Description
In the Linux kernel, the following vulnerability has been resolved:

netfs: Fix NULL pointer dereference in netfs_unbuffered_write() on retry

When a write subrequest is marked NETFS_SREQ_NEED_RETRY, the retry path
in netfs_unbuffered_write() unconditionally calls stream->prepare_write()
without checking if it is NULL.

Filesystems such as 9P do not set the prepare_write operation, so
stream->prepare_write remains NULL. When get_user_pages() fails with
-EFAULT and the subrequest is flagged for retry, this results in a NULL
pointer dereference at fs/netfs/direct_write.c:189.

Fix this by mirroring the pattern already used in write_retry.c: if
stream->prepare_write is NULL, skip renegotiation and directly reissue
the subrequest via netfs_reissue_write(), which handles iterator reset,
IN_PROGRESS flag, stats update and reissue internally.
Published: 2026-04-22
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Kernel crash leading to denial‑of‑service
Action: Apply Patch
AI Analysis

Impact

In the Linux kernel, netfs_unbuffered_write() calls stream->prepare_write unconditionally when a write subrequest is marked NETFS_SREQ_NEED_RETRY. Filesystems such as 9P do not implement prepare_write, leaving the function pointer NULL. When get_user_pages() fails with -EFAULT and the subrequest is flagged for retry, this results in a NULL pointer dereference at fs/netfs/direct_write.c:189, causing a kernel oops. This is a classic NULL pointer dereference weakness (CWE-476): it can lead to a kernel crash triggered by an unprivileged user, resulting in denial of service and a potential escalation surface if the fault is leveraged further.

Affected Systems

All Linux kernel versions prior to the commit that introduces the NULL check are vulnerable. The issue affects any system that mounts a netfs-based filesystem that does not provide a prepare_write function, notably the 9P filesystem. The vulnerability is present in every pre-patch kernel revision and is fixed in kernels that incorporate the referenced commits.

Risk and Exploitability

The CVSS score of 5.5 indicates medium severity, while the EPSS score of < 1% suggests a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that a local attacker with write access to a netfs file can trigger the crash by causing a write failure and retry. The risk is therefore a local denial of service that could be exploited to destabilize the system or, in some circumstances, enable privilege escalation.

Generated by OpenCVE AI on April 28, 2026 at 08:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that includes the commit adding a NULL check for stream->prepare_write in netfs_unbuffered_write.
  • Reboot the system so that the updated kernel and modules are loaded.
  • If an official patch is not yet available, avoid mounting 9P or other netfs filesystems that lack a prepare_write implementation until a fix is applied.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 00:15:00 +0000

  • Weaknesses: added CWE-476
  • References
  • Metrics: removed threat_severity None; added cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'} and threat_severity Moderate


Wed, 22 Apr 2026 14:15:00 +0000

  • Description: added (the text shown under Description at the top of this page)
  • Title: added "netfs: Fix NULL pointer dereference in netfs_unbuffered_write() on retry"
  • First Time appeared: added Linux; Linux linux Kernel
  • CPEs: added cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  • Vendors & Products: added Linux; Linux linux Kernel
  • References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:08:41.432Z

Reserved: 2026-03-09T15:48:24.090Z

Link: CVE-2026-31437

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-04-22T14:16:36.980

Modified: 2026-05-19T22:09:14.920

Link: CVE-2026-31437

Redhat

Severity: Moderate

Public Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31437 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T08:30:13Z

Weaknesses