Vulnerability Database / CVE-2026-22989 CVE-2026-22989: Linux Kernel NFSD DoS Vulnerability CVE-2026-22989 is a denial of service vulnerability in the Linux kernel's NFSD component that causes server crashes when unlocking filesystems. This article covers the technical details, affected systems, and mitigation strategies. Published : January 30, 2026 CVE-2026-22989 Overview A Use After Free vulnerability has been identified in the Linux kernel's NFS daemon (nfsd) subsystem. The flaw exists in the unlock_filesystem administrative interface, where attempting to unlock the filesystem when the nfsd server is not running results in a server crash. This occurs because nfsd4_revoke_states() accesses state structures (such as conf_id_hashtbl ) that have already been freed during server shutdown. Critical Impact An attacker or administrator with access to the nfsd administrative interface can crash the server by invoking filesystem unlock operations when the NFS daemon is not running, leading to denial of service. Affected Products Linux kernel (nfsd module) Systems running NFS server with administrative interfaces enabled Linux distributions using affected kernel versions Discovery Timeline 2026-01-23 - CVE CVE-2026-22989 published to NVD 2026-01-26 - Last updated in NVD database Technical Details for CVE-2026-22989 Vulnerability Analysis This vulnerability represents a classic Use After Free condition in kernel-level code. The issue stems from the NFS daemon's administrative interface not properly validating the server's runtime state before attempting to access internal data structures. When an administrator attempts to unlock a filesystem via the administrative interface while nfsd is not running, the code path through nfsd4_revoke_states() attempts to access memory structures like conf_id_hashtbl that have already been deallocated during server shutdown. This results in accessing freed memory, causing a kernel crash. The call trace from the kernel crash reveals the execution flow: nfsd4_revoke_states+0x1b4/0x898 accesses freed state structures write_unlock_fs+0x258/0x440 invokes the revoke operation nfsctl_transaction_write+0xb0/0x120 processes the administrative command The crash occurs on ARM64 systems through the standard syscall path Root Cause The root cause is a missing state validation check in the write_unlock_fs() function. The code does not verify that the nfsd server is actually running before proceeding to call nfsd4_revoke_states() . Since the state hashtables and related data structures are freed when the server shuts down, any subsequent access to these structures results in a Use After Free condition. The fix requires acquiring nfsd_mutex and verifying the server is still operational before accessing any state structures. Attack Vector The attack vector requires administrative access to the nfsd control interface, typically through the /proc/fs/nfsd/ or sysfs interfaces. An attacker with sufficient privileges to interact with these interfaces can trigger the vulnerability by: Ensuring the nfsd server is stopped or has been shut down Issuing a filesystem unlock command through the administrative interface The kernel attempts to access freed memory, causing a crash The vulnerability is exploitable locally by users with appropriate administrative privileges on the NFS server. The primary impact is denial of service through kernel crash rather than privilege escalation or code execution. Detection Methods for CVE-2026-22989 Indicators of Compromise Kernel crash logs containing nfsd4_revoke_states in the call trace System instability or unexpected reboots on systems running NFS servers Kernel panic messages referencing the nfsd module during filesystem unlock operations Detection Strategies Monitor kernel logs for crash signatures involving nfsd4_revoke_states+0x1b4/0x898 or similar offsets Implement audit logging on nfsd administrative interface access ( /proc/fs/nfsd/ operations) Deploy kernel crash dump analysis to identify exploitation attempts Use SentinelOne Singularity Platform for real-time kernel-level monitoring and anomaly detection Monitoring Recommendations Enable kernel crash dump collection (kdump) to capture forensic data from crashes Monitor sysfs and procfs writes to nfsd control files Alert on unexpected nfsd service state transitions Track administrative commands executed against NFS daemon interfaces How to Mitigate CVE-2026-22989 Immediate Actions Required Apply the kernel patches from the official Linux kernel stable tree immediately Restrict access to nfsd administrative interfaces to only trusted administrators Consider implementing SELinux or AppArmor policies to limit nfsd control interface access Monitor systems for crash events until patches are deployed Patch Information The vulnerability has been addressed in the Linux kernel through commits that add proper mutex locking and server state validation. The fix ensures that nfsd_mutex is acquired and the server's running st