Description
In the Linux kernel, the following vulnerability has been resolved:

nfsd: fix heap overflow in NFSv4.0 LOCK replay cache

The NFSv4.0 replay cache uses a fixed 112-byte inline buffer
(rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses.
This size was calculated based on OPEN responses and does not account
for LOCK denied responses, which include the conflicting lock owner as
a variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT).

When a LOCK operation is denied due to a conflict with an existing lock
that has a large owner, nfsd4_encode_operation() copies the full encoded
response into the undersized replay buffer via read_bytes_from_xdr_buf()
with no bounds check. This results in a slab-out-of-bounds write of up
to 944 bytes past the end of the buffer, corrupting adjacent heap memory.

This can be triggered remotely by an unauthenticated attacker with two
cooperating NFSv4.0 clients: one sets a lock with a large owner string,
then the other requests a conflicting lock to provoke the denial.

We could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full
opaque, but that would increase the size of every stateowner, when most
lockowners are not that large.

Instead, fix this by checking the encoded response length against
NFSD4_REPLAY_ISIZE before copying into the replay buffer. If the
response is too large, set rp_buflen to 0 to skip caching the replay
payload. The status is still cached, and the client already received the
correct response on the original request.
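As an added illustration, not the kernel's code and not the patch itself: a C model of the bounded replay-cache store the description calls for. The constants NFSD4_REPLAY_ISIZE and NFS4_OPAQUE_LIMIT and the field names rp_status, rp_buflen and rp_ibuf come from the description above; the struct layout, the guard word, replay_store(), replay_overflow_bytes(), lock_denied_xdr_len() and the sample payloads are constructed for this example. The XDR sizes follow the LOCK4denied layout in RFC 7530 (offset, length, locktype, clientid, owner), which is how the 944-byte figure quoted above arises for a 1024-byte owner.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes quoted in the advisory. */
#define NFSD4_REPLAY_ISIZE 112
#define NFS4_OPAQUE_LIMIT  1024

/* NFS4ERR_DENIED status code per RFC 7530; used here only as sample input. */
#define NFS4ERR_DENIED_CODE 10010

/*
 * Simplified, hypothetical model of a replay-cache entry. The field names
 * rp_status, rp_buflen and rp_ibuf follow the advisory; the layout and the
 * trailing guard word are constructed for this example and are not the
 * kernel's structure.
 */
struct replay_model {
    int32_t       rp_status;
    uint32_t      rp_buflen;
    unsigned char rp_ibuf[NFSD4_REPLAY_ISIZE];
    uint32_t      guard;   /* constructed: would be clobbered by a write past rp_ibuf */
};

#define GUARD_VALUE 0xA5A5A5A5u

/*
 * Hardened store, modelled on the fix the advisory describes: the status is
 * always cached, the encoded payload only when it fits the inline buffer.
 * Returns true when the payload was cached, false when it was skipped.
 */
bool replay_store(struct replay_model *rp, int32_t status,
                  const unsigned char *encoded, size_t len)
{
    rp->rp_status = status;
    if (len > NFSD4_REPLAY_ISIZE) {
        rp->rp_buflen = 0;      /* too large: cache the status only */
        return false;
    }
    rp->rp_buflen = (uint32_t)len;
    memcpy(rp->rp_ibuf, encoded, len);
    return true;
}

/* Number of bytes an unchecked copy of `len` bytes would write past rp_ibuf. */
size_t replay_overflow_bytes(size_t len)
{
    return len > NFSD4_REPLAY_ISIZE ? len - NFSD4_REPLAY_ISIZE : 0;
}

/*
 * XDR size of a LOCK4denied body for an owner of owner_len bytes, following
 * the RFC 7530 layout: offset (8) + length (8) + locktype (4) + clientid (8)
 * + owner length (4) + owner data padded to a multiple of 4. For the maximum
 * owner this is 1056 bytes, i.e. 944 bytes beyond the 112-byte buffer.
 */
size_t lock_denied_xdr_len(size_t owner_len)
{
    size_t padded = (owner_len + 3) & ~(size_t)3;
    return 8 + 8 + 4 + 8 + 4 + padded;
}

/*
 * Exercises both paths with constructed payloads and checks that the guard
 * word survives. Returns 1 on success, 0 on any failure.
 */
int replay_selftest(void)
{
    struct replay_model rp;
    unsigned char small[48];                      /* constructed: 16-byte owner */
    unsigned char big[NFS4_OPAQUE_LIMIT + 32];    /* constructed: 1024-byte owner */

    memset(&rp, 0, sizeof rp);
    rp.guard = GUARD_VALUE;
    memset(small, 0x11, sizeof small);
    memset(big, 0x22, sizeof big);

    /* Small denial: payload fits and is cached in full. */
    if (!replay_store(&rp, NFS4ERR_DENIED_CODE, small, sizeof small) ||
        rp.rp_buflen != sizeof small)
        return 0;

    /* Large denial: status cached, payload skipped, nothing written past rp_ibuf. */
    if (replay_store(&rp, NFS4ERR_DENIED_CODE, big, sizeof big) || rp.rp_buflen != 0)
        return 0;
    if (rp.guard != GUARD_VALUE || rp.rp_status != NFS4ERR_DENIED_CODE)
        return 0;
    return 1;
}

int main(void)
{
    size_t max_len = lock_denied_xdr_len(NFS4_OPAQUE_LIMIT);
    printf("max LOCK-denied payload: %zu bytes; unchecked copy would overrun by %zu bytes\n",
           max_len, replay_overflow_bytes(max_len));
    printf("selftest: %s\n", replay_selftest() ? "ok" : "FAILED");
    return replay_selftest() ? 0 : 1;
}
```

The point of the model is the shape of the check rather than the numbers: the length is compared against the inline buffer size before any copy, and the fallback (status cached, payload dropped) is safe because the original reply already reached the client.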
Published: 2026-04-03
Score: 7.0 High
EPSS: n/a
KEV: No
Impact: Remote heap corruption
Action: Patch
AI Analysis

Impact

The flaw lies in the Linux kernel’s NFSv4.0 replay cache, which stores encoded operation responses in a 112‑byte inline buffer. For LOCK operations that are denied due to a conflict, the lock owner field can be up to 1,024 bytes, so the encoded response can exceed the buffer size. Because the kernel copies the response without a bounds check, the write extends up to 944 bytes beyond the buffer and corrupts adjacent heap memory. This type of memory corruption can lead to a crash or, if the heap layout can be controlled, arbitrary code execution on the NFS server.

Affected Systems

All Linux kernels that include the nfsd component for NFSv4.0 servers are affected, regardless of distribution, because the vulnerable code path is part of the core kernel NFS implementation. Any system running a kernel that has not applied the fix will be vulnerable.

Risk and Exploitability

The vulnerability permits remote exploitation without authentication, requiring only two NFS clients that coordinate conflicting lock operations. The absence of a bounds check makes the overflow straightforward to trigger, and it can corrupt almost a kilobyte of heap memory. While the CVSS score and EPSS are not provided, the potential impact is significant; the flaw is not listed in the CISA KEV catalog, yet it remains a high‑risk issue that could be used to disrupt service or compromise the server if an attacker can exploit the heap corruption.

Generated by OpenCVE AI on April 3, 2026 at 19:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Linux kernel patch that corrects the NFSv4.0 replay cache overflow (refer to the commit referenced in the advisory).
  • Ensure all NFSv4.0 servers are restarted after updating the kernel to the patched version.



Advisories

No advisories yet.

History

Sat, 04 Apr 2026 01:15:00 +0000

Type        Values Removed          Values Added
Weaknesses  -                       CWE-131
References  -                       -
Metrics     threat_severity: None   cvssV3_1: {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
                                    threat_severity: Important

Fri, 03 Apr 2026 21:30:00 +0000

Type        Values Removed          Values Added
Weaknesses  -                       CWE-122

Fri, 03 Apr 2026 16:30:00 +0000

Type                 Values Removed   Values Added
Description          -                (full CVE description, identical to the Description section above)
Title                -                nfsd: fix heap overflow in NFSv4.0 LOCK replay cache
First Time appeared  -                Linux; Linux linux Kernel
CPEs                 -                cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products   -                Linux; Linux linux Kernel
References           -                -

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-03T15:16:05.724Z

Reserved: 2026-03-09T15:48:24.086Z

Link: CVE-2026-31402

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-03T16:16:39.283

Modified: 2026-04-03T16:16:39.283

Link: CVE-2026-31402

Red Hat

Severity: Important

Public Date: 2026-04-03T00:00:00Z

Links: CVE-2026-31402 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-03T21:15:24Z

Weaknesses