CVE-2025-22026 in Linux

Summary

by MITRE • 04/16/2025

In the Linux kernel, the following vulnerability has been resolved:

nfsd: don't ignore the return code of svc_proc_register()

Currently, nfsd_proc_stat_init() ignores the return value of svc_proc_register(). If the procfile creation fails, then the kernel will WARN when it tries to remove the entry later.

Fix nfsd_proc_stat_init() to return the same type of pointer as svc_proc_register(), and fix up nfsd_net_init() to check that and fail the nfsd_net construction if it occurs.

svc_proc_register() can fail if the dentry can't be allocated, or if an identical dentry already exists. The second case is pretty unlikely in the nfsd_net construction codepath, so if this happens, return -ENOMEM.


Analysis

by VulDB Data Team • 03/16/2026

CVE-2025-22026 is an error-handling oversight in the Linux kernel's NFS server (nfsd) that can leave a system in an unstable state. The affected function, nfsd_proc_stat_init(), creates the daemon's statistics entry in the proc filesystem. It ignores the value returned by svc_proc_register(), so a failure to create that proc entry is silently dropped and initialization continues as if it had succeeded.

The root cause is the missing check in the nfsd initialization path. svc_proc_register() fails when the dentry cannot be allocated or when an identical entry already exists, but nfsd_proc_stat_init() discards the result and carries on. The per-network-namespace state then records a statistics entry that was never created, and when the kernel later tries to remove that entry during shutdown or cleanup it hits a WARN because nothing is there to remove. The practical effect is a potential denial of service: on a system booted with panic_on_warn, a WARN is fatal, and even without it, accumulating kernel warnings can degrade stability.

The operational impact goes beyond a warning message. When svc_proc_register() fails because of memory pressure or a duplicate entry and the error is not propagated, the nfsd_net is constructed with an incomplete or inconsistent statistics interface. That can produce inconsistent behaviour, make NFS performance harder to monitor, and leave resources that are never cleaned up correctly. Systems running NFS servers whose statistics interface is actively used for monitoring and administration are the ones most affected.

The fix changes nfsd_proc_stat_init() to return the same pointer type as svc_proc_register() and makes nfsd_net_init() check that result and abort the nfsd_net construction when registration fails. Because a duplicate entry is very unlikely on this code path, the failure is reported as -ENOMEM, which lets the caller unwind cleanly instead of continuing with invalid state. This follows the basic kernel-development principle of propagating errors up the call stack, and the ATT&CK framework's notion of maintaining system integrity by not letting invalid states persist. The weakness is classified under CWE-252, covering improper handling of exceptional conditions, and CWE-398, covering code that is not written or maintained properly. Explicitly checking and handling every error return is ordinary defensive programming, but in kernel space the cost of skipping it is system-wide instability, which is why this class of fix matters.
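To make the before-and-after described in the commit message and in the analysis above concrete, here is an added user-space model of the pattern. It is not kernel code: the tiny registry (model_proc_register, model_proc_remove), its capacity, the warning counter and the nfsd_net_init_unchecked / nfsd_net_init_checked functions are all constructed for this example. The unchecked version drops the registration result and later trips the modelled WARN on teardown; the checked version fails construction with -ENOMEM, as the real fix does.

```c
/*
 * Added example (not Linux kernel code): a user-space model of the
 * unchecked-return-value bug fixed by CVE-2025-22026. A small in-memory
 * registry stands in for svc_proc_register()/svc_proc_unregister().
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MODEL_PROC_CAPACITY 2   /* constructed: tiny so registration can fail */
#define MODEL_NAME_MAX 32

struct model_proc_entry {
    char name[MODEL_NAME_MAX];
    int in_use;
};

static struct model_proc_entry model_proc_dir[MODEL_PROC_CAPACITY];
static int model_warn_count;    /* counts modelled WARN() hits */

/* Model of svc_proc_register(): NULL when no slot can be allocated
 * (the -ENOMEM case) or when the same name already exists (duplicate). */
static struct model_proc_entry *model_proc_register(const char *name)
{
    int free_slot = -1;
    for (int i = 0; i < MODEL_PROC_CAPACITY; i++) {
        if (model_proc_dir[i].in_use) {
            if (strcmp(model_proc_dir[i].name, name) == 0)
                return NULL;            /* identical dentry already present */
        } else if (free_slot < 0) {
            free_slot = i;
        }
    }
    if (free_slot < 0)
        return NULL;                    /* dentry allocation failed */
    snprintf(model_proc_dir[free_slot].name, MODEL_NAME_MAX, "%s", name);
    model_proc_dir[free_slot].in_use = 1;
    return &model_proc_dir[free_slot];
}

/* Model of the teardown: removing a name that was never registered is the
 * condition that makes the real kernel WARN. */
static void model_proc_remove(const char *name)
{
    for (int i = 0; i < MODEL_PROC_CAPACITY; i++) {
        if (model_proc_dir[i].in_use && strcmp(model_proc_dir[i].name, name) == 0) {
            model_proc_dir[i].in_use = 0;
            return;
        }
    }
    model_warn_count++;                 /* WARN: entry not found */
}

struct model_nfsd_net {
    int stats_registered;               /* what the per-net state believes */
};

/* Before the fix: result dropped, construction always "succeeds". */
static int nfsd_net_init_unchecked(struct model_nfsd_net *nn)
{
    model_proc_register("nfsd");        /* return value ignored */
    nn->stats_registered = 1;
    return 0;
}

/* After the fix: a NULL result aborts construction with -ENOMEM, so the
 * teardown has nothing stale to remove. */
static int nfsd_net_init_checked(struct model_nfsd_net *nn)
{
    if (!model_proc_register("nfsd"))
        return -ENOMEM;
    nn->stats_registered = 1;
    return 0;
}

static void nfsd_net_exit(struct model_nfsd_net *nn)
{
    if (nn->stats_registered)
        model_proc_remove("nfsd");
    nn->stats_registered = 0;
}

/* One init/exit cycle against a registry that is already full (constructed).
 * Returns the init return code; *warned gets the number of WARNs tripped. */
static int run_cycle(int (*init)(struct model_nfsd_net *), int *warned)
{
    struct model_nfsd_net nn = {0};
    int before = model_warn_count;
    memset(model_proc_dir, 0, sizeof(model_proc_dir));
    model_proc_register("other-a");     /* fill both slots */
    model_proc_register("other-b");
    int rc = init(&nn);
    nfsd_net_exit(&nn);
    *warned = model_warn_count - before;
    return rc;
}

int main(void)
{
    int warned;
    int rc = run_cycle(nfsd_net_init_unchecked, &warned);
    printf("unchecked: rc=%d warnings=%d\n", rc, warned);
    rc = run_cycle(nfsd_net_init_checked, &warned);
    printf("checked:   rc=%d warnings=%d\n", rc, warned);
    return 0;
}
```

The unchecked cycle returns 0 and trips one warning on teardown; the checked cycle returns -ENOMEM and trips none. The same registry also rejects a second registration of an existing name, which is the duplicate-dentry case the commit message mentions.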

Responsible

Linux

Reservation

12/29/2024

Disclosure

04/16/2025

Moderation

accepted

CPE

ready

EPSS

0.00168

KEV

no

Activities

very low
