LiveActive security incident?Get immediate response
CVE Record

CVE-2025-22026: nfsd: don't ignore the return code of svc_proc_register()

In the Linux kernel, the following vulnerability has been resolved: nfsd: don't ignore the return code of svc_proc_register() Currently, nfsd_proc_stat_init() ignores the return value of svc_proc_register(). If the procfile creation fails, then the kernel will WARN when it tries to remove the entry later. Fix nfsd_proc_stat_init() to return the same type of pointer as svc_proc_register(), and fix up nfsd_net_init() to check that and fail the nfsd_net construction if it occurs. svc_proc_register() can fail if the dentry can't be allocated, or if an identical dentry already exists. The second case is pretty unlikely in the nfsd_net construction codepath, so if this happens, return -ENOMEM.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysislow

Security readout for executives and security teams

Plain-English summary

CVE-2025-22026 is a Linux kernel nfsd flaw where a failed proc file registration was ignored. Under rare failure conditions, the kernel could later warn during cleanup. The public record does not provide CVSS, CWE, confirmed exploitability, or business-impact detail.

Executive priority

Handle through normal kernel patch management unless internal evidence shows nfsd instability. There is no sourced evidence of active exploitation or severe impact, but affected production Linux kernels should still receive vendor fixes.

Technical view

In nfsd_proc_stat_init(), svc_proc_register() returned a value that was ignored. If proc entry creation failed because a dentry could not be allocated or already existed, later removal could trigger a kernel WARN. The fix propagates the pointer-style return and fails nfsd_net construction on registration failure.

Likely exposure

Exposure is limited to Linux systems running affected kernel builds listed in the CVE, especially where nfsd code is present or initialized. The CVE marks default status as unaffected except for the specified affected versions and related ranges.

Exploitation context

The provided sources do not show active exploitation, public exploit code, KEV listing, CVSS scoring, or a remote attack path. The described trigger depends on svc_proc_register() failure conditions during nfsd network namespace construction.

Researcher notes

The record is unusually narrow: it documents a missing error-path check and cleanup WARN, not a complete exploit scenario. Version data includes stable commits and affected kernel series; validate through vendor backport metadata rather than raw upstream version strings alone.

Mitigation direction

  • Apply Linux kernel updates containing the referenced stable fixes.
  • Use distribution vendor advisories to confirm backported kernel fixes.
  • Prioritize hosts that run or initialize nfsd services.
  • Monitor kernel logs for related WARN events until patched.

Validation and detection

  • Inventory Linux kernel versions against the CVE affected list.
  • Check whether nfsd is installed, built, enabled, or initialized.
  • Confirm patched packages include a referenced fix or vendor backport.
  • Review kernel logs for nfsd proc cleanup warnings.
Prepared
Confidence
medium
Sources
10

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2025-22026 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
9Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux5545496966631cd40ad3aa6450be56d0e5773d10, 73c43bccf25cec9cdec62fc22a513c28a4b28390, 10ece754df9a799131a1cf3197e9d26c04ddec22, 6f8d6ed3426a17f77628cebfb6a6e2c6f2b2496c, 93483ac5fec62cc1de166051b219d953bb5e4ef4, 93483ac5fec62cc1de166051b219d953bb5e4ef4, 93483ac5fec62cc1de166051b219d953bb5e4ef4, 93483ac5fec62cc1de166051b219d953bb5e4ef4, b7b05f98f3f06fea3986b46e5c7fe2928676b02d, 5.10.226, 5.15.166, 6.1.106, 6.6.47, 6.8.10unaffected
LinuxLinux6.9, 0, 5.10.259, 5.15.210, 6.1.164, 6.6.125, 6.12.24, 6.13.12, 6.14.2, 6.15affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.