Description
In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix NULL i_assoc_inode dereference in nilfs_mdt_save_to_shadow_map

The DAT inode's btree node cache (i_assoc_inode) is initialized lazily
during btree operations. However, nilfs_mdt_save_to_shadow_map()
assumes i_assoc_inode is already initialized when copying dirty pages
to the shadow map during GC.

If NILFS_IOCTL_CLEAN_SEGMENTS is called immediately after mount before
any btree operation has occurred on the DAT inode, i_assoc_inode is
NULL, leading to a general protection fault.

Fix this by calling nilfs_attach_btree_node_cache() on the DAT inode
in nilfs_dat_read() at mount time, ensuring i_assoc_inode is always
initialized before any GC operation can use it.
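A simplified C model of the initialization-order bug described above, added here as an example and not taken from the nilfs2 source: the function names mirror the kernel's, but the structures, the dirty-page counter and the -1 return that stands in for the general protection fault are constructed for illustration. It shows that GC straight after mount only fails when the cache is attached lazily, and that attaching it in dat_read() removes the ordering dependency.

```c
#include <stdbool.h>
#include <stdlib.h>
struct inode { int ino; };            /* stand-in for struct inode */
struct mdt_inode {                    /* stand-in for the DAT inode */
    struct inode *i_assoc_inode;      /* NULL until the cache is attached */
    int dirty_pages;
};

/* Models nilfs_attach_btree_node_cache(); attaching twice is harmless. */
static void attach_btree_node_cache(struct mdt_inode *dat)
{
    if (!dat->i_assoc_inode)
        dat->i_assoc_inode = calloc(1, sizeof *dat->i_assoc_inode);
}

/* Any btree operation on the DAT inode attaches the cache lazily. */
static void dat_btree_op(struct mdt_inode *dat)
{
    attach_btree_node_cache(dat);
    dat->dirty_pages++;
}

/* Models nilfs_mdt_save_to_shadow_map() on the GC path: returns the pages
 * copied, or -1 where the real code dereferences the NULL pointer. */
static int save_to_shadow_map(const struct mdt_inode *dat)
{
    return dat->i_assoc_inode ? dat->dirty_pages : -1;
}

/* Models nilfs_dat_read() at mount. Vulnerable: leave attachment to later
 * btree ops. Fixed (as in the commit): attach the cache right here. */
static void dat_read(struct mdt_inode *dat, bool fixed)
{
    dat->i_assoc_inode = NULL;
    dat->dirty_pages = 0;
    if (fixed)
        attach_btree_node_cache(dat);
}

/* Mount, run `ops` btree operations, then CLEAN_SEGMENTS (GC). */
static int mount_then_clean_segments(bool fixed, int ops)
{
    struct mdt_inode dat;
    dat_read(&dat, fixed);
    for (int i = 0; i < ops; i++)
        dat_btree_op(&dat);
    int rc = save_to_shadow_map(&dat);
    free(dat.i_assoc_inode);
    return rc;
}
```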
Published: 2026-04-24
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (kernel crash)
Action: Patch Now
AI Analysis

Impact

The vulnerability in the Linux NILFS2 filesystem driver allows an attacker to trigger a NULL pointer dereference by issuing the NILFS_IOCTL_CLEAN_SEGMENTS ioctl immediately after mounting the filesystem, before any btree operation on the DAT inode has occurred. The result is a general protection fault that crashes the kernel, denying service on the affected system. The weakness is a classic NULL pointer dereference (CWE-476) combined with access of an uninitialized pointer (CWE-824) on the garbage collection path.

Affected Systems

All Linux systems running a kernel that includes the NILFS2 driver without the fix in commit 41de342278ae025c99cc8d33648773f05e306cf1. Any system that mounts and uses a NILFS2 filesystem is affected regardless of distribution, because the vulnerability is in core kernel code rather than in a distribution-specific module.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, and the EPSS score of < 1% indicates a very low estimated probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a local user who can issue the NILFS_IOCTL_CLEAN_SEGMENTS ioctl on a mounted NILFS2 filesystem; whether privileged or unprivileged, such a user can cause the fault if the ioctl is invoked before any btree activity has initialized the i_assoc_inode cache. The result is a kernel panic and a denial of service.

Generated by OpenCVE AI on April 28, 2026 at 23:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Linux kernel update that incorporates commit 41de342278ae025c99cc8d33648773f05e306cf1 to ensure i_assoc_inode is initialized on mount.
  • Restart the system using the updated kernel to load the corrected NILFS2 driver and prevent potential kernel crashes.
  • When possible, restrict or defer use of the NILFS_IOCTL_CLEAN_SEGMENTS ioctl until after normal btree operations have been performed on the DAT inode; consider disabling the ioctl in applications that do not require immediate segment cleaning.

Advisories

Source      ID          Title
Debian DSA  DSA-6238-1  linux security update
History

Mon, 27 Apr 2026 20:45:00 +0000
  Weaknesses added: CWE-476
  Metrics added: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Mon, 27 Apr 2026 14:15:00 +0000

Mon, 27 Apr 2026 11:30:00 +0000

Sat, 25 Apr 2026 00:15:00 +0000
  Weaknesses added: CWE-824
  References: changed (values not shown)
  Metrics threat_severity: removed None, added Moderate

Fri, 24 Apr 2026 15:00:00 +0000
  Description added: In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix NULL i_assoc_inode dereference in nilfs_mdt_save_to_shadow_map (full text as in the Description section above)
  Title added: nilfs2: fix NULL i_assoc_inode dereference in nilfs_mdt_save_to_shadow_map
  First time appeared: Linux; Linux linux Kernel
  CPEs added: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  Vendors & Products added: Linux; Linux linux Kernel
  References: added (values not shown)

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:11:28.945Z

Reserved: 2026-03-09T15:48:24.119Z

Link: CVE-2026-31577

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-04-24T15:16:32.347

Modified: 2026-04-27T20:41:46.103

Link: CVE-2026-31577

Redhat

Severity: Moderate

Public Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31577 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T23:45:16Z

Weaknesses