Skip to main content

Linux Kernel NFS CVE-2026-43470

| EUVDEUVD-2026-28776 MEDIUM
2026-05-08 Linux GHSA-jprv-4f6g-4wvm
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 21, 2026 - 14:08 vuln.today
CVSS changed
May 21, 2026 - 14:07 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:22 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

nfs: return EISDIR on nfs3_proc_create if d_alias is a dir

If we found an alias through nfs3_do_create/nfs_add_or_obtain /d_splice_alias which happens to be a dir dentry, we don't return any error, and simply forget about this alias, but the original dentry we were adding and passed as parameter remains negative.

This later causes an oops on nfs_atomic_open_v23/finish_open since we supply a negative dentry to do_dentry_open.

This has been observed running lustre-racer, where dirs and files are created/removed concurrently with the same name and O_EXCL is not used to open files (frequent file redirection).

While d_splice_alias typically returns a directory alias or NULL, we explicitly check d_is_dir() to ensure that we don't attempt to perform file operations (like finish_open) on a directory inode, which triggers the observed oops.

AnalysisAI

Kernel oops in the Linux NFSv3 client's create path exposes systems to local denial of service when concurrent directory and file creation races produce a directory alias via d_splice_alias. The affected code in nfs3_proc_create silently discards the alias without returning an error, leaving the original dentry in a negative (unresolved) state; a subsequent call from nfs_atomic_open_v23/finish_open passes this negative dentry to do_dentry_open, triggering the oops. No public exploit identified at time of analysis, and EPSS at 0.02% (5th percentile) signals very low probability of exploitation in the wild.

Technical ContextAI

The vulnerability resides in the NFS (Network File System) client subsystem of the Linux kernel, specifically in nfs3_proc_create and the call chain through nfs3_do_create → nfs_add_or_obtain → d_splice_alias. The function d_splice_alias is designed to return either a directory alias dentry or NULL; when it returns a directory alias, the pre-fix code failed to detect this condition and returned without propagating an error. This left the caller's original dentry pointer in a 'negative' state - meaning it has no associated inode. The subsequent open path in nfs_atomic_open_v23 passes this negative dentry to finish_open and ultimately do_dentry_open, which does not handle negative dentries gracefully and produces a kernel oops (effectively a NULL dereference or invalid inode access). The fix introduces an explicit d_is_dir() check after d_splice_alias to detect directory aliases and return EISDIR, preventing file operations from proceeding on a directory inode. No CWE is formally assigned; the closest classifications are CWE-476 (NULL Pointer Dereference) and CWE-755 (Improper Handling of Exceptional Conditions). CPE: cpe:2.3:a:linux:linux.

RemediationAI

Upgrade the Linux kernel to a fixed version: 6.12.78, 6.18.19, 6.19.9, or 7.0, as confirmed by EUVD version data and the upstream fix commits at https://git.kernel.org/stable/c/7e2963773760a664684435201960dd2fb712f1b5 and the three related stable-tree commits. Distribution maintainers typically backport these fixes to their kernel packages; verify with your vendor's security advisory channel. Where immediate patching is not feasible, restrict local user write access to NFS-mounted filesystems to prevent the concurrent create/remove race from being triggered; note that this may impact legitimate workloads requiring shared NFS write access. Additionally, enforcing O_EXCL on file creation in application code operating over NFS can prevent the specific dentry race condition, though this is an application-level control and does not fix the kernel bug. Enterprise environments with kpatch or kGraft live-patching infrastructure may be able to apply the fix without a reboot.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43470 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy