CVE-2026-31437
Analyzed Analyzed - Analysis Complete
NULL Pointer Dereference in Linux netfs Unbuffered Write Retry

Publication date: 2026-04-22

Last updated on: 2026-05-19

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: netfs: Fix NULL pointer dereference in netfs_unbuffered_write() on retry When a write subrequest is marked NETFS_SREQ_NEED_RETRY, the retry path in netfs_unbuffered_write() unconditionally calls stream->prepare_write() without checking if it is NULL. Filesystems such as 9P do not set the prepare_write operation, so stream->prepare_write remains NULL. When get_user_pages() fails with -EFAULT and the subrequest is flagged for retry, this results in a NULL pointer dereference at fs/netfs/direct_write.c:189. Fix this by mirroring the pattern already used in write_retry.c: if stream->prepare_write is NULL, skip renegotiation and directly reissue the subrequest via netfs_reissue_write(), which handles iterator reset, IN_PROGRESS flag, stats update and reissue internally.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-05-19
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31437
EUVD
EUVD-2026-24762
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.18.17 (inc) to 6.18.21 (exc)
linux linux_kernel From 6.19.7 (inc) to 6.19.11 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's netfs subsystem, specifically in the netfs_unbuffered_write() function. When a write subrequest is marked as needing a retry (NETFS_SREQ_NEED_RETRY), the function attempts to call stream->prepare_write() without checking if this pointer is NULL.

Some filesystems, like 9P, do not set the prepare_write operation, leaving stream->prepare_write as NULL. If get_user_pages() fails with an -EFAULT error and the subrequest is flagged for retry, this leads to a NULL pointer dereference at fs/netfs/direct_write.c:189, causing a potential crash or instability.

The fix involves checking if stream->prepare_write is NULL before calling it. If it is NULL, the code skips renegotiation and directly reissues the subrequest using netfs_reissue_write(), which safely handles the retry process.

Impact Analysis

This vulnerability can cause a NULL pointer dereference in the Linux kernel, which may lead to a kernel crash or system instability when certain write operations are retried on affected filesystems like 9P.

Such crashes can result in denial of service (DoS) conditions, potentially disrupting normal system operations and affecting availability.

Mitigation Strategies

The vulnerability has been resolved by fixing the NULL pointer dereference in the Linux kernel's netfs_unbuffered_write() function. To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.

  • Apply the latest Linux kernel updates or patches that address this issue.
  • Avoid using vulnerable kernel versions that do not include the fix for the NULL pointer dereference in netfs_unbuffered_write().
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31437. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart