CVE-2026-53689: libnfs through 6
libnfs through 6.0.2 before 55c18ea does not validate a string size, leading to an integer overflow during a connection to a crafted NFS server. This occurs in libnfs_zdr_string in lib/libnfs-zdr.c.
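The bug class described above, as an added illustration that is not code from libnfs or from this page: an XDR string decoder (RFC 4506 layout) whose naive 32-bit bounds check wraps on a hostile length, beside an overflow-safe check. The `cursor` struct and all function names are hypothetical, and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical decode cursor; not libnfs's ZDR struct. */
struct cursor { const uint8_t *buf; uint32_t size; uint32_t pos; };

/* Unsafe pattern: pos + len is computed in 32 bits and can wrap. */
int naive_bounds_ok(const struct cursor *c, uint32_t len) {
    return (uint32_t)(c->pos + len) <= c->size;
}

/* Overflow-safe: compare against the bytes that remain; never add. */
int checked_bounds_ok(const struct cursor *c, uint32_t len, uint32_t maxsize) {
    uint32_t remaining = c->size - c->pos;       /* invariant: pos <= size */
    if (len > maxsize || len > remaining) return 0;
    uint32_t pad = (4 - (len & 3)) & 3;          /* XDR pads data to 4 bytes */
    return pad <= remaining - len;
}

/* Decode one XDR string: 4-byte big-endian length, data, padding.
 * Returns a malloc'd NUL-terminated copy, or NULL on any invalid length. */
char *decode_string(struct cursor *c, uint32_t maxsize) {
    if (c->pos > c->size || c->size - c->pos < 4) return NULL;
    const uint8_t *p = c->buf + c->pos;
    uint32_t len = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                   ((uint32_t)p[2] << 8) | p[3];
    c->pos += 4;
    if (!checked_bounds_ok(c, len, maxsize)) return NULL;
    char *s = malloc((size_t)len + 1);           /* len <= remaining, so no wrap */
    if (!s) return NULL;
    memcpy(s, c->buf + c->pos, len);
    s[len] = '\0';
    c->pos += len + ((4 - (len & 3)) & 3);
    return s;
}

int main(void) {
    /* Constructed sample: a reply claiming a 0xFFFFFFFF-byte string. */
    static const uint8_t hostile[] = {0xff, 0xff, 0xff, 0xff, 'a', 'b', 'c', 'd'};
    struct cursor c = {hostile, sizeof hostile, 0};
    char *s = decode_string(&c, 1024);
    printf("hostile length -> %s\n", s ? "accepted" : "rejected");
    free(s);
    return 0;
}
```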
Metrics
- CVSS v3.1: 7.1
- Severity: HIGH
- Fixed in: 55c18ea33a83d667f79f0ef209c96895795c729f
- Affected Products: 1
HarborGuard Analysis
Synopsis
An integer overflow vulnerability in libnfs through version 6.0.2 allows a crafted NFS server to trigger memory corruption during a client connection. The flaw is reachable over the network, requires no authentication, but does require the victim to initiate a connection to a malicious server. Successful exploitation gives an attacker the ability to read or modify sensitive data in the connecting process. A patched-image rebuild at commit 55c18ea is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle libnfs. No manual scan configuration is needed to pick up this match.
HarborGuard scores this issue at CVSS 7.1 HIGH using the published v3.1 vector and can weight that score further against each environment's compliance policy, routing alerts to the appropriate team inbox within each customer organization.
A patched-image rebuild pinned to commit 55c18ea33a83d667f79f0ef209c96895795c729f is available on HarborGuard for any image found to carry an affected version of libnfs. For customers who opt into auto-remediation, HarborGuard will rebuild the image, run a regression test, and open a PR against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The vulnerable code path is reached when the client connects to a remote NFS server, so the attacker must be able to present a reachable, crafted server over the network.
- Authentication: Not required
No credentials are needed; the overflow occurs during the initial connection handshake before any authentication exchange.
- Victim interaction: Required
A user or process on the target host must initiate a connection to the attacker-controlled NFS server, making this a social-engineering or configuration-manipulation vector.
- Attack complexity: Detail
Exploitation is rated AC:H, meaning the attacker depends on environmental factors outside their direct control, such as memory layout or timing, to reliably trigger the overflow.
Blast Radius
- An attacker who triggers the overflow can read memory from the connecting process, exposing secrets, tokens, or file data held in that process.
- The same memory corruption can allow the attacker to overwrite in-process data structures, tampering with file content or application state in the connecting client.
- Availability impact is rated low, meaning the connecting process may crash or become unstable, though a full denial of service is not guaranteed.
How HarborGuard Handles This
Available on HarborGuard: any image containing libnfs at a commit prior to 55c18ea33a83d667f79f0ef209c96895795c729f is flagged as affected and a rebuilt image at the patched commit is made available. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image, executes a regression run, and opens a PR against affected workloads; for HIGH severity issues, the median time from CVE publication to a merged patch PR in auto-remediation-enabled environments is around 90 minutes. For environments where auto-remediation is not enabled, the finding is surfaced in the dashboard with the fix commit cited so engineering teams can act directly. Because the attack requires a client to connect to a hostile NFS server, network policy rules that restrict outbound NFS traffic (TCP and UDP port 2049) to known, trusted server addresses serve as an effective compensating control until the rebuild is applied.
Fix available
- sahlberg / libnfs < 55c18ea33a83d667f79f0ef209c96895795c729f (from 0)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L