Skip to main content

Linux Kernel EUVDEUVD-2026-24758

| CVE-2026-31435 HIGH
Out-of-bounds Read (CWE-125)
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-qfvq-ggc7-jqgw
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
Apr 27, 2026 - 14:25 vuln.today
CVSS changed
Apr 27, 2026 - 14:22 NVD
8.8 (HIGH)
Patch released
Apr 27, 2026 - 14:16 nvd
Patch available
Patch available
Apr 22, 2026 - 16:02 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24758
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
HIGH 8.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

netfs: Fix read abandonment during retry

Under certain circumstances, all the remaining subrequests from a read request will get abandoned during retry. The abandonment process expects the 'subreq' variable to be set to the place to start abandonment from, but it doesn't always have a useful value (it will be uninitialised on the first pass through the loop and it may point to a deleted subrequest on later passes).

Fix the first jump to "abandon:" to set subreq to the start of the first subrequest expected to need retry (which, in this abandonment case, turned out unexpectedly to no longer have NEED_RETRY set).

Also clear the subreq pointer after discarding superfluous retryable subrequests to cause an oops if we do try to access it.

AnalysisAI

Read retry logic in the Linux kernel's netfs subsystem can incorrectly abandon all remaining subrequests due to an uninitialized or invalid pointer, potentially exposing unintended memory contents or causing denial of service through kernel crashes. Affects Linux kernel 6.12 through early 6.19 and 7.0 development branches. Vendor patches available for 6.18.21, 6.19.11, and mainline 7.0. EPSS score of 0.02% (4th percentile) indicates low real-world exploitation probability. Not listed in CISA KEV. CVSS 8.8 reflects network attack vector with user interaction required.

Technical ContextAI

The vulnerability resides in the Linux kernel's netfs (network filesystem) layer, specifically in the read retry path handling. When a read operation needs to be retried (e.g., due to transient network errors or resource contention), the code iterates through subrequests and may jump to an abandonment routine. The bug stems from improper pointer management: the 'subreq' variable that marks where to begin abandoning subrequests can be uninitialized on first loop iteration or point to already-deleted memory on subsequent passes. This leads to undefined behavior including premature abandonment of valid pending subrequests, potential use-after-free conditions, or kernel oopses. The netfs layer is used by modern network filesystems like CIFS/SMB, NFS with fscache, and Ceph. The fix involves setting subreq to the correct starting point before abandonment and explicitly clearing the pointer after freeing resources to fail fast on invalid access attempts. Git commits 7e57523490cd, 8f2f2bd128a8, and 3e5fd8f53b57 implement the fix across stable branches.

RemediationAI

Upgrade to patched kernel versions: 6.18.21 or later for 6.18.x series, 6.19.11 or later for 6.19.x series, or 7.0 stable release for mainline users. Patches available from kernel.org stable tree at commits 7e57523490cd (6.18), 8f2f2bd128a8 (6.19), and 3e5fd8f53b57 (7.0). If immediate patching is not feasible, temporarily disable or restrict use of netfs-backed filesystems (unmount CIFS/SMB shares, disable NFS fscache via '-o fsc' removal, avoid CephFS mounts) to eliminate the attack surface, though this impacts legitimate network filesystem functionality and may disrupt workflows dependent on remote file access. For environments requiring continued netfs use, restrict network filesystem mounts to trusted servers only and implement network segmentation to prevent user-controlled filesystem sources. Monitor kernel logs for netfs-related oopses or abandonment messages as potential exploitation indicators. Note that disabling netfs functionality breaks legitimate distributed storage use cases and is only viable as short-term mitigation.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-24758 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy