CVE-2026-31438
Analyzed Analyzed - Analysis Complete
Kernel BUG Triggered by Improper Iterator Handling in Linux netfs

Publication date: 2026-04-22

Last updated on: 2026-05-19

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: netfs: Fix kernel BUG in netfs_limit_iter() for ITER_KVEC iterators When a process crashes and the kernel writes a core dump to a 9P filesystem, __kernel_write() creates an ITER_KVEC iterator. This iterator reaches netfs_limit_iter() via netfs_unbuffered_write(), which only handles ITER_FOLIOQ, ITER_BVEC and ITER_XARRAY iterator types, hitting the BUG() for any other type. Fix this by adding netfs_limit_kvec() following the same pattern as netfs_limit_bvec(), since both kvec and bvec are simple segment arrays with pointer and length fields. Dispatch it from netfs_limit_iter() when the iterator type is ITER_KVEC.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-05-19
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-14
NVD
CVE-2026-31438
EUVD
EUVD-2026-24764
Affected Vendors & Products
Showing 9 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.21 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.11 (exc)
linux linux_kernel From 6.8 (inc) to 6.12.80 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's netfs subsystem. When a process crashes and the kernel attempts to write a core dump to a 9P filesystem, it uses an iterator of type ITER_KVEC in the __kernel_write() function. However, the netfs_limit_iter() function, which is called during this process, only handles certain iterator types (ITER_FOLIOQ, ITER_BVEC, and ITER_XARRAY). When it encounters the ITER_KVEC type, it triggers a kernel BUG() because it is not handled properly.

The fix involved adding support for the ITER_KVEC iterator type by implementing netfs_limit_kvec(), similar to the existing netfs_limit_bvec(), and dispatching it correctly from netfs_limit_iter(). This prevents the kernel BUG from occurring when handling ITER_KVEC iterators.

Impact Analysis

This vulnerability can cause the Linux kernel to hit a BUG() and potentially crash or become unstable when writing core dumps to a 9P filesystem after a process crash. This could lead to system instability or denial of service conditions during such events.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31438. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart