CVE-2026-31437
Received - Intake
NULL Pointer Dereference in Linux netfs Unbuffered Write Retry

Publication date: 2026-04-22

Last updated on: 2026-04-22

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

netfs: Fix NULL pointer dereference in netfs_unbuffered_write() on retry

When a write subrequest is marked NETFS_SREQ_NEED_RETRY, the retry path in netfs_unbuffered_write() unconditionally calls stream->prepare_write() without checking if it is NULL.

Filesystems such as 9P do not set the prepare_write operation, so stream->prepare_write remains NULL. When get_user_pages() fails with -EFAULT and the subrequest is flagged for retry, this results in a NULL pointer dereference at fs/netfs/direct_write.c:189.

Fix this by mirroring the pattern already used in write_retry.c: if stream->prepare_write is NULL, skip renegotiation and directly reissue the subrequest via netfs_reissue_write(), which handles iterator reset, IN_PROGRESS flag, stats update and reissue internally.

Meta Information
Published: 2026-04-22
Last Modified: 2026-04-22
Generated: 2026-05-07
AI Q&A: 2026-04-22
EPSS Evaluated: 2026-05-05

Affected Vendors & Products
Vendor: linux; Product: linux_kernel; Version / Range: *

CWE ID: CWE-UNKNOWN

AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's netfs subsystem, specifically in the netfs_unbuffered_write() function. When a write subrequest is marked as needing a retry (NETFS_SREQ_NEED_RETRY), the function attempts to call stream->prepare_write() without checking if this pointer is NULL.

Some filesystems, like 9P, do not set the prepare_write operation, leaving stream->prepare_write as NULL. If get_user_pages() fails with an -EFAULT error and the subrequest is flagged for retry, this leads to a NULL pointer dereference at fs/netfs/direct_write.c:189, causing a potential crash or instability.

The fix involves checking if stream->prepare_write is NULL before calling it. If it is NULL, the code skips renegotiation and directly reissues the subrequest using netfs_reissue_write(), which safely handles the retry process.
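
The retry pattern described above, as a simplified userspace C model added here for illustration; it is not the kernel's code. The model_* types and functions, the retry_* names and the enum are assumptions, and only the missing NULL check on prepare_write and the direct reissue come from the description.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified userspace model; NOT the kernel's structures or code. */
struct model_subreq { int need_retry, in_progress, renegotiated, reissued; };
struct model_stream { void (*prepare_write)(struct model_subreq *); };
enum retry_path { NO_RETRY, RENEGOTIATED, REISSUED_DIRECTLY };

/* Hypothetical op for a filesystem that does implement prepare_write. */
void model_prepare_write(struct model_subreq *s) { s->renegotiated++; }

/* Stand-in for netfs_reissue_write(); models only IN_PROGRESS and a counter. */
void model_reissue_write(struct model_subreq *s) { s->in_progress = 1; s->reissued++; }

/* Pre-fix shape: the op is called without a NULL check, so a stream
 * that leaves prepare_write unset (the 9P case) faults on the call. */
enum retry_path retry_unfixed(struct model_stream *st, struct model_subreq *s)
{
    if (!s->need_retry)
        return NO_RETRY;
    s->need_retry = 0;
    st->prepare_write(s);          /* call through NULL when the op is unset */
    model_reissue_write(s);
    return RENEGOTIATED;
}

/* Post-fix shape: no op means skip renegotiation and reissue directly. */
enum retry_path retry_fixed(struct model_stream *st, struct model_subreq *s)
{
    if (!s->need_retry)
        return NO_RETRY;
    s->need_retry = 0;
    if (!st->prepare_write) {
        model_reissue_write(s);
        return REISSUED_DIRECTLY;
    }
    st->prepare_write(s);
    model_reissue_write(s);
    return RENEGOTIATED;
}

int main(void)
{
    struct model_stream p9 = { NULL };        /* constructed: op left unset */
    struct model_subreq sr = { 1, 0, 0, 0 };  /* constructed: flagged for retry */
    enum retry_path path = retry_fixed(&p9, &sr);
    printf("path=%d reissued=%d\n", (int)path, sr.reissued);
    return 0;
}
```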


How can this vulnerability impact me?

This vulnerability can cause a NULL pointer dereference in the Linux kernel, which may lead to a kernel crash or system instability when certain write operations are retried on affected filesystems like 9P.

Such crashes can result in denial of service (DoS) conditions, potentially disrupting normal system operations and affecting availability.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been resolved by fixing the NULL pointer dereference in the Linux kernel's netfs_unbuffered_write() function. To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.

  • Apply the latest Linux kernel updates or patches that address this issue.
  • Avoid using vulnerable kernel versions that do not include the fix for the NULL pointer dereference in netfs_unbuffered_write().
