Description
In the Linux kernel, the following vulnerability has been resolved:

nfs: return EISDIR on nfs3_proc_create if d_alias is a dir

If we found an alias through nfs3_do_create/nfs_add_or_obtain
/d_splice_alias which happens to be a dir dentry, we don't return
any error, and simply forget about this alias, but the original
dentry we were adding and passed as parameter remains negative.

This later causes an oops on nfs_atomic_open_v23/finish_open since we
supply a negative dentry to do_dentry_open.

This has been observed running lustre-racer, where dirs and files are
created/removed concurrently with the same name and O_EXCL is not
used to open files (frequent file redirection).

While d_splice_alias typically returns a directory alias or NULL, we
explicitly check d_is_dir() to ensure that we don't attempt to perform
file operations (like finish_open) on a directory inode, which triggers
the observed oops.
Published: 2026-05-08
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw occurs in the NFSv3 creation path of the Linux kernel. When the server resolves a create request and encounters an alias that points to a directory, it fails to return an error and silently discards the alias. This leaves the intended file dentry in a negative state, which is later passed to the open path and triggers a kernel panic. The resulting crash causes the NFS server, and potentially the whole host, to become unreachable.

Affected Systems

All Linux kernel builds that include the unpatched NFSv3 implementation are affected. No specific version numbers are supplied, so any distribution running a kernel before the commit that fixed this behavior is vulnerable. The CVE does not distinguish between distributions; thus standard Linux servers exposing an NFSv3 service are at risk.

Risk and Exploitability

A remote attacker with network access to an NFS server can trigger the bug by issuing create operations on a name that simultaneously exists as a directory alias, especially when O_EXCL is not used. The likely attack vector is a crafted NFS client request. The CVSS score of 5.5 indicates medium severity. The EPSS score of 0.00018 indicates a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. It poses a moderate risk of denial of service that can be exercised remotely. No public exploit has been observed, yet the straightforward trigger makes the vulnerability moderately exploitable.

Generated by OpenCVE AI on May 9, 2026 at 15:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest kernel patch that incorporates the NFSv3 fix or upgrade to a kernel version that includes the commit.
  • If a patch cannot be applied immediately, restrict NFS traffic to trusted hosts by configuring firewall rules or disabling NFSv3 on the server.
  • Consider disabling NFSv3 entirely and using NFSv4 only, or block NFS create requests that could trigger the bug until a patch is available.

Generated by OpenCVE AI on May 9, 2026 at 15:51 UTC.
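
To see where NFSv3 is in use on a host before acting on the recommendations above, the following added example (not part of the OpenCVE page or the kernel patch) lists NFSv3 mounts from text in `/proc/mounts` format. The sample mount table, host names and addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: inventory NFSv3 mounts, the protocol version whose create
# path (nfs3_proc_create) is named in the description above.

# list_nfsv3_mounts: reads /proc/mounts-format text on stdin and prints
# "source mountpoint" for every mount of type nfs negotiated as version 3.
# NFSv4 mounts appear with fstype nfs4 and are skipped. Spaces in paths are
# encoded as \040 in /proc/mounts, so whitespace field splitting is safe.
list_nfsv3_mounts() {
    awk '
    $3 == "nfs" {
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) {
            if (opt[i] == "vers=3" || opt[i] == "nfsvers=3") {
                print $1, $2
                break
            }
        }
    }'
}

# Constructed sample mount table (not taken from a real system).
sample_mounts() {
    cat <<'EOF'
fileserver.example:/export/home /home nfs rw,relatime,vers=3,rsize=1048576,wsize=1048576,hard,proto=tcp,addr=192.0.2.10 0 0
fileserver.example:/export/proj /srv/proj nfs4 rw,relatime,vers=4.2,rsize=1048576,hard,proto=tcp,addr=192.0.2.10 0 0
/dev/sda1 / ext4 rw,relatime 0 0
backup.example:/vol/archive /mnt/archive nfs ro,nfsvers=3,proto=udp,addr=192.0.2.20 0 0
EOF
}

# Demo on the constructed sample; on a live host use:
#   list_nfsv3_mounts < /proc/mounts
sample_mounts | list_nfsv3_mounts
```

Any mount it reports is a candidate for remounting with NFSv4 or for prioritised kernel patching.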

Advisories

No advisories yet.

History

Sat, 09 May 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-398
CWE-665

Sat, 09 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-367
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Fri, 08 May 2026 21:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-398
CWE-665

Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: nfs: return EISDIR on nfs3_proc_create if d_alias is a dir If we found an alias through nfs3_do_create/nfs_add_or_obtain /d_splice_alias which happens to be a dir dentry, we don't return any error, and simply forget about this alias, but the original dentry we were adding and passed as parameter remains negative. This later causes an oops on nfs_atomic_open_v23/finish_open since we supply a negative dentry to do_dentry_open. This has been observed running lustre-racer, where dirs and files are created/removed concurrently with the same name and O_EXCL is not used to open files (frequent file redirection). While d_splice_alias typically returns a directory alias or NULL, we explicitly check d_is_dir() to ensure that we don't attempt to perform file operations (like finish_open) on a directory inode, which triggers the observed oops.
Title nfs: return EISDIR on nfs3_proc_create if d_alias is a dir
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-08T14:22:30.218Z

Reserved: 2026-05-01T14:12:56.011Z

Link: CVE-2026-43470

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T15:17:00.090

Modified: 2026-05-08T15:17:00.090

Link: CVE-2026-43470

Redhat

Severity : Moderate

Public Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43470 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-09T16:00:13Z

Weaknesses