Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
Medium

Linux kernel nfsd proc registration error handling flaw

IdentifiersCVE-2025-22026CWE-252· Unchecked Return Value

CVE-2025-22026 is a Linux kernel vulnerability in the NFS server (nfsd) initialization path. The issue is that nfsd_proc_stat_init() ignored the return value of svc_proc_register() when creating the nfsd procfs statistics entry. If svc_proc_register() failed, the failure was not propagated, leaving initialization in an inconsistent state. Later, when the kernel attempted to remove the proc entry during teardown, it could trigger a WARN because the procfile had never been created successfully. The fix changes nfsd_proc_stat_init() to return the same pointer/error semantics as svc_proc_register() and updates nfsd_net_init() to validate that result and fail nfsd network namespace construction on error. According to the provided content, svc_proc_register() can fail if a dentry cannot be allocated or if an identical dentry already exists; the latter is considered unlikely in this code path and is treated as -ENOMEM.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful triggering of this flaw can cause kernel WARN conditions and failure of nfsd network namespace initialization when procfs entry registration fails. The primary impact described in the provided content is service initialization failure or kernel instability/noise in the form of WARNs, rather than direct code execution, privilege escalation, or confidentiality/integrity compromise.

Mitigation

If you can’t patch tonight, do this now.

No specific vendor workaround is provided in the supplied content. Practical mitigations are limited to reducing the likelihood of procfs registration failure, such as maintaining adequate system memory to avoid dentry allocation failures, and avoiding use or startup of the NFS server (nfsd) on affected systems until a fixed kernel is deployed.

Remediation

Patch, then assume compromise.

Apply a Linux kernel version containing the upstream fix for CVE-2025-22026. The fix modifies nfsd_proc_stat_init() to check and propagate the return value from svc_proc_register(), and updates nfsd_net_init() to abort nfsd_net construction if proc registration fails. The specific fixed kernel versions or commit identifiers are not provided in the supplied content.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
LinuxLinux Kerneloperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories and community write-ups. News coverage will land here when it surfaces.

3 SOURCESView more in app

No news coverage yet. Advisories and community discussion only.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity1

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-22026
NVD
nvd.nist.gov/vuln/detail/CVE-2025-22026
MITRE CWE · CWE-252
Unchecked Return Value
Patch
git.kernel.org/stable/c/30405b23b4d5e2a596fb756d48119d7293194e75
Patch
git.kernel.org/stable/c/51da899c209a9624e48be416bd30e7ed5cd6c3d8
Patch
git.kernel.org/stable/c/6a59b70fe71ec66c0dd19e2c279c71846a3fb2f0
Patch
git.kernel.org/stable/c/930b64ca0c511521f0abdd1d57ce52b2a6e3476b
Patch
git.kernel.org/stable/c/9d9456185fd5f1891c74354ee297f19538141ead
Patch
git.kernel.org/stable/c/e31957a819e60cf0bc9a49408765e6095fd3d046