Skip to main content

Linux Kernel CVE-2026-31438

| EUVDEUVD-2026-24764 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
4.7 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Analysis Generated
May 20, 2026 - 00:30 vuln.today
CVSS changed
May 19, 2026 - 22:22 NVD
5.5 (MEDIUM)
Patch released
Apr 23, 2026 - 16:17 nvd
Patch available
Patch available
Apr 22, 2026 - 16:02 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24764
CVE Published
Apr 22, 2026 - 14:16 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

netfs: Fix kernel BUG in netfs_limit_iter() for ITER_KVEC iterators

When a process crashes and the kernel writes a core dump to a 9P filesystem, __kernel_write() creates an ITER_KVEC iterator. This iterator reaches netfs_limit_iter() via netfs_unbuffered_write(), which only handles ITER_FOLIOQ, ITER_BVEC and ITER_XARRAY iterator types, hitting the BUG() for any other type.

Fix this by adding netfs_limit_kvec() following the same pattern as netfs_limit_bvec(), since both kvec and bvec are simple segment arrays with pointer and length fields. Dispatch it from netfs_limit_iter() when the iterator type is ITER_KVEC.

AnalysisAI

Kernel panic in the Linux netfs subsystem's netfs_limit_iter() function crashes systems when a process writes a core dump to a 9P-mounted filesystem. The function handles only ITER_FOLIOQ, ITER_BVEC, and ITER_XARRAY iterator types, triggering a hard BUG() when __kernel_write() supplies an ITER_KVEC iterator via netfs_unbuffered_write(), producing a local denial of service via kernel panic. No public exploit code exists and no active exploitation has been identified; this is a no public exploit identified at time of analysis scenario with EPSS at 0.02% (5th percentile), indicating minimal widespread exploitation interest.

Technical ContextAI

The netfs (Network Filesystem) abstraction layer in the Linux kernel provides a unified write path used by 9P and other network-backed filesystems. netfs_unbuffered_write() calls netfs_limit_iter() to constrain iterator data to a given size. The function contained a switch/dispatch that handled ITER_FOLIOQ, ITER_BVEC, and ITER_XARRAY but fell through to an unconditional BUG() macro for all other iterator types. When the kernel's core dump handler invokes __kernel_write() against a 9P-mounted path, it constructs an ITER_KVEC iterator - a simple segment array of (pointer, length) pairs structurally identical to ITER_BVEC - for which no handler existed. CWE-476 (NULL Pointer Dereference) is the assigned weakness class, though the root cause is more precisely an unhandled code path triggering BUG(); the two signals are consistent with a missing-case assertion failure that crashes the kernel. Affected CPEs confirm all Linux kernel versions including release candidates for 7.0 (RC1 through RC6) prior to the upstream fix commits.

RemediationAI

The primary fix is to upgrade to a patched Linux kernel version: 6.12.80, 6.18.21, 6.19.11, or 7.0, as confirmed by EUVD affected-versions data. The upstream fix commits are available at https://git.kernel.org/stable/c/00d6df7115f6972370974212de9088087820802e, https://git.kernel.org/stable/c/18c2e20b42dd21db599e42d05ddaeeb647b2bb6d, https://git.kernel.org/stable/c/4bc2d72c7695cedf6d4e1a558924903c2b28a78e, and https://git.kernel.org/stable/c/67e467a11f62ff64ad219dc6aa5459e132c79d14, targeting different stable series. For systems that cannot be patched immediately, a compensating control is to redirect core dump output away from 9P-mounted filesystems by modifying /proc/sys/kernel/core_pattern to write to a local ext4/xfs path instead - this eliminates the trigger path with no functional trade-off for most workloads. Alternatively, disabling core dumps entirely via ulimit -c 0 or systemd's DefaultLimitCORE=0 removes the trigger at the cost of losing crash diagnostics. Distribution-specific kernel updates from Red Hat, Ubuntu, SUSE, and Debian should be monitored for SLA-bound delivery of these backports.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31438 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy