PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45983 Linux CVE debrief

A vulnerability in the Linux kernel's NFSv4 server (nfsd) could cause persistent session slot exhaustion, leading to denial of service for NFSv4 clients. The issue occurs when idmap lookup upcalls during compound request decoding exceed time limits, triggering improper request deferral that leaves session slots permanently marked as in-use.

Vendor
Linux
Product
Unknown
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

Organizations running Linux NFSv4 servers, particularly those with identity mapping (idmap) configurations that may experience latency. Affected systems include those serving NFSv4 workloads where session slot exhaustion would impact client availability. Priority should be given to environments with high-concurrency NFSv4 access or strict availability requirements.

Technical summary

The Linux kernel NFSv4 server implementation contains a flaw in compound request processing. During v4 request compound argument decoding, operations such as SETATTR can trigger idmap lookup upcalls. When these upcall responses exceed the allowed time limit, cache_check() marks the request for deferral and causes it to be dropped. This prevents nfs4svc_encode_compoundres from executing, leaving the session slot flag NFSD4_SLOT_INUSE uncleared. Subsequent client requests fail with NFSERR_JUKEBOX because the SEQUENCE operation detects the slot as still in-use. The fix ensures RQ_USEDEFERRAL is always cleared during nfs4svc_decode_compoundargs(), preventing any v4 request deferral.

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates containing the referenced stable branch commits when available from your Linux distribution
  • Monitor NFSv4 server logs for NFSERR_JUKEBOX errors indicating potential session slot exhaustion
  • Consider implementing NFSv4 session monitoring to detect clients experiencing repeated SEQUENCE operation failures
  • Review idmap configuration to minimize upcall latency as a risk reduction measure until patching
  • Prioritize patching on systems serving NFSv4 workloads with high concurrency or strict availability requirements

Evidence notes

The vulnerability description indicates this is a logic error in NFSv4 request handling where the RQ_USEDEFERRAL flag was not properly cleared during compound argument decoding. The fix ensures no v4 requests are deferred, preventing the session slot flag NFSD4_SLOT_INUSE from remaining set indefinitely. Multiple stable kernel branch commits are referenced, indicating backports to supported kernel versions.

Official resources

2026-05-27