In the Linux kernel, the following vulnerability has been resolved:
nfsd: Fix cred ref leak in nfsd_nl_threads_set_doit().
syzbot reported memory leak of struct cred. [0]
nfsd_nl_threads_set_doit() passes get_current_cred() to nfsd_svc(), but put_cred() is not called after that.
The cred is finally passed down to svc_xprt_create(), which calls get_cred() with the cred for struct svc_xprt.
The ownership of the refcount by get_current_cred() is not transferred to anywhere and is just leaked.
nfsd_svc() is also called from write_threads(), but it does not bump file->f_cred there.
nfsd_nl_threads_set_doit() is called from sendmsg() and current->cred does not go away.
Let's use current_cred() in nfsd_nl_threads_set_doit().
unreferenced object 0xffff888108b89480 (size 184):
  comm "syz-executor", pid 5994, jiffies 4294943386
  hex dump (first 32 bytes):
    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 369454a7):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4958 [inline]
    slab_alloc_node mm/slub.c:5263 [inline]
    kmem_cache_alloc_noprof+0x412/0x580 mm/slub.c:5270
    prepare_creds+0x22/0x600 kernel/cred.c:185
    copy_creds+0x44/0x290 kernel/cred.c:286
    copy_process+0x7a7/0x2870 kernel/fork.c:2086
    kernel_clone+0xac/0x6e0 kernel/fork.c:2651
    __do_sys_clone+0x7f/0xb0 kernel/fork.c:2792
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f
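The reference-count imbalance described above, as an added userland C model (not kernel code and not part of the original advisory). The function names mirror the kernel helpers the advisory names; the struct layouts, `task_cred`, `svc_xprt_destroy()` and `leaked_refs()` are simplified assumptions for illustration.

```c
/* Userland model of the cred refcounting in this advisory (constructed;
 * bodies are simplified stand-ins, not the kernel implementations). */
#include <stdio.h>

struct cred { int usage; };                     /* models the cred refcount */
struct svc_xprt { const struct cred *cred; };   /* simplified layout (assumption) */

static struct cred task_cred = { .usage = 1 };  /* models current->cred */

static const struct cred *get_cred(const struct cred *c)
{
    ((struct cred *)c)->usage++;                /* take a reference */
    return c;
}
static void put_cred(const struct cred *c) { ((struct cred *)c)->usage--; }

/* Borrow: no reference taken; current->cred stays alive during sendmsg(). */
static const struct cred *current_cred(void) { return &task_cred; }
/* Own: the caller must balance this with put_cred(). */
static const struct cred *get_current_cred(void) { return get_cred(&task_cred); }

/* The transport takes its own reference for struct svc_xprt. */
static void svc_xprt_create(struct svc_xprt *x, const struct cred *c)
{
    x->cred = get_cred(c);
}
/* Hypothetical teardown helper: drops only the transport's reference. */
static void svc_xprt_destroy(struct svc_xprt *x) { put_cred(x->cred); }

static void nfsd_svc(struct svc_xprt *x, const struct cred *c) { svc_xprt_create(x, c); }

/* Returns how many cred references are still held after full teardown. */
static int leaked_refs(int use_fixed_caller)
{
    struct svc_xprt x;
    int before = task_cred.usage;

    if (use_fixed_caller)
        nfsd_svc(&x, current_cred());           /* after the fix: borrow only */
    else
        nfsd_svc(&x, get_current_cred());       /* before the fix: never put */
    svc_xprt_destroy(&x);
    return task_cred.usage - before;
}

int main(void)
{
    printf("before fix: %d leaked, after fix: %d leaked\n", leaked_refs(0), leaked_refs(1));
    return 0;
}
```

Because the count never returns to zero in the pre-fix path, the object is never freed, which is what the kmemleak report above records for the 184-byte allocation made in `prepare_creds()`.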
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23297.json"
}