PatchSiren

CVE-2026-45964 Linux CVE debrief

A reference counting bug in the Linux kernel's SUNRPC GSS authentication subsystem can cause a kernel memory leak. When gss_alloc_msg() fails to duplicate a service name string, the error path omits releasing a reference taken on the gss_auth structure, preventing its eventual deallocation. This flaw was introduced when balancing reference counts in commit 5940d1cf9f42. The fix adds the missing kref_put() call in the error path.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

System administrators running Linux NFS clients or servers with Kerberos/GSSAPI authentication enabled; kernel maintainers and distribution packagers; security teams monitoring for kernel memory exhaustion conditions.

Technical summary

The vulnerability exists in the SUNRPC GSS authentication implementation within the Linux kernel. The function gss_alloc_msg() takes a reference on the gss_auth structure via kref_get() to balance a later gss_put_auth() in gss_release_msg(). However, if kstrdup_const() fails to duplicate the service_name string, the error path err_put_pipe_version calls put_pipe_version() and kfree(gss_msg) but never releases the gss_auth reference. This results in a kref leak where the gss_auth structure accumulates unreleased references and is never freed, causing kernel memory exhaustion over time. The fix adds a forward declaration for gss_free_callback() and inserts kref_put() in the error path to properly release the reference.
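
The error path described above, as an added userspace model in C (not the kernel source and not code from the advisory). Only the function and label names come from the description; the struct layouts, dup_name(), and the fail_alloc / apply_fix switches are assumptions made for illustration.

```c
/* Userspace model of the error path; not kernel source. Struct layouts and
 * the fail_alloc / apply_fix switches are assumptions for illustration. */
#include <stdlib.h>
#include <string.h>
struct kref { int refcount; };
struct gss_auth { struct kref kref; int freed; };   /* kref must stay first */
struct gss_upcall_msg { struct gss_auth *auth; char *service_name; };

static void kref_get(struct kref *k) { k->refcount++; }
static void kref_put(struct kref *k, void (*release)(struct kref *)) {
    if (--k->refcount == 0) release(k);
}
static void gss_free_callback(struct kref *k) {
    ((struct gss_auth *)k)->freed = 1;   /* model "freed" as a flag */
}

/* Stand-in for kstrdup_const(); fail_alloc injects the allocation failure. */
static char *dup_name(const char *s, int fail_alloc) {
    char *p = fail_alloc ? NULL : malloc(strlen(s) + 1);
    return p ? strcpy(p, s) : NULL;
}

/* apply_fix = 0 models the pre-fix error path, 1 the patched one. */
static struct gss_upcall_msg *alloc_msg(struct gss_auth *auth, const char *name,
                                        int fail_alloc, int apply_fix) {
    struct gss_upcall_msg *msg = calloc(1, sizeof(*msg));
    if (!msg) return NULL;
    kref_get(&auth->kref);   /* balanced later by the message release path */
    msg->auth = auth;
    msg->service_name = dup_name(name, fail_alloc);
    if (msg->service_name)
        return msg;
    /* err_put_pipe_version: put_pipe_version() is not modelled here */
    if (apply_fix)
        kref_put(&auth->kref, gss_free_callback);   /* the put the fix adds */
    free(msg);
    return NULL;
}

/* After n failed allocations the owner drops its own reference. Returns the
 * leftover refcount (0 means gss_auth was released) and sets *freed. */
int refs_left_after_failures(int n, int apply_fix, int *freed) {
    struct gss_auth auth = { { 1 }, 0 };   /* owner holds one reference */
    for (int i = 0; i < n; i++)
        alloc_msg(&auth, "nfs", 1, apply_fix);
    kref_put(&auth.kref, gss_free_callback);
    *freed = auth.freed;
    return auth.kref.refcount;
}
```

In the model, each failed allocation without the fix leaves one extra reference behind, so the owner's final put never reaches zero and the release callback never runs.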

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates containing the referenced stable commits when available from your Linux distribution
  • Monitor kernel memory usage on systems using NFS with Kerberos/GSSAPI authentication for unexpected growth
  • Review system logs for memory pressure indicators on long-running NFS client or server systems
  • Prioritize patching on systems where NFS services with GSSAPI authentication cannot be easily restarted

Evidence notes

The vulnerability description identifies the specific function gss_alloc_msg() in the Linux kernel's SUNRPC GSS authentication code. The flaw involves a missing kref_put() call in the err_put_pipe_version error path when kstrdup_const() fails. Multiple stable kernel commits are referenced, indicating fixes were backported across kernel versions.
