CVE-2026-31435 - Vulnerability Details

- netfs: Fix read abandonment during retry

Description

In the Linux kernel, the following vulnerability has been resolved:

netfs: Fix read abandonment during retry

Under certain circumstances, all the remaining subrequests from a read
request will get abandoned during retry. The abandonment process expects
the 'subreq' variable to be set to the place to start abandonment from, but
it doesn't always have a useful value (it will be uninitialised on the
first pass through the loop and it may point to a deleted subrequest on
later passes).

Fix the first jump to "abandon:" to set subreq to the start of the first
subrequest expected to need retry (which, in this abandonment case, turned
out unexpectedly to no longer have NEED_RETRY set).

Also clear the subreq pointer after discarding superfluous retryable
subrequests to cause an oops if we do try to access it.

Published: 2026-04-22

Score: 7.0 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

In the Linux kernel, the netfs module had an error where read requests could abandon all remaining subrequests during retry. The bug arises due to an uninitialized or dangling subrequest pointer, causing the kernel to trigger an oops and crash when the retry logic attempts to process invalid memory. This results in a denial of service, as the crash can bring the system down or require a reboot.

Affected Systems

All Linux kernel installations that include the netfs subsystem prior to the applied fix are affected, including standard distributions that ship the unpatched kernel. The issue resides in the network file system read handling code, so any system exposed to NFS traffic (clients or servers) is at risk.

Risk and Exploitability

The vulnerability is a critical kernel bug that can lead to a crash, but it lacks a publicly available exploitation reference. EPSS is not available and KEV does not list it, suggesting limited exploitation in the wild. The attack likely requires the ability to trigger a problematic read operation over a network file system, meaning that an attacker with network access to the affected service could potentially force a failure. The risk therefore remains high for exposed systems, and patching should be prioritized.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`ee4cdf7ba857a894ad1650d6ab77669cbbfa329e`	affected	< 3e5fd8f53b575ff2188f82071da19c977ca56c41
`ee4cdf7ba857a894ad1650d6ab77669cbbfa329e`	affected	< 8f2f2bd128a8d9edbc1e785760da54ada3df69b7
`ee4cdf7ba857a894ad1650d6ab77669cbbfa329e`	affected	< 7e57523490cd2efb52b1ea97f2e0a74c0fb634cd

Linux

affected

Version	Status	Constraints
`6.12`	affected	—
`0`	unaffected	< 6.12
`6.18.21`	unaffected	≤ 6.18.*
`6.19.11`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[ee4cdf7ba857a894ad1650d6ab77669cbbfa329e,3e5fd8f53b575ff2188f82071da19c977ca56c41)`	affected	code_commit	—
`[ee4cdf7ba857a894ad1650d6ab77669cbbfa329e,8f2f2bd128a8d9edbc1e785760da54ada3df69b7)`	affected	code_commit	—
`[ee4cdf7ba857a894ad1650d6ab77669cbbfa329e,7e57523490cd2efb52b1ea97f2e0a74c0fb634cd)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.12`	affected	semver	—
`[0,6.12)`	unaffected	semver	—
`[6.18.21,6.19.0)`	unaffected	semver	—
`[6.19.11,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to the patched version where the netfs read abandonment bug is fixed.
Disable or remove netfs-related services (e.g., NFS clients or servers) if an update cannot be applied immediately.
Continuously monitor kernel logs for oops messages to detect any attempted exploitation.

Generated by OpenCVE AI on April 22, 2026 at 19:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/3e5fd8f53b575ff2188f82071da19c977ca56c41
https://git.kernel.org/stable/c/7e57523490cd2efb52b1ea97f2e0a74c0fb634cd
https://git.kernel.org/stable/c/8f2f2bd128a8d9edbc1e785760da54ada3df69b7
https://lore.kernel.org/linux-cve-announce/2026042242-CVE-2026-31435-f0f5@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31435
https://www.cve.org/CVERecord?id=CVE-2026-31435

History

Thu, 23 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-824
References		https://lore.kernel.org/linux-cve-announce/2026042242-CVE-2026-31435-f0f5@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31435 https://www.cve.org/CVERecord?id=CVE-2026-31435
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Wed, 22 Apr 2026 19:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416 CWE-457

Wed, 22 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: netfs: Fix read abandonment during retry Under certain circumstances, all the remaining subrequests from a read request will get abandoned during retry. The abandonment process expects the 'subreq' variable to be set to the place to start abandonment from, but it doesn't always have a useful value (it will be uninitialised on the first pass through the loop and it may point to a deleted subrequest on later passes). Fix the first jump to "abandon:" to set subreq to the start of the first subrequest expected to need retry (which, in this abandonment case, turned out unexpectedly to no longer have NEED_RETRY set). Also clear the subreq pointer after discarding superfluous retryable subrequests to cause an oops if we do try to access it.
Title		netfs: Fix read abandonment during retry
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/3e5fd8f53b575ff2188f82071da19c977ca56c41 https://git.kernel.org/stable/c/7e57523490cd2efb52b1ea97f2e0a74c0fb634cd https://git.kernel.org/stable/c/8f2f2bd128a8d9edbc1e785760da54ada3df69b7

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-22T13:53:35.032Z

Updated: 2026-04-22T13:53:35.032Z

Reserved: 2026-03-09T15:48:24.089Z

Link: CVE-2026-31435

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-22T14:16:36.710

Modified: 2026-04-22T14:16:36.710

Link: CVE-2026-31435

Redhat

Severity : Moderate

Publid Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31435 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-22T19:30:24Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object