CVE-2009-3726

Linux Kernel < 2.6.31 - Denial of Service via NFSv4 Server Response with Incorrect File Attributes

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-3726. PoCs published by Simon Vallet.

AI-analyzed exploit summary This PoC exploits a NULL-pointer dereference in the Linux kernel's NFSv4 implementation (nfs4_proc_lock) by executing a specific file lock operation, leading to a kernel panic (DoS). The exploit triggers the vulnerability by calling fcntl with F_SETLK on /proc/self/exe.

Description

The nfs4_proc_lock function in fs/nfs/nfs4proc.c in the NFSv4 client in the Linux kernel before 2.6.31-rc4 allows remote NFS servers to cause a denial of service (NULL pointer dereference and panic) by sending a certain response containing incorrect file attributes, which trigger attempted use of an open file that lacks NFSv4 state.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Simon Vallet · cdoslinux
https://www.exploit-db.com/exploits/10202

This PoC exploits a NULL-pointer dereference in the Linux kernel's NFSv4 implementation (nfs4_proc_lock) by executing a specific file lock operation, leading to a kernel panic (DoS). The exploit triggers the vulnerability by calling fcntl with F_SETLK on /proc/self/exe.

Classification
Working Poc 100%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: Linux kernel 2.6.18-164.2.1.el5 (NFSv4)
No auth needed
Prerequisites: NFSv4-mounted directory · ability to execute a binary on the target system
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (25)

Core 25
Core References
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=529227
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9734
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/usn-864-1
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/38794
Various Sources mailing-list x_refsource_mlist
http://lists.vmware.com/pipermail/security-announce/2010/000082.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/36936
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2009:329
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6636
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/37909
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2010-0474.html
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2009-1670.html
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2011:051
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/38834
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/40218
Various Sources mailing-list x_refsource_mlist
http://www.spinics.net/linux/lists/linux-nfs/msg03357.html
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2009/11/05/1
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2009/11/05/4
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2010/dsa-2005
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/0528

Scores

EPSS 0.1200
EPSS Percentile 95.6%

Details

CWE
CWE-399
Status published
Products (46)
linux/linux_kernel 2.2.27
linux/linux_kernel 2.4.1
linux/linux_kernel 2.4.2
linux/linux_kernel 2.4.3
linux/linux_kernel 2.4.4
linux/linux_kernel 2.4.5
linux/linux_kernel 2.4.6
linux/linux_kernel 2.4.7
linux/linux_kernel 2.4.8
linux/linux_kernel 2.4.9
... and 36 more
Published Nov 09, 2009
Tracked Since Feb 18, 2026