CVE-2026-22980 in Linuxinfo

Summary

by MITRE • 01/23/2026

In the Linux kernel, the following vulnerability has been resolved:

nfsd: provide locking for v4_end_grace

Writing to v4_end_grace can race with server shutdown and result in memory being accessed after it was freed - reclaim_str_hashtbl in particular.

We cannot hold nfsd_mutex across the nfsd4_end_grace() call as that is held while client_tracking_op->init() is called and that can wait for an upcall to nfsdcltrack which can write to v4_end_grace, resulting in a deadlock.

nfsd4_end_grace() is also called by the laundromat work queue and this doesn't require locking as server shutdown will stop the work and wait for it before freeing anything that nfsd4_end_grace() might access.

However, we must be sure that writing to v4_end_grace doesn't restart the work item after shutdown has already waited for it. For this we add a new flag protected with nn->client_lock. It is set only while it is safe to make client tracking calls, and v4_end_grace only schedules work while the flag is set with the spinlock held.

So this patch adds an nfsd_net field "client_tracking_active" which is set as described. Another field "grace_end_forced" is set when v4_end_grace is written. After this is set, and providing client_tracking_active is set, the laundromat is scheduled. This "grace_end_forced" field bypasses other checks for whether the grace period has finished.

This resolves a race which can result in use-after-free.


Analysis

by VulDB Data Team • 05/17/2026

CVE-2026-22980 is a race condition in the Linux kernel's NFS server (nfsd), in the code that ends the NFSv4 grace period. A write to the v4_end_grace control file is not synchronised with server shutdown, so memory can be accessed after it has been freed; the reclaim_str_hashtbl structure in particular can be reached after it has been released. The result is a use-after-free that could lead to memory corruption and system instability, denial of service or, depending on the execution context, privilege escalation.

The root cause is a locking constraint rather than a missing lock. nfsd_mutex cannot simply be held across nfsd4_end_grace(): the mutex is already held while client_tracking_op->init() runs, and init() may wait on an upcall to nfsdcltrack, which can itself write to v4_end_grace, so taking the mutex there would deadlock. The patch therefore separates server shutdown from client tracking initialisation with a new mechanism: a client_tracking_active flag in nfsd_net, protected by nn->client_lock, that is set only while client tracking calls are safe. Client tracking work is triggered only while that flag is set, with the spinlock held, which breaks the dependency chain without widening the mutex's scope and follows the usual practice of keeping lock scope minimal.

The operational impact goes beyond a single memory error because it affects the stability of NFS servers, which in enterprise environments often carry critical data and are expected to stay up. If triggered, the race can cause crashes, data loss or, depending on the execution context, privilege escalation. The patch also adds a grace_end_forced field, set when v4_end_grace is written; once it is set, the laundromat bypasses its other checks for whether the grace period has finished and ends it directly. Because the laundromat is scheduled only while client_tracking_active is set, the work item cannot be restarted after shutdown has already waited for it, keeping the shutdown sequence and the asynchronous work in step. The weakness is classified as CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization), and its impact maps to ATT&CK techniques for privilege escalation through memory corruption.

Taken together, the client_tracking_active flag, the client_lock protection and the grace_end_forced field isolate grace-period termination from the wider shutdown sequence: client tracking calls run only during safe periods, shutdown still stops the laundromat work and waits for it before freeing anything nfsd4_end_grace() touches, and the laundromat keeps operating independently of the main shutdown path without interfering with cleanup. This removes the use-after-free that an attacker could otherwise exploit to compromise system integrity, making the patch a critical security update for Linux systems running an NFS server.
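To make the locking rule from the commit message and the analysis above concrete (the flag is set only while tracking calls are safe, and v4_end_grace schedules work only while the flag is set, with the spinlock held), here is an added user-space C model written for this page. It is not kernel code and not part of the patch. It keeps the field names from the commit message (client_lock, client_tracking_active, grace_end_forced, reclaim_str_hashtbl, the laundromat), but the struct, the atomic_flag spinlock, the one-slot work queue, the grace_timer_expired stand-in and the scenario functions are assumptions of the model. The pre-fix shape calls the modelled nfsd4_end_grace() directly after shutdown and reaches the freed table; the fixed shape checks the flag under the lock and schedules nothing.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* User-space model of the nfsd_net fields named in the commit message. Field
 * names mirror the kernel's; everything else here is a modelling choice. */
struct nfsd_net_model {
    atomic_flag client_lock;        /* stands in for nn->client_lock */
    bool client_tracking_active;    /* set only while tracking calls are safe */
    bool grace_end_forced;          /* set when v4_end_grace is written */
    bool grace_timer_expired;       /* the normal "grace period is over" check */
    bool grace_ended;               /* set by the modelled nfsd4_end_grace() */
    int laundromat_pending;         /* one-slot work queue: 1 = item queued */
    int *reclaim_str_hashtbl;       /* freed at shutdown */
};
static void client_lock(struct nfsd_net_model *nn) { while (atomic_flag_test_and_set(&nn->client_lock)) ; }
static void client_unlock(struct nfsd_net_model *nn) { atomic_flag_clear(&nn->client_lock); }

/* Modelled nfsd4_end_grace(): returns -1 if the reclaim table is already
 * freed, the point where the real kernel would read freed memory. */
int nfsd4_end_grace_model(struct nfsd_net_model *nn)
{
    if (nn->reclaim_str_hashtbl == NULL)
        return -1;
    nn->reclaim_str_hashtbl[0] = 0;     /* tear down reclaim records */
    nn->grace_ended = true;
    return 0;
}

void nfsd_net_start(struct nfsd_net_model *nn)
{
    memset(nn, 0, sizeof *nn);
    atomic_flag_clear(&nn->client_lock);
    nn->reclaim_str_hashtbl = calloc(4, sizeof(int)); /* constructed table */
    nn->client_tracking_active = true;  /* tracking calls are safe from here on */
}

/* Laundromat work item: grace_end_forced bypasses the usual expiry check. */
int laundromat_run(struct nfsd_net_model *nn)
{
    if (!nn->laundromat_pending)
        return 0;                       /* nothing queued */
    nn->laundromat_pending = 0;
    if (!nn->grace_end_forced && !nn->grace_timer_expired)
        return 0;                       /* grace period still running */
    return nfsd4_end_grace_model(nn);
}

/* Shutdown: forbid new scheduling, flush queued work, then free. */
void nfsd_net_shutdown(struct nfsd_net_model *nn)
{
    client_lock(nn);
    nn->client_tracking_active = false;
    client_unlock(nn);
    (void)laundromat_run(nn);           /* cancel_work_sync() stand-in */
    free(nn->reclaim_str_hashtbl);
    nn->reclaim_str_hashtbl = NULL;
}

/* Fixed write path: set grace_end_forced and schedule the laundromat only
 * while client_tracking_active, with client_lock held. 1 if scheduled. */
int write_v4_end_grace(struct nfsd_net_model *nn)
{
    int scheduled = 0;
    client_lock(nn);
    nn->grace_end_forced = true;
    if (nn->client_tracking_active)
        nn->laundromat_pending = scheduled = 1;
    client_unlock(nn);
    return scheduled;
}

/* The write lands after shutdown has already freed the table. */
int scenario_write_after_shutdown(bool fixed)
{
    struct nfsd_net_model nn;
    nfsd_net_start(&nn);
    nfsd_net_shutdown(&nn);
    if (!fixed)
        return nfsd4_end_grace_model(&nn); /* pre-fix shape: direct call, -1 */
    (void)write_v4_end_grace(&nn);         /* fixed shape: flag clear, nothing queued */
    return laundromat_run(&nn);            /* 0 */
}
/* A forced end of grace during normal operation still takes effect. */
int scenario_write_while_running(void)
{
    struct nfsd_net_model nn;
    nfsd_net_start(&nn);
    int rc = write_v4_end_grace(&nn) == 1 && laundromat_run(&nn) == 0 && nn.grace_ended;
    nfsd_net_shutdown(&nn);
    return rc;                          /* 1 */
}

int main(void)
{
    printf("%d %d %d\n", scenario_write_after_shutdown(false),
           scenario_write_after_shutdown(true), scenario_write_while_running());
}
```

The -1 return in the pre-fix scenario is the model's stand-in for the read of freed memory described in the summary; in a real kernel that access is what a KASAN-enabled build would report as a use-after-free. The important structural point is the order in nfsd_net_shutdown(): clear client_tracking_active under the lock first, then wait for queued work, then free, so that any writer which takes the lock afterwards sees the flag clear and cannot queue new work against freed state.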

Responsible

Linux

Reservation

01/13/2026

Disclosure

01/23/2026

Moderation

accepted

CPE

ready

EPSS

0.00023

KEV

no

Activities

very low

Sources
