Skip to main content

Linux Kernel CVE-2026-31437

| EUVDEUVD-2026-24762 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Analysis Generated
May 20, 2026 - 00:30 vuln.today
CVSS changed
May 19, 2026 - 22:22 NVD
5.5 (MEDIUM)
Patch released
Apr 23, 2026 - 16:17 nvd
Patch available
Patch available
Apr 22, 2026 - 16:02 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24762
CVE Published
Apr 22, 2026 - 14:16 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

netfs: Fix NULL pointer dereference in netfs_unbuffered_write() on retry

When a write subrequest is marked NETFS_SREQ_NEED_RETRY, the retry path in netfs_unbuffered_write() unconditionally calls stream->prepare_write() without checking if it is NULL.

Filesystems such as 9P do not set the prepare_write operation, so stream->prepare_write remains NULL. When get_user_pages() fails with -EFAULT and the subrequest is flagged for retry, this results in a NULL pointer dereference at fs/netfs/direct_write.c:189.

Fix this by mirroring the pattern already used in write_retry.c: if stream->prepare_write is NULL, skip renegotiation and directly reissue the subrequest via netfs_reissue_write(), which handles iterator reset, IN_PROGRESS flag, stats update and reissue internally.

AnalysisAI

NULL pointer dereference in the Linux kernel's netfs subsystem crashes the kernel when retrying unbuffered writes on filesystems that omit the prepare_write stream operation, such as 9P. A local low-privilege user who can write to such a mounted filesystem and induce a get_user_pages() -EFAULT failure can trigger a kernel panic, causing a denial of service. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (4th percentile) reflects negligible observed exploitation probability; the vulnerability is not listed in CISA KEV.

Technical ContextAI

The affected code lives in the Linux kernel's netfs layer at fs/netfs/direct_write.c:189. The netfs subsystem provides a unified I/O framework for network-attached filesystems (e.g., NFS, 9P, Ceph). Filesystems are not required to implement the prepare_write stream operation; the 9P filesystem is explicitly cited as leaving stream->prepare_write NULL. In the retry path of netfs_unbuffered_write(), when a subrequest is flagged NETFS_SREQ_NEED_RETRY after a get_user_pages() -EFAULT, the code unconditionally calls stream->prepare_write() without a NULL guard - a pattern already correctly guarded in write_retry.c but missing here. The root cause class is CWE-476 (NULL Pointer Dereference). Affected CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*.

RemediationAI

Vendor-released patch is available via the upstream Linux stable tree. Apply the fix commits: 7a5482f5ce891decbf36f2e6fab1e9fc4a76a684 (https://git.kernel.org/stable/c/7a5482f5ce891decbf36f2e6fab1e9fc4a76a684), a4d1b4ba9754bac3efebd06f583a44a7af52c0ab (https://git.kernel.org/stable/c/a4d1b4ba9754bac3efebd06f583a44a7af52c0ab), and e9075e420a1eb3b52c60f3b95893a55e77419ce8 (https://git.kernel.org/stable/c/e9075e420a1eb3b52c60f3b95893a55e77419ce8), or upgrade to Linux 6.18.21 or Linux 6.19.11 or later. As a compensating control where patching is not immediately feasible, unmounting or prohibiting 9P (v9fs) filesystem mounts eliminates the specific trigger path - this can be enforced via mount policy or by removing the v9fs kernel module (modprobe -r 9p) on systems that do not require it, with the trade-off of breaking host-guest file sharing in QEMU/KVM or WSL2 environments that depend on virtio-9p or Plan 9. Kernel updates require a system reboot.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31437 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy