480 (size 184):
  comm "syz-executor", pid 5994, jiffies 4294943386
  hex dump (first 32 bytes):
    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 369454a7):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4958 [inline]
    slab_alloc_node mm/slub.c:5263 [inline]
    kmem_cache_alloc_noprof+0x412/0x580 mm/slub.c:5270
    prepare_creds+0x22/0x600 kernel/cred.c:185
    copy_creds+0x44/0x290 kernel/cred.c:286
    copy_process+0x7a7/0x2870 kernel/fork.c:2086
    kernel_clone+0xac/0x6e0 kernel/fork.c:2651
    __do_sys_clone+0x7f/0xb0 kernel/fork.c:2792
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f
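
The reference-count ownership described above, as a userspace model added here for illustration; it is not kernel code or the upstream patch. Every `*_model` name and both `threads_set_*` functions are hypothetical stand-ins for the kernel functions named in the description, and the counter stands in for the refcount on struct cred.

```c
#include <stdio.h>

struct cred_model { int usage; };               /* refcount only (assumption) */
struct xprt_model { struct cred_model *cred; }; /* stands in for struct svc_xprt */

/* Like get_cred(): take an additional reference. */
static struct cred_model *get_cred_model(struct cred_model *c) { c->usage++; return c; }
/* Like put_cred(): drop one reference. */
static void put_cred_model(struct cred_model *c) { c->usage--; }

/* Like svc_xprt_create(): the transport takes its own reference. */
static void xprt_create_model(struct xprt_model *x, struct cred_model *c)
{
    x->cred = get_cred_model(c);
}

/* Transport teardown drops only the transport's reference. */
static void xprt_destroy_model(struct xprt_model *x)
{
    put_cred_model(x->cred);
    x->cred = NULL;
}

/* Before the fix: get_current_cred()-style bump with no matching put. */
static void threads_set_leaky(struct cred_model *cur, struct xprt_model *x)
{
    struct cred_model *c = get_cred_model(cur);
    xprt_create_model(x, c);   /* callee pins the cred itself */
    /* no put_cred_model(c): the caller's reference is never dropped */
}

/* After the fix: current_cred()-style borrow, no bump in the caller. */
static void threads_set_fixed(struct cred_model *cur, struct xprt_model *x)
{
    xprt_create_model(x, cur);
}

/* References still outstanding after every transport has been destroyed. */
static int leaked_refs(void (*doit)(struct cred_model *, struct xprt_model *), int calls)
{
    struct cred_model task_cred = { .usage = 1 };  /* the task's own reference */
    for (int i = 0; i < calls; i++) {
        struct xprt_model x = { 0 };
        doit(&task_cred, &x);
        xprt_destroy_model(&x);
    }
    return task_cred.usage - 1;
}

int main(void)
{
    printf("leaky: %d\n", leaked_refs(threads_set_leaky, 3));
    printf("fixed: %d\n", leaked_refs(threads_set_fixed, 3));
    return 0;
}
```

A nonzero result means the count can never reach zero once the task drops its own reference, so the object is never freed; that is the condition kmemleak flagged for the struct cred allocated in prepare_creds().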

Related Identifiers

CVE-2026-23297

Affected Products

Linux