Description
In the Linux kernel, the following vulnerability has been resolved:

erofs: add GFP_NOIO in the bio completion if needed

The bio completion path in the process context (e.g. dm-verity)
will directly call into decompression rather than trigger another
workqueue context for minimal scheduling latencies, which can
then call vm_map_ram() with GFP_KERNEL.

Due to insufficient memory, vm_map_ram() may generate memory
swapping I/O, which can cause submit_bio_wait to deadlock
in some scenarios.

Trimmed down the call stack, as follows:

f2fs_submit_read_io
submit_bio //bio_list is initialized.
mmc_blk_mq_recovery
z_erofs_endio
vm_map_ram
__pte_alloc_kernel
__alloc_pages_direct_reclaim
shrink_folio_list
__swap_writepage
submit_bio_wait //bio_list is non-NULL, hang!!!

Use memalloc_noio_{save,restore}() to wrap up this path.
Published: 2026-04-22
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Linux kernels that use the erofs filesystem, an insufficient‑memory condition can cause the kernel to initiate swap I/O while mapping RAM. The bio completion path, which runs in the process context of services such as dm‑verity, directly calls into decompression and then vm_map_ram(). If vm_map_ram() must perform swapping, submit_bio_wait can deadlock because it blocks waiting for a bio that has already been queued. This kernel deadlock causes the system to become unresponsive, effectively a denial‑of‑service attack. The weakness is a flawed kernel memory allocation path that can result in a deadlock (CWE-667).

Affected Systems

All Linux kernel implementations that contain the erofs filesystem are potentially affected, including systems from all major distributions. The vulnerability is present in any kernel version that has not yet incorporated the patch that adds GFP_NOIO to the bio completion path. Devices that use dm‑verity or erofs for integrity checks, such as certain embedded or server systems, fall under the affected umbrella.

Risk and Exploitability

The vulnerability is not listed in CISA’s known‑exploited vulnerabilities catalog. The EPSS score of approximately 0.07% indicates a very low likelihood of exploitation, even though it is still within the “< 1%” bucket. The attack still requires a constrained‑memory environment that triggers a swap during the erofs read operation. If such a scenario is achieved, the kernel can deadlock, causing a system‑wide denial of service. The attack vector is inferred to be local; a privileged or local process is needed to trigger the erofs read under low‑memory conditions. Given the severe impact but the very low exploitation probability, the risk remains notable for systems lacking the patch.

Generated by OpenCVE AI on May 7, 2026 at 21:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that includes the commit adding GFP_NOIO to the erofs bio completion path.
  • If an official updated kernel is not available, apply the patch manually from the provided source and rebuild the kernel.
  • Reboot the system to load the updated kernel.

Generated by OpenCVE AI on May 7, 2026 at 21:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4561-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6238-1 linux security update
Debian DSA Debian DSA DSA-6243-1 linux security update
History

Thu, 07 May 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-682

Thu, 07 May 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-667
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*

Tue, 28 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-682

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Thu, 23 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: erofs: add GFP_NOIO in the bio completion if needed The bio completion path in the process context (e.g. dm-verity) will directly call into decompression rather than trigger another workqueue context for minimal scheduling latencies, which can then call vm_map_ram() with GFP_KERNEL. Due to insufficient memory, vm_map_ram() may generate memory swapping I/O, which can cause submit_bio_wait to deadlock in some scenarios. Trimmed down the call stack, as follows: f2fs_submit_read_io submit_bio //bio_list is initialized. mmc_blk_mq_recovery z_erofs_endio vm_map_ram __pte_alloc_kernel __alloc_pages_direct_reclaim shrink_folio_list __swap_writepage submit_bio_wait //bio_list is non-NULL, hang!!! Use memalloc_noio_{save,restore}() to wrap up this path.
Title erofs: add GFP_NOIO in the bio completion if needed
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:09:17.969Z

Reserved: 2026-03-09T15:48:24.097Z

Link: CVE-2026-31467

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-22T14:16:42.977

Modified: 2026-05-07T18:21:40.090

Link: CVE-2026-31467

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31467 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T21:30:25Z

Weaknesses