Description
In the Linux kernel, the following vulnerability has been resolved:

nfsd: fix heap overflow in NFSv4.0 LOCK replay cache

The NFSv4.0 replay cache uses a fixed 112-byte inline buffer
(rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses.
This size was calculated based on OPEN responses and does not account
for LOCK denied responses, which include the conflicting lock owner as
a variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT).

When a LOCK operation is denied due to a conflict with an existing lock
that has a large owner, nfsd4_encode_operation() copies the full encoded
response into the undersized replay buffer via read_bytes_from_xdr_buf()
with no bounds check. This results in a slab-out-of-bounds write of up
to 944 bytes past the end of the buffer, corrupting adjacent heap memory.

This can be triggered remotely by an unauthenticated attacker with two
cooperating NFSv4.0 clients: one sets a lock with a large owner string,
then the other requests a conflicting lock to provoke the denial.

We could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full
opaque, but that would increase the size of every stateowner, when most
lockowners are not that large.

Instead, fix this by checking the encoded response length against
NFSD4_REPLAY_ISIZE before copying into the replay buffer. If the
response is too large, set rp_buflen to 0 to skip caching the replay
payload. The status is still cached, and the client already received the
correct response on the original request.
Published: 2026-04-03
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Heap corruption
Action: Patch update
AI Analysis

Impact

The Linux kernel contains a heap overflow in the NFSv4.0 replay cache. A fixed 112‑byte buffer is used to store encoded operation responses, but when a LOCK operation is denied and the response contains a large lock owner string, the kernel copies the entire response into this buffer without performing a bounds check. This results in a slab‑out‑of‑bounds write that can corrupt adjacent heap memory, potentially compromising kernel stability and data integrity.

Affected Systems

The flaw affects Linux kernel builds that include the NFSv4.0 server and employ the replay cache logic. Any Linux system running a kernel version prior to the applied fix, and exposing an NFSv4.0 service, is potentially vulnerable; specific version numbers are not enumerated in the available data.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical severity risk. The EPSS score of less than 1 % suggests a low probability of widespread exploitation. The vulnerability is not listed in CISA’s KEV catalog, implying no known active exploitation. The attack can be initiated remotely by an unauthenticated attacker using two cooperating NFSv4.0 clients: one client sets a lock with a large owner string and the second client requests a conflicting lock to trigger the denial and overflow.

Generated by OpenCVE AI on April 28, 2026 at 08:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel update that includes the size check for the NFSv4.0 replay cache
  • If a kernel upgrade is not immediately available, block or restrict external NFSv4.0 traffic with firewall rules or export options
  • Consider disabling the NFSv4.0 service on servers that do not require it
  • Monitor NFS logs for lock denial events and anomalous NFS activity that could indicate attempts to trigger the overflow
  • Apply any backported patches or security errata that contain the replay cache fix before normal operation

Generated by OpenCVE AI on April 28, 2026 at 08:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Sat, 18 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
References

Tue, 07 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122

Sat, 04 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-131
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important

Fri, 03 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122

Fri, 03 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: nfsd: fix heap overflow in NFSv4.0 LOCK replay cache The NFSv4.0 replay cache uses a fixed 112-byte inline buffer (rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses. This size was calculated based on OPEN responses and does not account for LOCK denied responses, which include the conflicting lock owner as a variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT). When a LOCK operation is denied due to a conflict with an existing lock that has a large owner, nfsd4_encode_operation() copies the full encoded response into the undersized replay buffer via read_bytes_from_xdr_buf() with no bounds check. This results in a slab-out-of-bounds write of up to 944 bytes past the end of the buffer, corrupting adjacent heap memory. This can be triggered remotely by an unauthenticated attacker with two cooperating NFSv4.0 clients: one sets a lock with a large owner string, then the other requests a conflicting lock to provoke the denial. We could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full opaque, but that would increase the size of every stateowner, when most lockowners are not that large. Instead, fix this by checking the encoded response length against NFSD4_REPLAY_ISIZE before copying into the replay buffer. If the response is too large, set rp_buflen to 0 to skip caching the replay payload. The status is still cached, and the client already received the correct response on the original request.
Title nfsd: fix heap overflow in NFSv4.0 LOCK replay cache
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-27T14:02:49.450Z

Reserved: 2026-03-09T15:48:24.086Z

Link: CVE-2026-31402

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-03T16:16:39.283

Modified: 2026-04-27T14:16:36.143

Link: CVE-2026-31402

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-03T00:00:00Z

Links: CVE-2026-31402 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T09:00:06Z

Weaknesses