In the Linux kernel, the following vulnerability has been resolved:
nfsd: provide locking for v4_end_grace
Writing to v4_end_grace can race with server shutdown and result in
memory being accessed after it was freed - reclaim_str_hashtbl in
particular.
We cannot hold nfsd_mutex across the nfsd4_end_grace() call as that is
held while client_tracking_op->init() is called and that can wait for
an upcall to nfsdcltrack which can write to v4_end_grace, resulting in a
deadlock.
nfsd4_end_grace() is also called by the laundromat work queue and this
doesn't require locking as server shutdown will stop the work and wait
for it before freeing anything that nfsd4_end_grace() might access.
However, we must be sure that writing to v4_end_grace doesn't restart
the work item after shutdown has already waited for it. For this we
add a new flag protected with nn->client_lock. It is set only while it
is safe to make client tracking calls, and v4_end_grace only schedules
work while the flag is set with the spinlock held.
So this patch adds a nfsd_net field "client_tracking_active" which is
set as described. Another field "grace_end_forced", is set when
v4_end_grace is written. After this is set, and providing
client_tracking_active is set, the laundromat is scheduled.
This "grace_end_forced" field bypasses other checks for whether the
grace period has finished.
This resolves a race which can result in use-after-free.
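The scheme the commit message describes (a flag that is set only while client-tracking calls are safe, cleared under the spinlock before shutdown waits for the work item, and checked under that same spinlock before a v4_end_grace write schedules the laundromat) can be modelled in userspace. The block below is an added illustration, not kernel code: the field names client_tracking_active, grace_end_forced and client_lock mirror the commit, while struct nfsd_net_model, every function name, the C11 atomic_flag standing in for the kernel spinlock, and the pending-work boolean standing in for the workqueue are all assumptions of the model.

```c
/*
 * Userspace model of the locking described in the nfsd commit message.
 * Added example, not kernel code. Field names follow the commit; the
 * struct, functions, atomic_flag "spinlock" and the pending-work flag that
 * stands in for the workqueue are invented for the model.
 */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct nfsd_net_model {
    atomic_flag client_lock;     /* models nn->client_lock */
    bool client_tracking_active; /* true only while client-tracking calls are safe */
    bool grace_end_forced;       /* set when v4_end_grace is written */
    bool laundromat_pending;     /* models "work item is queued" */
    int laundromat_runs;         /* times the laundromat ran end-grace work */
    char *reclaim_str_hashtbl;   /* the table shutdown frees (heap buffer here) */
};

static void client_lock(struct nfsd_net_model *nn)
{
    while (atomic_flag_test_and_set_explicit(&nn->client_lock, memory_order_acquire))
        ; /* spin, like the kernel spinlock this stands in for */
}

static void client_unlock(struct nfsd_net_model *nn)
{
    atomic_flag_clear_explicit(&nn->client_lock, memory_order_release);
}

/* Server start: allocate state first, then publish that tracking is active. */
static void nfsd_model_start(struct nfsd_net_model *nn)
{
    memset(nn, 0, sizeof *nn);
    atomic_flag_clear(&nn->client_lock);
    nn->reclaim_str_hashtbl = calloc(64, 1);
    client_lock(nn);
    nn->client_tracking_active = true;
    client_unlock(nn);
}

/*
 * Laundromat work function. Returns 1 if it ran end-grace work, 0 if no
 * work was pending, and -1 where the real code would touch freed memory
 * (the model refuses instead of dereferencing a freed pointer).
 */
static int nfsd_model_laundromat(struct nfsd_net_model *nn)
{
    if (!nn->laundromat_pending)
        return 0;
    nn->laundromat_pending = false;
    if (nn->reclaim_str_hashtbl == NULL)
        return -1;                       /* use-after-free would happen here */
    if (nn->grace_end_forced) {
        nn->reclaim_str_hashtbl[0] = 1;  /* nfsd4_end_grace() touching the table */
        nn->laundromat_runs++;
    }
    return 1;
}

/* Write to v4_end_grace: force grace end; schedule work only while tracking is active. */
static int nfsd_model_v4_end_grace_write(struct nfsd_net_model *nn)
{
    int scheduled = 0;
    client_lock(nn);
    nn->grace_end_forced = true;
    if (nn->client_tracking_active) {
        nn->laundromat_pending = true;
        scheduled = 1;
    }
    client_unlock(nn);
    return scheduled;
}

/* Shutdown: clear the flag under the lock, flush pending work, then free. */
static void nfsd_model_shutdown(struct nfsd_net_model *nn)
{
    client_lock(nn);
    nn->client_tracking_active = false;
    client_unlock(nn);
    nfsd_model_laundromat(nn);   /* models waiting for already-queued work */
    free(nn->reclaim_str_hashtbl);
    nn->reclaim_str_hashtbl = NULL;
}

/* Write before shutdown: work is scheduled and runs exactly once. Returns 1 on success. */
int scenario_write_then_shutdown(void)
{
    struct nfsd_net_model nn;
    nfsd_model_start(&nn);
    int scheduled = nfsd_model_v4_end_grace_write(&nn);
    nfsd_model_shutdown(&nn);
    return scheduled == 1 && nn.laundromat_runs == 1;
}

/* Write after shutdown cleared the flag: nothing is scheduled, nothing freed is touched. */
int scenario_shutdown_then_write(void)
{
    struct nfsd_net_model nn;
    nfsd_model_start(&nn);
    nfsd_model_shutdown(&nn);
    int scheduled = nfsd_model_v4_end_grace_write(&nn);
    int ran = nfsd_model_laundromat(&nn);  /* would be -1 without the flag check */
    return scheduled == 0 && ran == 0;
}

int main(void)
{
    printf("write then shutdown: %s\n", scenario_write_then_shutdown() ? "ok" : "FAIL");
    printf("shutdown then write: %s\n", scenario_shutdown_then_write() ? "ok" : "FAIL");
    return 0;
}
```

The second scenario is the race the patch closes: once shutdown has cleared client_tracking_active under the lock, a later write still records grace_end_forced but cannot queue the laundromat, so no work item can run against the freed reclaim_str_hashtbl. Removing the flag check from nfsd_model_v4_end_grace_write() makes the model return -1 from the laundromat, which is the model's stand-in for the use-after-free.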
CVE-2026-22980 is a use-after-free vulnerability in the Linux kernel's NFSv4 grace period handling that can be triggered during server shutdown. A write to v4_end_grace can race with shutdown so that memory is accessed after it has been freed, the reclaim_str_hashtbl structure in particular. This affects Linux kernel versions 6.19-rc1 through 6.19-rc4 and potentially earlier versions, with a CVSS score of 7.8 indicating high severity.
Immediate Actions:
1. Identify all Linux servers running kernel versions 6.19-rc1 through 6.19-rc4 using: uname -r
2. Prioritize systems running NFSv4 services (check: systemctl status nfs-server or ps aux | grep nfsd)
3. Implement change control procedures before patching production systems
Patching Guidance:
1. Apply the latest stable kernel patch that includes the v4_end_grace locking fix
2. For RHEL/CentOS: yum update kernel and reboot
3. For Ubuntu/Debian: apt update && apt upgrade linux-image-* and reboot
4. Verify patch application: grep -i 'client_tracking_active' /boot/config-$(uname -r)
Compensating Controls (if immediate patching not possible):
1. Minimize NFS server restarts during business hours
2. Implement monitoring for kernel panic messages related to nfsd
3. Use NFS client-side timeouts to detect server issues quickly
4. Maintain regular backups independent of NFS infrastructure
Detection Rules:
1. Monitor kernel logs for: 'use-after-free', 'nfsd', 'reclaim_str_hashtbl'
2. Alert on unexpected nfsd process terminations
3. Track NFS server restart events and correlate with system issues
4. Monitor for memory corruption indicators in dmesg output
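The kernel-version triage in "Immediate Actions" and the log indicators in "Detection Rules" can be combined into one small helper. The block below is an added example, not part of the advisory or of the kernel project: kernel_in_stated_range() parses a uname -r string and reports whether it falls in the 6.19-rc1 through 6.19-rc4 range the advisory names, and nfsd_uaf_indicator() scores one kernel-log line on the indicators listed above. Function names and the sample log lines are constructed for the example.

```c
/*
 * Added triage helper for the advisory above (not from the advisory or the
 * kernel project). Function names are invented; sample lines are constructed
 * in the shape of KASAN / dmesg output.
 */
#include <stdio.h>
#include <string.h>

/*
 * Returns 1 when uname_r is 6.19-rcN with 1 <= N <= 4, the range the advisory
 * states, else 0. Accepts "6.19.0-rc3-custom" style strings. Kernels the advisory
 * calls "potentially earlier" are not covered and need a separate decision.
 */
int kernel_in_stated_range(const char *uname_r)
{
    int major = 0, minor = 0, rc = 0;
    if (sscanf(uname_r, "%d.%d", &major, &minor) != 2)
        return 0;
    const char *p = strstr(uname_r, "-rc");
    if (p == NULL || sscanf(p + 3, "%d", &rc) != 1)
        return 0;                   /* a final 6.19 release is outside the stated range */
    return major == 6 && minor == 19 && rc >= 1 && rc <= 4;
}

/*
 * Severity of one kernel log line for this issue:
 *   2 = use-after-free report that names nfsd or reclaim_str_hashtbl
 *   1 = use-after-free report elsewhere, or an nfsd line without UAF wording
 *   0 = nothing of interest
 * Requiring co-occurrence keeps ordinary nfsd log chatter from paging anyone.
 */
int nfsd_uaf_indicator(const char *line)
{
    int uaf = strstr(line, "use-after-free") != NULL;
    int nfsd = strstr(line, "nfsd") != NULL ||
               strstr(line, "reclaim_str_hashtbl") != NULL;
    if (uaf && nfsd)
        return 2;
    if (uaf || nfsd)
        return 1;
    return 0;
}

/* Constructed sample lines; addresses and offsets are placeholders. */
static const char *sample_lines[] = {
    "BUG: KASAN: slab-use-after-free in nfsd4_end_grace+0x1a/0x2c0 [nfsd]",
    "Read of size 8 at addr ffff888012345678 by task nfsdcltrack/1234",
    "nfsd: last server has exited, flushing export cache",
    "BUG: KASAN: use-after-free in some_other_driver_fn+0x10/0x40",
};

/* Highest severity across the sample lines; 2 for the set above. */
int scan_samples(void)
{
    int worst = 0;
    for (size_t i = 0; i < sizeof sample_lines / sizeof sample_lines[0]; i++) {
        int s = nfsd_uaf_indicator(sample_lines[i]);
        if (s > worst)
            worst = s;
    }
    return worst;
}

int main(void)
{
    const char *versions[] = { "6.19.0-rc3", "6.19-rc4", "6.19.0-rc5", "6.18.0-rc2", "6.19.0" };
    for (size_t i = 0; i < sizeof versions / sizeof versions[0]; i++)
        printf("%-12s in stated range: %d\n", versions[i], kernel_in_stated_range(versions[i]));
    printf("worst sample severity: %d\n", scan_samples());
    return 0;
}
```

On a live host, feed kernel_in_stated_range() the output of uname -r and nfsd_uaf_indicator() each line of dmesg or the kernel journal; pair a positive version result with the nfsd service check from "Immediate Actions" before prioritising the host. One caveat on the verification step in "Patching Guidance": client_tracking_active is, as the commit message says, a field added to struct nfsd_net in the kernel source, not a Kconfig symbol, so it will not appear in /boot/config-$(uname -r) on a patched kernel either; confirm the fix through the kernel version or changelog your distribution ships rather than through that grep.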