CVE-2024-26629: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: nfsd: fix RELEASE_LOCKOWNER The test on so_count in nfsd4_release_lockowner() is nonsense and harmful. Revert to using check_for_locks(), changing that to not sleep. First: harmful. As is documented in the kdoc comment for nfsd4_release_lockowner(), the test on so_count can transiently return a false positive resulting in a return of NFS4ERR_LOCKS_HELD when in fact no locks are held. This is clearly a protocol violation and with the Linux NFS client it can cause incorrect behaviour. If RELEASE_LOCKOWNER is sent while some other thread is still processing a LOCK request which failed because, at the time that request was received, the given owner held a conflicting lock, then the nfsd thread processing that LOCK request can hold a reference (conflock) to the lock owner that causes nfsd4_release_lockowner() to return an incorrect error. The Linux NFS client ignores that NFS4ERR_LOCKS_HELD error because it never sends NFS4_RELEASE_LOCKOWNER without first releasing any locks, so it knows that the error is impossible. It assumes the lock owner was in fact released so it feels free to use the same lock owner identifier in some later locking request. When it does reuse a lock owner identifier for which a previous RELEASE failed, it will naturally use a lock_seqid of zero. However the server, which didn't release the lock owner, will expect a larger lock_seqid and so will respond with NFS4ERR_BAD_SEQID. So clearly it is harmful to allow a false positive, which testing so_count allows. The test is nonsense because ... well... it doesn't mean anything. so_count is the sum of three different counts. 1/ the set of states listed on so_stateids 2/ the set of active vfs locks owned by any of those states 3/ various transient counts such as for conflicting locks. When it is tested against '2' it is clear that one of these is the transient reference obtained by find_lockowner_str_locked(). It is not clear what the other one is expected to be. In practice, the count is often 2 because there is precisely one state on so_stateids. If there were more, this would fail. In my testing I see two circumstances when RELEASE_LOCKOWNER is called. In one case, CLOSE is called before RELEASE_LOCKOWNER. That results in all the lock states being removed, and so the lockowner being discarded (it is removed when there are no more references which usually happens when the lock state is discarded). When nfsd4_release_lockowner() finds that the lock owner doesn't exist, it returns success. The other case shows an so_count of '2' and precisely one state listed in so_stateid. It appears that the Linux client uses a separate lock owner for each file resulting in one lock state per lock owner, so this test on '2' is safe. For another client it might not be safe. So this patch changes check_for_locks() to use the (newish) find_any_file_locked() so that it doesn't take a reference on the nfs4_file and so never calls nfsd_file_put(), and so never sleeps. With this check is it safe to restore the use of check_for_locks() rather than testing so_count against the mysterious '2'.
AI Analysis
Technical Summary
CVE-2024-26629 is a vulnerability in the Linux kernel's NFS server daemon (nfsd) related to the handling of lock owners in NFSv4. Specifically, the issue arises in the function nfsd4_release_lockowner(), which incorrectly tests the so_count variable to determine if locks are held. The so_count test can transiently return a false positive, causing the function to return the NFS4ERR_LOCKS_HELD error even when no locks are actually held. This behavior violates the NFS protocol and leads to incorrect client-server interactions. The Linux NFS client ignores this error because it never sends RELEASE_LOCKOWNER requests without first releasing all locks, assuming the lock owner was released. However, if the server fails to release the lock owner due to this false positive, the client may reuse the same lock owner identifier with a lock_seqid of zero, which the server rejects with NFS4ERR_BAD_SEQID. The root cause is that so_count aggregates multiple counts, including transient references, making the test unreliable. The patch reverts to using check_for_locks(), modified to use find_any_file_locked() which avoids sleeping and reference count issues, ensuring accurate detection of held locks without false positives. This fix restores correct protocol behavior and prevents erroneous error returns and subsequent client-server lock sequence mismatches. The vulnerability affects multiple Linux kernel versions as listed, and no known exploits are reported in the wild as of publication.
Potential Impact
For European organizations relying on Linux-based NFS servers, this vulnerability can cause incorrect lock management behavior leading to protocol violations and potential service disruptions. Applications depending on NFSv4 for file locking may experience unexpected errors such as NFS4ERR_LOCKS_HELD or NFS4ERR_BAD_SEQID, resulting in failed or delayed file operations. This can degrade performance, cause application errors, or lead to data access issues in environments with heavy NFS lock usage, such as enterprise file sharing, virtualization, or clustered storage systems. While this vulnerability does not directly enable remote code execution or privilege escalation, the resulting instability and protocol errors can impact availability and reliability of critical file services. Organizations with automated systems or workflows dependent on NFS locking semantics may face operational disruptions. Given the widespread use of Linux servers in European data centers and enterprises, especially in sectors like finance, manufacturing, and public administration, the impact could be significant if unpatched. However, the absence of known exploits and the requirement for specific NFSv4 lock owner interactions reduce the immediate risk of widespread exploitation.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernel versions to include the patch that fixes CVE-2024-26629. Specifically, they should apply the kernel updates from their Linux distribution vendors that incorporate the corrected nfsd4_release_lockowner() logic using the improved check_for_locks() method. For environments where immediate patching is not feasible, administrators should audit NFSv4 lock usage patterns and monitor for unusual NFS4ERR_LOCKS_HELD or NFS4ERR_BAD_SEQID errors in logs, which may indicate the presence of this issue. It is advisable to test critical applications for NFS locking behavior under current kernel versions to identify potential disruptions. Additionally, organizations should ensure that their NFS clients and servers are configured to handle lock owner identifiers correctly and avoid reuse patterns that could trigger the error. Network segmentation and limiting NFS access to trusted clients can reduce exposure. Finally, maintain regular backups and implement robust monitoring of NFS server health and performance to quickly detect and respond to any anomalies related to lock management.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
CVE-2024-26629: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: nfsd: fix RELEASE_LOCKOWNER The test on so_count in nfsd4_release_lockowner() is nonsense and harmful. Revert to using check_for_locks(), changing that to not sleep. First: harmful. As is documented in the kdoc comment for nfsd4_release_lockowner(), the test on so_count can transiently return a false positive resulting in a return of NFS4ERR_LOCKS_HELD when in fact no locks are held. This is clearly a protocol violation and with the Linux NFS client it can cause incorrect behaviour. If RELEASE_LOCKOWNER is sent while some other thread is still processing a LOCK request which failed because, at the time that request was received, the given owner held a conflicting lock, then the nfsd thread processing that LOCK request can hold a reference (conflock) to the lock owner that causes nfsd4_release_lockowner() to return an incorrect error. The Linux NFS client ignores that NFS4ERR_LOCKS_HELD error because it never sends NFS4_RELEASE_LOCKOWNER without first releasing any locks, so it knows that the error is impossible. It assumes the lock owner was in fact released so it feels free to use the same lock owner identifier in some later locking request. When it does reuse a lock owner identifier for which a previous RELEASE failed, it will naturally use a lock_seqid of zero. However the server, which didn't release the lock owner, will expect a larger lock_seqid and so will respond with NFS4ERR_BAD_SEQID. So clearly it is harmful to allow a false positive, which testing so_count allows. The test is nonsense because ... well... it doesn't mean anything. so_count is the sum of three different counts. 1/ the set of states listed on so_stateids 2/ the set of active vfs locks owned by any of those states 3/ various transient counts such as for conflicting locks. When it is tested against '2' it is clear that one of these is the transient reference obtained by find_lockowner_str_locked(). It is not clear what the other one is expected to be. In practice, the count is often 2 because there is precisely one state on so_stateids. If there were more, this would fail. In my testing I see two circumstances when RELEASE_LOCKOWNER is called. In one case, CLOSE is called before RELEASE_LOCKOWNER. That results in all the lock states being removed, and so the lockowner being discarded (it is removed when there are no more references which usually happens when the lock state is discarded). When nfsd4_release_lockowner() finds that the lock owner doesn't exist, it returns success. The other case shows an so_count of '2' and precisely one state listed in so_stateid. It appears that the Linux client uses a separate lock owner for each file resulting in one lock state per lock owner, so this test on '2' is safe. For another client it might not be safe. So this patch changes check_for_locks() to use the (newish) find_any_file_locked() so that it doesn't take a reference on the nfs4_file and so never calls nfsd_file_put(), and so never sleeps. With this check is it safe to restore the use of check_for_locks() rather than testing so_count against the mysterious '2'.
AI-Powered Analysis
Technical Analysis
CVE-2024-26629 is a vulnerability in the Linux kernel's NFS server daemon (nfsd) related to the handling of lock owners in NFSv4. Specifically, the issue arises in the function nfsd4_release_lockowner(), which incorrectly tests the so_count variable to determine if locks are held. The so_count test can transiently return a false positive, causing the function to return the NFS4ERR_LOCKS_HELD error even when no locks are actually held. This behavior violates the NFS protocol and leads to incorrect client-server interactions. The Linux NFS client ignores this error because it never sends RELEASE_LOCKOWNER requests without first releasing all locks, assuming the lock owner was released. However, if the server fails to release the lock owner due to this false positive, the client may reuse the same lock owner identifier with a lock_seqid of zero, which the server rejects with NFS4ERR_BAD_SEQID. The root cause is that so_count aggregates multiple counts, including transient references, making the test unreliable. The patch reverts to using check_for_locks(), modified to use find_any_file_locked() which avoids sleeping and reference count issues, ensuring accurate detection of held locks without false positives. This fix restores correct protocol behavior and prevents erroneous error returns and subsequent client-server lock sequence mismatches. The vulnerability affects multiple Linux kernel versions as listed, and no known exploits are reported in the wild as of publication.
Potential Impact
For European organizations relying on Linux-based NFS servers, this vulnerability can cause incorrect lock management behavior leading to protocol violations and potential service disruptions. Applications depending on NFSv4 for file locking may experience unexpected errors such as NFS4ERR_LOCKS_HELD or NFS4ERR_BAD_SEQID, resulting in failed or delayed file operations. This can degrade performance, cause application errors, or lead to data access issues in environments with heavy NFS lock usage, such as enterprise file sharing, virtualization, or clustered storage systems. While this vulnerability does not directly enable remote code execution or privilege escalation, the resulting instability and protocol errors can impact availability and reliability of critical file services. Organizations with automated systems or workflows dependent on NFS locking semantics may face operational disruptions. Given the widespread use of Linux servers in European data centers and enterprises, especially in sectors like finance, manufacturing, and public administration, the impact could be significant if unpatched. However, the absence of known exploits and the requirement for specific NFSv4 lock owner interactions reduce the immediate risk of widespread exploitation.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernel versions to include the patch that fixes CVE-2024-26629. Specifically, they should apply the kernel updates from their Linux distribution vendors that incorporate the corrected nfsd4_release_lockowner() logic using the improved check_for_locks() method. For environments where immediate patching is not feasible, administrators should audit NFSv4 lock usage patterns and monitor for unusual NFS4ERR_LOCKS_HELD or NFS4ERR_BAD_SEQID errors in logs, which may indicate the presence of this issue. It is advisable to test critical applications for NFS locking behavior under current kernel versions to identify potential disruptions. Additionally, organizations should ensure that their NFS clients and servers are configured to handle lock owner identifiers correctly and avoid reuse patterns that could trigger the error. Network segmentation and limiting NFS access to trusted clients can reduce exposure. Finally, maintain regular backups and implement robust monitoring of NFS server health and performance to quickly detect and respond to any anomalies related to lock management.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-02-19T14:20:24.135Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9821c4522896dcbdd9ed
Added to database: 5/21/2025, 9:08:49 AM
Last enriched: 6/28/2025, 2:24:37 AM
Last updated: 8/16/2025, 3:35:11 AM
Views: 12
Related Threats
CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server
HighCVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumCVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.