CVE-2025-22026: nfsd: don't ignore the return code of svc_proc_register()
In the Linux kernel, the following vulnerability has been resolved:
nfsd: don't ignore the return code of svc_proc_register()
Currently, nfsd_proc_stat_init() ignores the return value of
svc_proc_register(). If the procfile creation fails, then the kernel
will WARN when it tries to remove the entry later.
Fix nfsd_proc_stat_init() to return the same type of pointer as
svc_proc_register(), and fix up nfsd_net_init() to check that and fail
the nfsd_net construction if it occurs.
svc_proc_register() can fail if the dentry can't be allocated, or if an
identical dentry already exists. The second case is pretty unlikely in
the nfsd_net construction codepath, so if this happens, return -ENOMEM.
Security readout for executives and security teams
Plain-English summary
CVE-2025-22026 is a Linux kernel nfsd flaw where a failed proc file registration was ignored. Under rare failure conditions, the kernel could later warn during cleanup. The public record does not provide CVSS, CWE, confirmed exploitability, or business-impact detail.
Executive priority
Handle through normal kernel patch management unless internal evidence shows nfsd instability. There is no sourced evidence of active exploitation or severe impact, but affected production Linux kernels should still receive vendor fixes.
Technical view
In nfsd_proc_stat_init(), svc_proc_register() returned a value that was ignored. If proc entry creation failed because a dentry could not be allocated or already existed, later removal could trigger a kernel WARN. The fix propagates the pointer-style return and fails nfsd_net construction on registration failure.
Likely exposure
Exposure is limited to Linux systems running affected kernel builds listed in the CVE, especially where nfsd code is present or initialized. The CVE marks default status as unaffected except for the specified affected versions and related ranges.
Exploitation context
The provided sources do not show active exploitation, public exploit code, KEV listing, CVSS scoring, or a remote attack path. The described trigger depends on svc_proc_register() failure conditions during nfsd network namespace construction.
Researcher notes
The record is unusually narrow: it documents a missing error-path check and cleanup WARN, not a complete exploit scenario. Version data includes stable commits and affected kernel series; validate through vendor backport metadata rather than raw upstream version strings alone.
Mitigation direction
Apply Linux kernel updates containing the referenced stable fixes.
Use distribution vendor advisories to confirm backported kernel fixes.
Prioritize hosts that run or initialize nfsd services.
Monitor kernel logs for related WARN events until patched.
Validation and detection
Inventory Linux kernel versions against the CVE affected list.
Check whether nfsd is installed, built, enabled, or initialized.
Confirm patched packages include a referenced fix or vendor backport.
Review kernel logs for nfsd proc cleanup warnings.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2025-22026 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.