LiveActive security incident?Get immediate response
CVE Record

CVE-2024-26629: nfsd: fix RELEASE_LOCKOWNER

In the Linux kernel, the following vulnerability has been resolved: nfsd: fix RELEASE_LOCKOWNER The test on so_count in nfsd4_release_lockowner() is nonsense and harmful. Revert to using check_for_locks(), changing that to not sleep. First: harmful. As is documented in the kdoc comment for nfsd4_release_lockowner(), the test on so_count can transiently return a false positive resulting in a return of NFS4ERR_LOCKS_HELD when in fact no locks are held. This is clearly a protocol violation and with the Linux NFS client it can cause incorrect behaviour. If RELEASE_LOCKOWNER is sent while some other thread is still processing a LOCK request which failed because, at the time that request was received, the given owner held a conflicting lock, then the nfsd thread processing that LOCK request can hold a reference (conflock) to the lock owner that causes nfsd4_release_lockowner() to return an incorrect error. The Linux NFS client ignores that NFS4ERR_LOCKS_HELD error because it never sends NFS4_RELEASE_LOCKOWNER without first releasing any locks, so it knows that the error is impossible. It assumes the lock owner was in fact released so it feels free to use the same lock owner identifier in some later locking request. When it does reuse a lock owner identifier for which a previous RELEASE failed, it will naturally use a lock_seqid of zero. However the server, which didn't release the lock owner, will expect a larger lock_seqid and so will respond with NFS4ERR_BAD_SEQID. So clearly it is harmful to allow a false positive, which testing so_count allows. The test is nonsense because ... well... it doesn't mean anything. so_count is the sum of three different counts. 1/ the set of states listed on so_stateids 2/ the set of active vfs locks owned by any of those states 3/ various transient counts such as for conflicting locks. When it is tested against '2' it is clear that one of these is the transient reference obtained by find_lockowner_str_locked(). It is not clear what the other one is expected to be. In practice, the count is often 2 because there is precisely one state on so_stateids. If there were more, this would fail. In my testing I see two circumstances when RELEASE_LOCKOWNER is called. In one case, CLOSE is called before RELEASE_LOCKOWNER. That results in all the lock states being removed, and so the lockowner being discarded (it is removed when there are no more references which usually happens when the lock state is discarded). When nfsd4_release_lockowner() finds that the lock owner doesn't exist, it returns success. The other case shows an so_count of '2' and precisely one state listed in so_stateid. It appears that the Linux client uses a separate lock owner for each file resulting in one lock state per lock owner, so this test on '2' is safe. For another client it might not be safe. So this patch changes check_for_locks() to use the (newish) find_any_file_locked() so that it doesn't take a reference on the nfs4_file and so never calls nfsd_file_put(), and so never sleeps. With this check is it safe to restore the use of check_for_locks() rather than testing so_count against the mysterious '2'.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysislow

Security readout for executives and security teams

Plain-English summary

This Linux kernel NFS server bug can incorrectly reject a client request to release a lock owner. The result is not described as code execution; the cited impact is incorrect NFS client/server behavior, including later lock sequence errors. Business urgency depends on whether affected Linux kernels provide NFSv4 service.

Executive priority

Handle through normal kernel and appliance patch governance, with higher priority for production NFSv4 servers that support shared files, databases, engineering workloads, or industrial systems. No source provided evidence of active exploitation or emergency patching criteria.

Technical view

The flaw is in Linux nfsd RELEASE_LOCKOWNER handling. A transient reference count check can falsely report locks held, returning NFS4ERR_LOCKS_HELD. Linux clients may then reuse the lock owner identifier, while the server expects a higher lock_seqid and returns NFS4ERR_BAD_SEQID.

Likely exposure

Exposure is most plausible on systems running Linux kernel nfsd as an NFSv4 server on affected kernel versions or vendor products that embed affected kernels. The source bundle does not prove exposure for systems that only use NFS as clients.

Exploitation context

The bundle shows no CISA KEV listing and no cited active exploitation. The described failure mode is protocol correctness and lock-state handling, not a documented remote code execution path. Evidence is incomplete on attacker prerequisites and real-world exploitability.

Researcher notes

The affected-version data is source-derived but complex, spanning stable kernel branches and commits. Treat distribution backports as authoritative. The root cause is replacing an unreliable so_count test with non-sleeping check_for_locks() using find_any_file_locked().

Mitigation direction

  • Identify Linux systems serving NFSv4 with kernel nfsd enabled.
  • Upgrade to vendor-supported kernels containing the referenced stable fixes.
  • Check appliance advisories, including Siemens guidance where relevant.
  • Prioritize storage servers supporting lock-sensitive workloads.
  • If patch timing is unclear, request vendor confirmation for CVE-2024-26629.

Validation and detection

  • Inventory kernels on Linux NFSv4 servers and compare against vendor fixed releases.
  • Review NFS server logs for NFS4ERR_LOCKS_HELD and NFS4ERR_BAD_SEQID patterns.
  • Confirm change-control records show the stable kernel fix was applied.
  • Validate affected appliances against their vendor security advisory.
  • Test NFS locking workflows after patching in a staging environment.
Prepared
Confidence
medium
Sources
10

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2024-26629 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
3ADP providers
9Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
CVECVE Program Container
siemens-SADPADP container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxef481b262bba4f454351eec43f024fec942c2d4c, 3097f38e91266c7132c3fdb7e778fac858c00670, e2fc17fcc503cfca57b5d1dd3b646ca7eebead97, ce3c4ad7f4ce5db7b4f08a1e237d8dd94b39180b, ce3c4ad7f4ce5db7b4f08a1e237d8dd94b39180b, ce3c4ad7f4ce5db7b4f08a1e237d8dd94b39180b, ce3c4ad7f4ce5db7b4f08a1e237d8dd94b39180b, fea1d0940301378206955264a01778700fc9c16f, 2ec65dc6635d1976bd1dbf2640ff7f810b2f6dd1, a2235bc65ade40982c3d09025cdd34bc539d6a69, ba747abfca27e23c42ded3912c87b70d7e16b6ab, e8020d96dd5b2dcc1f6a8ee4f87a53a373002cd5, 4.19.246, 5.10.120, 5.15.45, 4.9.317, 4.14.282, 5.4.197, 5.17.13, 5.18.2unaffected
LinuxLinux5.19, 0, 4.19.306, 5.10.220, 5.15.154, 6.1.79, 6.6.15, 6.7.3, 6.8affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.