Skip to main content

Linux EUVDEUVD-2026-18786

| CVE-2026-31402 CRITICAL
Out-of-bounds Write (CWE-787)
2026-04-03 Linux GHSA-7xf5-3qmr-j4c6
9.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative
Red Hat
7.8 HIGH
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 27, 2026 - 14:22 vuln.today
cvss_changed
CVSS changed
Apr 27, 2026 - 14:22 NVD
9.8 (CRITICAL)
Patch available
Apr 16, 2026 - 05:29 EUVD
8afb437ea1f70cacb4bbdf11771fb5c4d720b965,5133b61aaf437e5f25b1b396b14242a6bb0508e2,0f0e2a54a31a7f9ad2915db99156114872317388
EUVD ID Assigned
Apr 03, 2026 - 15:30 euvd
EUVD-2026-18786
Analysis Generated
Apr 03, 2026 - 15:30 vuln.today
CVE Published
Apr 03, 2026 - 15:16 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

nfsd: fix heap overflow in NFSv4.0 LOCK replay cache

The NFSv4.0 replay cache uses a fixed 112-byte inline buffer (rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses. This size was calculated based on OPEN responses and does not account for LOCK denied responses, which include the conflicting lock owner as a variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT).

When a LOCK operation is denied due to a conflict with an existing lock that has a large owner, nfsd4_encode_operation() copies the full encoded response into the undersized replay buffer via read_bytes_from_xdr_buf() with no bounds check. This results in a slab-out-of-bounds write of up to 944 bytes past the end of the buffer, corrupting adjacent heap memory.

This can be triggered remotely by an unauthenticated attacker with two cooperating NFSv4.0 clients: one sets a lock with a large owner string, then the other requests a conflicting lock to provoke the denial.

We could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full opaque, but that would increase the size of every stateowner, when most lockowners are not that large.

Instead, fix this by checking the encoded response length against NFSD4_REPLAY_ISIZE before copying into the replay buffer. If the response is too large, set rp_buflen to 0 to skip caching the replay payload. The status is still cached, and the client already received the correct response on the original request.

AnalysisAI

Heap overflow in Linux kernel NFSv4.0 LOCK replay cache allows unauthenticated remote attackers to corrupt kernel memory by triggering a denial-of-service or potential code execution. The vulnerability exists in nfsd4_encode_operation() which copies encoded LOCK responses up to 1024 bytes into a fixed 112-byte inline buffer without bounds checking, resulting in up to 944 bytes of slab-out-of-bounds writes. Exploitation requires two cooperating NFSv4.0 clients but no special privileges; upstream fixes are available across multiple stable kernel branches.

Technical ContextAI

The Linux kernel NFSv4.0 server implementation maintains a replay cache (rp_ibuf) to store encoded responses for idempotency. The replay buffer was sized at NFSD4_REPLAY_ISIZE (112 bytes) based on typical OPEN response sizes. However, LOCK denied responses include a variable-length conflicting lock owner field that can reach NFS4_OPAQUE_LIMIT (1024 bytes). The vulnerability is a classic heap buffer overflow (CWE-122 / CWE-131) where nfsd4_encode_operation() calls read_bytes_from_xdr_buf() to copy the full encoded response without verifying it fits within rp_ibuf. This affects all Linux kernel versions with NFSv4.0 server support (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*). The fix implemented across stable branches adds a length check before copying, setting rp_buflen to 0 to skip replay caching when the response exceeds the buffer size while still caching the status.

RemediationAI

Apply the upstream kernel fix by upgrading to a patched stable kernel version containing one of the six referenced commits. Check your distribution's kernel advisory for the specific stable version incorporating the fix-most major distributions released patched kernels across their supported branches following upstream integration. Users unable to immediately upgrade should disable NFSv4.0 server support by setting CONFIG_NFSD_V4=n during kernel compilation, or restrict NFSv4.0 client connections via firewall/network policies to prevent trigger conditions (specifically blocking NFS clients from setting locks with large owner strings exceeding practical limits). Monitor your distribution's security advisories at https://git.kernel.org/stable/ for stable kernel releases incorporating the heap buffer overflow fix.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-18786 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy