Description
In the Linux kernel, the following vulnerability has been resolved:

netfs: Fix kernel BUG in netfs_limit_iter() for ITER_KVEC iterators

When a process crashes and the kernel writes a core dump to a 9P
filesystem, __kernel_write() creates an ITER_KVEC iterator. This
iterator reaches netfs_limit_iter() via netfs_unbuffered_write(), which
only handles ITER_FOLIOQ, ITER_BVEC and ITER_XARRAY iterator types,
hitting the BUG() for any other type.

Fix this by adding netfs_limit_kvec() following the same pattern as
netfs_limit_bvec(), since both kvec and bvec are simple segment arrays
with pointer and length fields. Dispatch it from netfs_limit_iter() when
the iterator type is ITER_KVEC.
Published: 2026-04-22
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A kernel assertion bug exists in the 9P filesystem path when the kernel writes a core dump to a 9P filesystem. The core dump routine creates an ITER_KVEC iterator that is not handled by netfs_limit_iter(), causing the kernel to invoke BUG() and panic. The result is a denial of service from a system crash. The flaw involves incorrect handling of iterator types, which corresponds to CWE-476 and CWE-843.

Affected Systems

All Linux kernel builds that include 9P filesystem support and have not yet applied the netfs_limit_kvec patch are affected. This includes all releases prior to the commit that added the patch. No specific version ranges are listed, so any Linux kernel built without the fix is vulnerable.

Risk and Exploitability

The EPSS score of < 1% indicates a very low but nonzero exploitation probability, and the CVSS score of 5.5 reflects moderate severity. The vulnerability is not listed in the CISA KEV catalog. It can be triggered locally when a process crashes on a 9P mount, causing the kernel to panic. Based on the description, it is inferred that a remote attacker would need to invoke privileged code or force a process crash to trigger the bug. No public exploits are known, but the kernel instability could cause a moderate-to-high impact if exploited.

Generated by OpenCVE AI on May 19, 2026 at 23:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that contains the netfs_limit_kvec patch.
  • Restrict 9P mounts to trusted users and avoid using 9P as a core dump target.
  • Redirect core dumps to a non-9P filesystem or custom handler if an immediate kernel upgrade is not possible.

Generated by OpenCVE AI on May 19, 2026 at 23:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6238-1 linux security update
History

Tue, 19 May 2026 22:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Tue, 28 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-535

Mon, 27 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-535

Thu, 23 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-843
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: netfs: Fix kernel BUG in netfs_limit_iter() for ITER_KVEC iterators When a process crashes and the kernel writes a core dump to a 9P filesystem, __kernel_write() creates an ITER_KVEC iterator. This iterator reaches netfs_limit_iter() via netfs_unbuffered_write(), which only handles ITER_FOLIOQ, ITER_BVEC and ITER_XARRAY iterator types, hitting the BUG() for any other type. Fix this by adding netfs_limit_kvec() following the same pattern as netfs_limit_bvec(), since both kvec and bvec are simple segment arrays with pointer and length fields. Dispatch it from netfs_limit_iter() when the iterator type is ITER_KVEC.
Title netfs: Fix kernel BUG in netfs_limit_iter() for ITER_KVEC iterators
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:08:42.611Z

Reserved: 2026-03-09T15:48:24.090Z

Link: CVE-2026-31438

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-22T14:16:37.100

Modified: 2026-05-19T22:08:30.177

Link: CVE-2026-31438

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31438 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T00:00:16Z

Weaknesses