Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
Primary rating from NVD · only source for this CVE.
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
Description (NVD)
libnfs through 6.0.2 before 55c18ea does not validate a string size, leading to an integer overflow during a connection to a crafted NFS server. This occurs in libnfs_zdr_string in lib/libnfs-zdr.c.
Analysis (AI)
A malicious NFS server can trigger an integer overflow in the XDR string deserializer of libnfs through 6.0.2 when a victim client connects to it, leading to heap memory corruption on the client side. The flaw resides in libnfs_zdr_string in lib/libnfs-zdr.c, which did not validate that an attacker-controlled string size fit within the remaining buffer. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires the victim client to initiate an NFS connection (UI:R) to an attacker-controlled or compromised NFS server that returns a crafted XDR string whose length field is oversized and is processed by libnfs_zdr_string. The vulnerable code path is reached during normal protocol decoding, so no special libnfs build-time option is needed, but the target application must actually use libnfs (not the kernel NFS client) and must reach a server the attacker can influence: outbound TCP/UDP 2049 (or whichever port the rogue server advertises) must be permitted. … |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L scores 7.1 (High), but the real-world risk is meaningfully constrained: exploitation requires the victim to initiate an NFS connection (UI:R) to an attacker-controlled or compromised server, and AC:H signals that turning the overflow into controlled memory corruption involves non-trivial conditions. … |
| Exploit Scenario | An attacker stands up a rogue NFS server (or compromises a legitimate one) and lures or coerces a victim, for example a QEMU guest image loader, a backup job, or a media application linked against libnfs, into mounting or connecting to it. During the initial XDR exchange the server returns a string field with a maliciously large length, triggering the integer overflow in libnfs_zdr_string and corrupting client-side memory, which crashes the process or potentially achieves code execution in the libnfs-consuming application. … |
| Remediation | An upstream fix is available (commit 55c18ea33a83d667f79f0ef209c96895795c729f); a released patched version has not been independently confirmed, so rebuild libnfs from a tree that includes that commit or wait for a post-6.0.2 tagged release, and update bundled copies in dependent software such as QEMU. … |
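The flaw described in the analysis and the exploit scenario above (a string length the decoder trusted before checking it against the bytes actually received) is easiest to see with a small XDR string decoder. The following is an added example written for this page, not libnfs's own code: the `xdr_cursor` and `xdr_str` structs, the function names, and the four reply buffers are constructed for illustration, and the exact arithmetic inside libnfs_zdr_string is not reproduced here. The vulnerable variant rounds the untrusted length up to the 4-byte XDR boundary in 32-bit arithmetic and bounds-checks the rounded value; the hardened variant compares the raw length against the remaining buffer before doing any arithmetic on it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Cursor over a reply received from the server. Illustrative only; this is
 * not libnfs's ZDR state, just the same shape of problem. */
struct xdr_cursor {
    const uint8_t *data;
    uint32_t size;   /* bytes actually received */
    uint32_t pos;    /* next unread offset, always <= size */
};

/* Decoded string: pointer into the buffer plus the length the peer claimed. */
struct xdr_str {
    const uint8_t *ptr;
    uint32_t len;
};

static bool xdr_get_u32(struct xdr_cursor *x, uint32_t *out)
{
    if (x->size - x->pos < 4)
        return false;
    const uint8_t *p = x->data + x->pos;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    x->pos += 4;
    return true;
}

/* XDR string on the wire: u32 length, the bytes, then 0-3 pad bytes so the
 * field ends on a 4-byte boundary.
 *
 * Vulnerable pattern: round the untrusted length up in 32-bit arithmetic and
 * bounds-check the rounded value. Both additions below can wrap, and either
 * wrap lets a length billions of bytes larger than the buffer pass the check.
 * A caller that then copies out->len bytes overruns the heap. */
bool xdr_string_vulnerable(struct xdr_cursor *x, struct xdr_str *out)
{
    uint32_t len, padded;
    if (!xdr_get_u32(x, &len))
        return false;
    padded = (len + 3) & ~3u;          /* wraps to 0 for len >= 0xFFFFFFFD */
    if (x->pos + padded > x->size)     /* wraps for padded near UINT32_MAX */
        return false;
    out->ptr = x->data + x->pos;
    out->len = len;                    /* unvalidated length escapes */
    x->pos += padded;
    return true;
}

/* Hardened pattern: compare the raw length with the bytes remaining before
 * doing any arithmetic on it, then derive the pad without an overflow. */
bool xdr_string_hardened(struct xdr_cursor *x, struct xdr_str *out)
{
    uint32_t len, pad, remaining;
    if (!xdr_get_u32(x, &len))
        return false;
    remaining = x->size - x->pos;
    if (len > remaining)
        return false;                  /* cannot fit: reject before computing */
    pad = (4u - (len & 3u)) & 3u;      /* 0..3, no overflow possible */
    if (pad > remaining - len)
        return false;                  /* pad bytes missing: truncated reply */
    out->ptr = x->data + x->pos;
    out->len = len;
    x->pos += len + pad;               /* <= size by the two checks above */
    return true;
}

/* Constructed replies (not captured traffic). */
static const uint8_t good_reply[]  = { 0,0,0,5, 'h','e','l','l','o', 0,0,0 };
static const uint8_t big_reply[]   = { 0,0,0x10,0, 'A','B','C','D' };          /* len 4096 */
static const uint8_t wrap1_reply[] = { 0xFF,0xFF,0xFF,0xFF, 'A','B','C','D' }; /* len+3 wraps */
static const uint8_t wrap2_reply[] = { 0xFF,0xFF,0xFF,0xFC, 'A','B','C','D' }; /* pos+padded wraps */

/* Run one decoder over one reply: -1 if rejected, else the length handed back. */
int64_t decode_len(bool (*dec)(struct xdr_cursor *, struct xdr_str *),
                   const uint8_t *buf, uint32_t size)
{
    struct xdr_cursor x = { buf, size, 0 };
    struct xdr_str s = { NULL, 0 };
    return dec(&x, &s) ? (int64_t)s.len : -1;
}

int main(void)
{
    const uint8_t *replies[] = { good_reply, big_reply, wrap1_reply, wrap2_reply };
    const uint32_t sizes[]   = { sizeof good_reply, sizeof big_reply,
                                 sizeof wrap1_reply, sizeof wrap2_reply };
    const char *names[]      = { "good", "big", "wrap1", "wrap2" };
    for (int i = 0; i < 4; i++)
        printf("%-6s vulnerable=%lld hardened=%lld\n", names[i],
               (long long)decode_len(xdr_string_vulnerable, replies[i], sizes[i]),
               (long long)decode_len(xdr_string_hardened, replies[i], sizes[i]));
    return 0;
}
```

The ordinary oversized length (`big_reply`, 4096 bytes claimed in an 8-byte buffer) is caught by both decoders, which is why a naive check looks correct in testing; only the two lengths that wrap one of the additions slip past the vulnerable variant, which then reports a string of roughly 4 GiB sitting inside an 8-byte buffer. The decoder here returns a view rather than copying, so the demo runs safely; if a caller copied `out->len` bytes, the vulnerable path would crash immediately under AddressSanitizer.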
Recommended Action (AI)
Within 24 hours: Inventory all production and development systems running libnfs 6.0.2 or earlier; identify which have connectivity to external or less-trusted NFS servers; assess criticality of each system. …
EUVD-2026-36027
GHSA-379r-2p3h-m47v