CVE-2023-53606 in Linux
Summary
by MITRE • 10/04/2025
In the Linux kernel, the following vulnerability has been resolved:
nfsd: clean up potential nfsd_file refcount leaks in COPY codepath
There are two different flavors of the nfsd4_copy struct. One is embedded in the compound and is used directly in synchronous copies. The other is dynamically allocated, refcounted and tracked in the client structure. For the embedded one, the cleanup just involves releasing any nfsd_files held on its behalf. For the async one, the cleanup is a bit more involved, and we need to dequeue it from lists, unhash it, etc.
There is at least one potential refcount leak in this code now. If the kthread_create call fails, then both the src and dst nfsd_files in the original nfsd4_copy object are leaked.
The cleanup in this codepath is also sort of weird. In the async copy case, we'll have up to four nfsd_file references (src and dst for both flavors of copy structure). They are both put at the end of nfsd4_do_async_copy, even though the ones held on behalf of the embedded one outlive that structure.
Change it so that we always clean up the nfsd_file refs held by the embedded copy structure before nfsd4_copy returns. Rework cleanup_async_copy to handle both inter and intra copies. Eliminate nfsd4_cleanup_intra_ssc since it now becomes a no-op.
Analysis
by VulDB Data Team • 04/28/2026
The vulnerability described in CVE-2023-53606 represents a critical reference counting issue within the Linux kernel's Network File System Daemon (nfsd) implementation, specifically affecting the nfsd4_copy functionality. This flaw exists in the handling of asynchronous file copy operations between NFSv4 servers, where improper cleanup of reference-counted resources can lead to memory leaks and potential system instability. The vulnerability manifests when the kernel attempts to create kernel threads for asynchronous copy operations, and the kthread_create function fails, resulting in resource leaks that persist beyond the normal execution flow. The issue stems from the dual nature of the nfsd4_copy structure, which exists in both embedded and dynamically allocated forms, each requiring different cleanup procedures. When an asynchronous copy operation fails during thread creation, the source and destination nfsd_file references associated with the original nfsd4_copy object are not properly released, creating a memory leak that can accumulate over time and potentially lead to system resource exhaustion.
The technical implementation flaw lies in the improper synchronization and cleanup of reference-counted nfsd_file objects within the nfsd subsystem. When the kthread_create call fails, the code path does not properly handle the cleanup of the embedded nfsd4_copy structure's references, leading to a reference count leak that can cause the nfsd_file objects to remain in memory indefinitely. The cleanup logic becomes particularly complex when dealing with asynchronous operations that may involve up to four nfsd_file references: two for each of the embedded and dynamically allocated copy structures. The original implementation's approach of deferring cleanup until the end of nfsd4_do_async_copy is problematic because it fails to account for the fact that the references held on behalf of the embedded structure outlive the dynamically allocated one, creating a mismatch between reference counting and object lifetime management. This design flaw directly violates the principle of proper resource management, under which resources must be released when they are no longer needed, regardless of execution flow.
The operational impact of this vulnerability extends beyond simple memory leaks to potentially compromise system stability and performance in NFS server environments. When multiple asynchronous copy operations fail during thread creation, the accumulated reference leaks can lead to progressive memory consumption that may eventually cause system slowdowns, resource exhaustion, or even system crashes in extreme cases. The vulnerability is particularly concerning in high-throughput NFS environments where many concurrent copy operations occur, as the cumulative effect of these leaks can rapidly degrade system performance. Additionally, the improper cleanup can lead to inconsistent file system states and potential data integrity issues, as the leaked references may prevent proper file handle release and cleanup. The vulnerability affects systems running Linux kernel versions that include the affected nfsd implementation, making it relevant to enterprise storage infrastructure, cloud computing environments, and any system relying on NFSv4 file sharing services.
Mitigation strategies for CVE-2023-53606 require immediate kernel updates to address the reference counting implementation flaw. System administrators should prioritize patching affected Linux distributions with the corrected nfsd implementation that properly handles cleanup of embedded nfsd4_copy structures before returning from the copy operation. The fix involves restructuring the cleanup logic to ensure that nfsd_file references held by embedded copy structures are always cleaned up before the nfsd4_copy object itself is released, while reworking the cleanup_async_copy function to handle both inter-server and intra-server copy operations uniformly. Organizations should also implement monitoring for unusual memory consumption patterns in NFS server environments and consider implementing resource limits on NFS operations to prevent potential denial-of-service scenarios. The fix aligns with established security practices for reference counting and resource management, addressing the underlying CWE-404 issue of improper resource release and the ATT&CK technique of resource exhaustion through memory leaks. Regular system audits should verify that NFS services are running patched kernel versions and that appropriate logging is enabled to detect potential resource leak conditions.
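As an added model of the failure path and fix described in the analysis above (not the kernel's code and not from the advisory): a user-space C stand-in for the nfsd_file refcount, with the pre-fix early return on thread-creation failure beside the post-fix unconditional cleanup. The names file_get, file_put, copy_fn, cleanup_copy_files and leaked_refs_after_failure are assumed for the illustration.

```c
/* Added illustration, not kernel code: an nfsd_file ref is a plain counter and
 * the kthread_create() failure is a flag; names stand in for the kernel's. */
#include <stdbool.h>
#include <stddef.h>

struct nfsd_file { int refcount; };                  /* modelled nfsd_file */
struct nfsd4_copy { struct nfsd_file *src, *dst; };  /* the embedded flavour */

static void file_get(struct nfsd_file *f) { f->refcount++; }
static void file_put(struct nfsd_file *f) { f->refcount--; }

/* Drop the refs the embedded copy struct holds; safe to call on any path. */
static void cleanup_copy_files(struct nfsd4_copy *c) {
    if (c->src) { file_put(c->src); c->src = NULL; }
    if (c->dst) { file_put(c->dst); c->dst = NULL; }
}

typedef int (*copy_fn)(struct nfsd4_copy *, struct nfsd_file *,
                       struct nfsd_file *, bool);
/* Pre-fix flow: a thread-creation failure returns early, so the src and dst
 * refs taken for the embedded structure are never put back. */
static int copy_before_fix(struct nfsd4_copy *c, struct nfsd_file *src,
                           struct nfsd_file *dst, bool kthread_fails) {
    c->src = src; file_get(src);
    c->dst = dst; file_get(dst);
    if (kthread_fails)
        return -1;                 /* leak: both refs still held */
    cleanup_copy_files(c);         /* normal completion releases them */
    return 0;
}

/* Post-fix flow: the embedded refs are released before returning on every
 * path, whether or not the async thread could be created. */
static int copy_after_fix(struct nfsd4_copy *c, struct nfsd_file *src,
                          struct nfsd_file *dst, bool kthread_fails) {
    int ret = 0;
    c->src = src; file_get(src);
    c->dst = dst; file_get(dst);
    if (kthread_fails)
        ret = -1;
    cleanup_copy_files(c);         /* unconditional cleanup */
    return ret;
}

/* Run one copy whose thread creation fails; return refs left dangling. */
static int leaked_refs_after_failure(copy_fn fn) {
    struct nfsd_file src = { 0 }, dst = { 0 };
    struct nfsd4_copy c = { NULL, NULL };
    fn(&c, &src, &dst, true);
    return src.refcount + dst.refcount;
}
```

The same counter check is what a kernel-side reviewer would look for on each error return: every ref taken on the embedded structure must have a matching put before nfsd4_copy returns.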