CVE-2026-57918 - Vulnerability Details

Description

libnfs through 6.0.2 before 935b8db has an xid integer underflow in READ_IOVEC in rpc_read_from_socket in lib/socket.c during a connection to a crafted NFS server, when the expected pdu size exceeds the absolute pdu size from the xid/record-marker.

Published: 2026-06-26

Score: 7.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

libnfs through version 6.0.2, before commit 935b8db, contains an xid integer underflow in the READ_IOVEC routine inside rpc_read_from_socket. During a connection to a crafted NFS server, the expected PDU size can exceed the actual size derived from the xid/record marker, causing the integer to underflow. This underflow leads to an out‑of‑bounds memory operation, which may corrupt memory and present a serious risk for code execution or service disruption.

Affected Systems

All releases of the sahlberg libnfs library up to and including version 6.0.2 are affected. The vulnerability is rectified by commit 935b8db; applying this commit or any later release that includes it resolves the issue. Systems running older releases are at risk unless the update is applied.

Risk and Exploitability

The CVSS score of 7.1 indicates moderate‑to‑high severity. The vulnerability is remote; it requires an attacker to control an NFS server and communicate with the vulnerable client. No exploit evidence is currently available and the EPSS score is not reported, but the fault nature suggests real‑’s KEV not yet a known actively exploited weakness.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

sahlberg

libnfs

unaffected

Version	Status	Constraints
`0`	affected	< 935b8db712b3c6649bc57ddc276526c4a31680de

No data.

Vendor Product Confidence Versions

Sahlberg

Libnfs

100%

Version	Status	Scheme	Platform
`[0,935b8db712b3c6649bc57ddc276526c4a31680de)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Install a version of libnfs that includes commit 935b8db, or apply the patch manually if no such release is available.
Limit libnfs client connections to trusted NFS servers only, blocking any unknown or untrusted endpoints from initiating connections.
Segregate systems using libnfs from external networks with firewall or network segmentation until the patch is applied.

Generated by OpenCVE AI on June 26, 2026 at 14:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00195.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/sahlberg/libnfs/commit/935b8db712b3c6649bc57ddc276526c4a31680de

History

Fri, 26 Jun 2026 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sahlberg Sahlberg libnfs
Vendors & Products		Sahlberg Sahlberg libnfs

Fri, 26 Jun 2026 14:45:00 +0000

Type	Values Removed	Values Added
Title	libnfs Integer Underflow during RPC Read

Fri, 26 Jun 2026 12:45:00 +0000

Type	Values Removed	Values Added
Title		libnfs Integer Underflow during RPC Read

Fri, 26 Jun 2026 12:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 26 Jun 2026 12:00:00 +0000

Type	Values Removed	Values Added
Description	libnfs through 6.0.2 before f0b109d has an xid integer underflow in READ_IOVEC in rpc_read_from_socket in lib/socket.c during a connection to a crafted NFS server, when the expected pdu size exceeds the absolute pdu size from the xid/record-marker.	libnfs through 6.0.2 before 935b8db has an xid integer underflow in READ_IOVEC in rpc_read_from_socket in lib/socket.c during a connection to a crafted NFS server, when the expected pdu size exceeds the absolute pdu size from the xid/record-marker.

Fri, 26 Jun 2026 11:00:00 +0000

Type	Values Removed	Values Added
Description		libnfs through 6.0.2 before f0b109d has an xid integer underflow in READ_IOVEC in rpc_read_from_socket in lib/socket.c during a connection to a crafted NFS server, when the expected pdu size exceeds the absolute pdu size from the xid/record-marker.
Weaknesses		CWE-191
References		https://github.com/sahlberg/libnfs/commit/935b8db712b3c6649bc57ddc276526c4a31680de
Metrics		cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L'}`

Subscriptions

Sahlberg Libnfs

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-06-26T10:54:58.162Z

Updated: 2026-06-26T12:01:20.691Z

Reserved: 2026-06-26T10:54:57.765Z

Link: CVE-2026-57918

Vulnrichment

Updated: 2026-06-26T12:01:17.595Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T14:45:06Z

Weaknesses

CWE-191
Integer Underflow (Wrap or Wraparound)

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object