CVE-2026-43470
Received - Intake
Directory Alias Handling Flaw in Linux Kernel

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

nfs: return EISDIR on nfs3_proc_create if d_alias is a dir

If we found an alias through nfs3_do_create/nfs_add_or_obtain/d_splice_alias which happens to be a dir dentry, we don't return any error, and simply forget about this alias, but the original dentry we were adding and passed as parameter remains negative.

This later causes an oops on nfs_atomic_open_v23/finish_open since we supply a negative dentry to do_dentry_open.

This has been observed running lustre-racer, where dirs and files are created/removed concurrently with the same name and O_EXCL is not used to open files (frequent file redirection).

While d_splice_alias typically returns a directory alias or NULL, we explicitly check d_is_dir() to ensure that we don't attempt to perform file operations (like finish_open) on a directory inode, which triggers the observed oops.
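The state sequence described above, as a userspace model added here for illustration. It is not kernel code and not the upstream patch; the types, the model_* functions and MODEL_OOPS are hypothetical stand-ins, and the model covers only the two splice outcomes the description mentions (NULL or a directory alias).

```c
/* Userspace model of the create/open sequence; toy types, not kernel code. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct inode  { bool is_dir; };
struct dentry { struct inode *inode; };   /* inode == NULL: negative dentry */

#define MODEL_OOPS (-1000)                /* constructed marker for "would oops" */

static bool model_is_dir(const struct dentry *d) { return d && d->inode && d->inode->is_dir; }

/* Create step. 'alias' models what the splice step handed back:
 * NULL means 'dentry' itself was instantiated with 'new_inode'. */
static int model_create(struct dentry *dentry, struct dentry *alias,
                        struct inode *new_inode, bool patched)
{
    if (alias == NULL) {
        dentry->inode = new_inode;        /* normal case: dentry becomes positive */
        return 0;
    }
    if (patched && model_is_dir(alias))
        return -EISDIR;                   /* fixed behaviour: report the directory alias */
    return 0;                             /* pre-fix: alias forgotten, dentry still negative */
}

/* Open step: being handed a negative dentry is the crash condition. */
static int model_finish_open(const struct dentry *d) { return d->inode ? 0 : MODEL_OOPS; }

/* Atomic-open caller: reaches the open step only when create reported success. */
static int model_atomic_open(struct dentry *alias, bool patched)
{
    struct inode file = { .is_dir = false };
    struct dentry dentry = { .inode = NULL };      /* starts negative */
    int err = model_create(&dentry, alias, &file, patched);
    return err ? err : model_finish_open(&dentry);
}

int main(void)
{
    struct inode dir = { .is_dir = true };
    struct dentry dir_alias = { .inode = &dir };   /* constructed: a directory holds the name */
    printf("no alias=%d pre-fix=%d patched=%d\n", model_atomic_open(NULL, false),
           model_atomic_open(&dir_alias, false), model_atomic_open(&dir_alias, true));
    return 0;
}
```

In the model, the pre-fix path returns success from create and hands a negative dentry to the open step, while the patched path stops at create with -EISDIR, so the open step is never reached.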
Meta Information
Published: 2026-05-08
Last Modified: 2026-05-08
Generated: 2026-05-09
AI Q&A: 2026-05-08
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor    Product         Version / Range
linux     linux_kernel    *
lustre    lustre_racer    *
CWE ID Description
CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's NFS (Network File System) implementation. Specifically, when creating files using NFS version 3, if an alias found during the creation process happens to be a directory, the system does not return an error as it should. Instead, it ignores the alias but leaves the original directory entry (dentry) in a negative state.

Later, this negative dentry causes a kernel oops (a type of crash) during file open operations because the system attempts to perform file operations on what it thinks is a file but is actually a directory. This issue was observed in scenarios where directories and files are created and removed concurrently with the same name, especially when exclusive file opening flags are not used.


How can this vulnerability impact me?

This vulnerability can cause the Linux kernel to crash (kernel oops) when performing certain file operations over NFS. Such crashes can lead to system instability, potential denial of service, and disruption of services relying on NFS file operations.

