CVE-2026-31402
Heap Overflow in Linux Kernel NFSv4.0 LOCK Replay Cache

Publication date: 2026-04-03

Last updated on: 2026-04-27

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

nfsd: fix heap overflow in NFSv4.0 LOCK replay cache

The NFSv4.0 replay cache uses a fixed 112-byte inline buffer (rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses. This size was calculated based on OPEN responses and does not account for LOCK denied responses, which include the conflicting lock owner as a variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT).

When a LOCK operation is denied due to a conflict with an existing lock that has a large owner, nfsd4_encode_operation() copies the full encoded response into the undersized replay buffer via read_bytes_from_xdr_buf() with no bounds check. This results in a slab-out-of-bounds write of up to 944 bytes past the end of the buffer, corrupting adjacent heap memory.

This can be triggered remotely by an unauthenticated attacker with two cooperating NFSv4.0 clients: one sets a lock with a large owner string, then the other requests a conflicting lock to provoke the denial.

We could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full opaque, but that would increase the size of every stateowner, when most lockowners are not that large. Instead, fix this by checking the encoded response length against NFSD4_REPLAY_ISIZE before copying into the replay buffer. If the response is too large, set rp_buflen to 0 to skip caching the replay payload. The status is still cached, and the client already received the correct response on the original request.
Meta Information
Generated
2026-05-07
AI Q&A
2026-04-03
EPSS Evaluated
2026-05-05
Affected Vendors & Products
Vendor Product Version / Range
linux linux_kernel *
CWE ID
CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a heap overflow in the Linux kernel's NFSv4.0 LOCK replay cache. The replay cache uses a fixed-size buffer to store encoded operation responses, but this buffer size was calculated based on certain responses and does not account for LOCK denied responses that can include a large variable-length field. When a LOCK operation is denied due to a conflict with an existing lock that has a large owner string, the system copies the full encoded response into an undersized buffer without checking its size. This causes a write beyond the buffer's boundary, corrupting adjacent heap memory.

The vulnerability can be triggered remotely by an unauthenticated attacker using two cooperating NFSv4.0 clients: one sets a lock with a large owner string, and the other requests a conflicting lock to provoke the denial and trigger the overflow.

The fix involves checking the encoded response length before copying it into the replay buffer and skipping caching the replay payload if it is too large, preventing the overflow.
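The Description above and this answer both describe the same defensive pattern: compare the encoded response length against the fixed replay buffer before copying, and when it does not fit, cache only the status and set rp_buflen to 0. The following C program is an added example, not kernel code and not code from the page: it models the replay cache entry in user space with the two constants the advisory names, computes how large a LOCK denied body can be from the RFC 7530 LOCK4denied layout (offset, length, locktype, clientid, owner length, then the owner opaque padded to a multiple of four; this arithmetic is mine, and it reproduces the advisory's 944-byte figure), and implements the checked caching step. The unchecked path is only calculated, never performed. The struct, function names and filler payload are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants named in the advisory. */
#define NFSD4_REPLAY_ISIZE 112   /* inline replay buffer size, bytes */
#define NFS4_OPAQUE_LIMIT  1024  /* maximum lock-owner opaque length, bytes */

/* Simplified user-space model of a replay-cache entry (assumption: not the
 * kernel's own struct; only the fields the advisory mentions). */
struct replay_model {
    uint32_t     rp_status;                    /* cached NFS status, always stored */
    unsigned int rp_buflen;                    /* bytes of cached payload, 0 = none */
    char         rp_ibuf[NFSD4_REPLAY_ISIZE];  /* fixed inline payload buffer */
};

/* Bytes of a LOCK4denied body as laid out in RFC 7530: offset (8) + length (8)
 * + locktype (4) + clientid (8) + owner length (4) + owner bytes padded to a
 * multiple of 4. This arithmetic is the example's, not code from the page. */
size_t lock_denied_len(size_t owner_len)
{
    size_t padded = (owner_len + 3) & ~(size_t)3;
    return 8 + 8 + 4 + 8 + 4 + padded;
}

/* How far an unchecked copy of enc_len bytes into rp_ibuf would run past the
 * end of the buffer. Computes the overrun instead of performing it. */
size_t unchecked_overflow_bytes(size_t enc_len)
{
    return enc_len > NFSD4_REPLAY_ISIZE ? enc_len - NFSD4_REPLAY_ISIZE : 0;
}

/* Hardened caching step, mirroring the fix the advisory describes: compare
 * the encoded length against the buffer before copying; when it does not
 * fit, cache only the status and set rp_buflen to 0.
 * Returns 1 when the payload was cached, 0 when only the status was. */
int cache_reply_checked(struct replay_model *rp, uint32_t status,
                        const unsigned char *enc, size_t enc_len)
{
    rp->rp_status = status;
    if (enc_len > sizeof(rp->rp_ibuf)) {
        rp->rp_buflen = 0;        /* too large: skip the payload, keep the status */
        return 0;
    }
    memcpy(rp->rp_ibuf, enc, enc_len);
    rp->rp_buflen = (unsigned int)enc_len;
    return 1;
}

/* Drive the hardened path with a constructed LOCK denied response whose owner
 * is owner_len bytes long; returns the resulting rp_buflen. The payload bytes
 * are constructed filler, not real XDR. */
unsigned int cached_len_for_owner(size_t owner_len)
{
    static unsigned char enc[8 + 8 + 4 + 8 + 4 + NFS4_OPAQUE_LIMIT];
    struct replay_model rp;
    size_t n = lock_denied_len(owner_len);

    if (n > sizeof enc)            /* owner longer than the protocol allows */
        return 0;
    memset(enc, 0xAB, n);          /* constructed filler payload */
    cache_reply_checked(&rp, 10010 /* NFS4ERR_DENIED */, enc, n);
    return rp.rp_buflen;
}

int main(void)
{
    size_t max_body = lock_denied_len(NFS4_OPAQUE_LIMIT);
    printf("largest LOCK denied body: %zu bytes; unchecked copy would overrun by %zu bytes\n",
           max_body, unchecked_overflow_bytes(max_body));
    printf("owner of 16 bytes   -> cached payload %u bytes\n", cached_len_for_owner(16));
    printf("owner of 1024 bytes -> cached payload %u bytes (status only)\n",
           cached_len_for_owner(1024));
    return 0;
}
```

The boundary case worth noting is an owner of exactly 80 bytes: the body is then 112 bytes and still fits, while 81 bytes pads to 84 and pushes the body past the buffer, so only the status is cached. Checking against sizeof(rp->rp_ibuf) rather than a separately maintained constant keeps the check correct if the buffer size is ever changed.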


How can this vulnerability impact me?

This vulnerability can lead to heap memory corruption in the Linux kernel's NFS server component. Such corruption may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code with kernel privileges.

Since the vulnerability can be triggered remotely by unauthenticated attackers, it poses a significant security risk to systems running vulnerable versions of the Linux kernel with NFSv4.0 enabled.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by updating the Linux kernel to a version where the nfsd heap overflow in the NFSv4.0 LOCK replay cache is resolved.

Specifically, the fix involves checking the encoded response length before copying it into the replay buffer to prevent buffer overflow, and skipping caching the replay payload if it is too large.

Therefore, the immediate mitigation step is to apply the kernel update that includes this fix.

