CVE-2022-49927: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-49927 is a vulnerability discovered in the Linux kernel's NFS4 (Network File System version 4) implementation, disclosed in May 2025. The vulnerability affects various Linux kernel versions from 5.5 up to versions before 5.10.154, from 5.11 up to versions before 5.15.78, and from 5.16 onwards (NVD Database).

The vulnerability occurs in the NFS4 slot allocation mechanism when one of the slot allocations fails. The system does not properly clean up other allocated slots, resulting in memory leaks of unreferenced objects of size 64 bytes in the mount.nfs process. The issue manifests in the nfs4findorcreateslot and nfs4reallocslot_table functions. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (MEDIUM) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD Database, Wiz Database).

The primary impact of this vulnerability is a memory leak in the Linux kernel's NFS4 implementation. When triggered, the system gradually loses available memory due to unreferenced objects remaining allocated but unused, which can potentially lead to system resource exhaustion over time (Wiz Database).

The vulnerability has been patched in various Linux distributions. Debian has fixed the issue in multiple versions: bullseye (5.10.234-1), bookworm (6.1.135-1), trixie (6.12.25-1), and sid (6.12.27-1). Ubuntu has also addressed this vulnerability in their security updates (Debian Tracker).