PatchSiren

CVE-2026-43394 Linux CVE debrief

A credential reference leak in the Linux kernel's NFS server (nfsd) netlink listener configuration allows local attackers to cause denial of service through memory exhaustion. The vulnerability exists in nfsd_nl_listener_set_doit(), which used get_current_cred() without a corresponding put_cred(), causing the credential structure to leak on each invocation. The fix replaces get_current_cred() with current_cred(), since svc_xprt_create_from_sa() does not require the extra reference count and the function always executes in process context, where current->cred remains valid.

Vendor: Linux
Product: Unknown
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-26
Advisory published: 2026-05-08
Advisory updated: 2026-05-26

Who should care

Linux system administrators operating NFS servers; security teams managing kernel attack surface; organizations with strict memory resource constraints on file server infrastructure

Technical summary

The nfsd_nl_listener_set_doit() function in the Linux kernel's NFS server implementation incorrectly used get_current_cred() to obtain the current task's credentials without releasing the reference via put_cred(). This caused a credential structure leak on each netlink listener configuration operation. Since the function executes only in process context during sendmsg() handling, current->cred does not require reference counting protection. The fix substitutes current_cred(), which returns the credential pointer without incrementing the reference count. Affected versions span 6.10 through 6.12.77, 6.13 through 6.18.18, 6.19 through 6.19.8, and 7.0-rc1/rc2. Exploitation requires local privileges to invoke the netlink interface, with impact limited to availability degradation through memory exhaustion rather than confidentiality or integrity compromise.
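
The reference-count pattern described above, as an added userspace model in C (not the kernel source and not the upstream patch). The struct, the counter, model_create_xprt() and the listener_set_* handlers are simplified stand-ins assumed for illustration; only the helper names get_current_cred() and current_cred() mirror the kernel functions the summary mentions.

```c
/* Userspace model of the cred reference-count pattern; not kernel code. */
#include <stdio.h>

struct cred { long usage; };            /* model: only the refcount */
struct cred task_cred = { .usage = 1 }; /* the task's own reference */

/* Borrow: pointer stays valid while we run in the task's process context. */
const struct cred *current_cred(void) { return &task_cred; }

/* Acquire: takes an extra reference the caller must release with put_cred(). */
const struct cred *get_current_cred(void)
{
    task_cred.usage++;
    return &task_cred;
}

/* Stand-in for svc_xprt_create_from_sa(): uses cred during the call only. */
int model_create_xprt(const struct cred *cred) { return cred->usage > 0 ? 0 : -1; }

/* Before the fix: one reference taken per request and never dropped. */
int listener_set_leaky(void)
{
    const struct cred *cred = get_current_cred();
    return model_create_xprt(cred);     /* missing put_cred(cred) */
}

/* After the fix: borrow the pointer, so the count is untouched. */
int listener_set_fixed(void) { return model_create_xprt(current_cred()); }

/* Run n requests through handler; return how many references leaked. */
long leaked_refs(int (*handler)(void), int n)
{
    long before = task_cred.usage;
    for (int i = 0; i < n; i++)
        handler();
    return task_cred.usage - before;
}

/* The cred is freed only when the last reference (the task's own) is dropped. */
int freed_at_exit(void) { return task_cred.usage - 1 == 0; }

int main(void)
{
    printf("fixed leaked: %ld\n", leaked_refs(listener_set_fixed, 1000));
    printf("leaky leaked: %ld\n", leaked_refs(listener_set_leaky, 1000));
    printf("cred freed at task exit: %d\n", freed_at_exit());
    return 0;
}
```
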

Defensive priority

medium

Recommended defensive actions

  • Apply kernel patches from stable branches: 6.12.78+, 6.18.19+, 6.19.9+, or 7.0-rc3+
  • Monitor systems running NFS server with netlink listener configuration for unusual memory consumption
  • Restrict local access to NFS server configuration interfaces to trusted administrators
  • Upgrade to patched kernel version once available through distribution channels

Evidence notes

Official CVE record published 2026-05-08; NVD analysis added 2026-05-26. Kernel patches available for affected stable branches. CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H confirms local attack vector with low complexity.
