{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31438", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.090Z", "datePublished": "2026-04-22T13:53:37.053Z", "dateUpdated": "2026-05-11T22:08:42.611Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:08:42.611Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Fix kernel BUG in netfs_limit_iter() for ITER_KVEC iterators\n\nWhen a process crashes and the kernel writes a core dump to a 9P\nfilesystem, __kernel_write() creates an ITER_KVEC iterator. This\niterator reaches netfs_limit_iter() via netfs_unbuffered_write(), which\nonly handles ITER_FOLIOQ, ITER_BVEC and ITER_XARRAY iterator types,\nhitting the BUG() for any other type.\n\nFix this by adding netfs_limit_kvec() following the same pattern as\nnetfs_limit_bvec(), since both kvec and bvec are simple segment arrays\nwith pointer and length fields. Dispatch it from netfs_limit_iter() when\nthe iterator type is ITER_KVEC."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/netfs/iterator.c"], "versions": [{"version": "cae932d3aee55035a54415dcea8e7ecf2ec469b5", "lessThan": "18c2e20b42dd21db599e42d05ddaeeb647b2bb6d", "status": "affected", "versionType": "git"}, {"version": "cae932d3aee55035a54415dcea8e7ecf2ec469b5", "lessThan": "4bc2d72c7695cedf6d4e1a558924903c2b28a78e", "status": "affected", "versionType": "git"}, {"version": "cae932d3aee55035a54415dcea8e7ecf2ec469b5", "lessThan": "00d6df7115f6972370974212de9088087820802e", "status": "affected", "versionType": "git"}, {"version": "cae932d3aee55035a54415dcea8e7ecf2ec469b5", "lessThan": "67e467a11f62ff64ad219dc6aa5459e132c79d14", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/netfs/iterator.c"], "versions": [{"version": "6.8", "status": "affected"}, {"version": "0", "lessThan": "6.8", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.80", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.12.80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/18c2e20b42dd21db599e42d05ddaeeb647b2bb6d"}, {"url": "https://git.kernel.org/stable/c/4bc2d72c7695cedf6d4e1a558924903c2b28a78e"}, {"url": "https://git.kernel.org/stable/c/00d6df7115f6972370974212de9088087820802e"}, {"url": "https://git.kernel.org/stable/c/67e467a11f62ff64ad219dc6aa5459e132c79d14"}], "title": "netfs: Fix kernel BUG in netfs_limit_iter() for ITER_KVEC iterators", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Fix kernel BUG in netfs_limit_iter() for ITER_KVEC iterators\n\nWhen a process crashes and the kernel writes a core dump to a 9P\nfilesystem, __kernel_write() creates an ITER_KVEC iterator. This\niterator reaches netfs_limit_iter() via netfs_unbuffered_write(), which\nonly handles ITER_FOLIOQ, ITER_BVEC and ITER_XARRAY iterator types,\nhitting the BUG() for any other type.\n\nFix this by adding netfs_limit_kvec() following the same pattern as\nnetfs_limit_bvec(), since both kvec and bvec are simple segment arrays\nwith pointer and length fields. Dispatch it from netfs_limit_iter() when\nthe iterator type is ITER_KVEC."}], "id": "CVE-2026-31438", "lastModified": "2026-04-23T16:17:41.280", "metrics": {}, "published": "2026-04-22T14:16:37.100", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/00d6df7115f6972370974212de9088087820802e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/18c2e20b42dd21db599e42d05ddaeeb647b2bb6d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/4bc2d72c7695cedf6d4e1a558924903c2b28a78e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/67e467a11f62ff64ad219dc6aa5459e132c79d14"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: netfs: Fix kernel BUG in netfs_limit_iter() for ITER_KVEC iterators", "id": "2460733", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460733"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-843", "details": ["A flaw was found in the Linux kernel's netfs component. When a process crashes and the kernel attempts to write a core dump to a 9P filesystem, the `netfs_limit_iter()` function does not properly handle `ITER_KVEC` iterators. This oversight can lead to a kernel BUG, resulting in a system crash and a Denial of Service (DoS) for the affected system."], "name": "CVE-2026-31438", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31438\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31438\nhttps://lore.kernel.org/linux-cve-announce/2026042243-CVE-2026-31438-66c2@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[cae932d3aee55035a54415dcea8e7ecf2ec469b5,18c2e20b42dd21db599e42d05ddaeeb647b2bb6d)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[cae932d3aee55035a54415dcea8e7ecf2ec469b5,4bc2d72c7695cedf6d4e1a558924903c2b28a78e)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[cae932d3aee55035a54415dcea8e7ecf2ec469b5,00d6df7115f6972370974212de9088087820802e)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[cae932d3aee55035a54415dcea8e7ecf2ec469b5,67e467a11f62ff64ad219dc6aa5459e132c79d14)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.8"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.8)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.80,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.21,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.11,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-29T00:16:22.003545+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that contains the netfs_limit_kvec patch.", "Restrict 9P mounts to trusted users and avoid using 9P as a core dump target.", "Redirect core dumps to a non-9P filesystem or custom handler if an immediate kernel upgrade is not possible."], "summary": {"action": "Apply Patch", "impact": "Kernel panic (denial of service)"}, "threat_synthesis": {"affected_systems": "All Linux kernel builds that include 9P filesystem support and have not yet applied the netfs_limit_kvec patch are affected. This includes all releases prior to the commit that added the patch. No specific version ranges are listed, so any Linux kernel built without the fix is vulnerable.", "description_and_impact": "A kernel assertion bug exists in the 9P filesystem path when the kernel writes a core dump to a 9P filesystem. The core dump routine creates an ITER_KVEC iterator that is not handled by netfs_limit_iter(), causing the kernel to invoke BUG() and panic. The result is a denial of service from a system crash. The flaw involves incorrect handling of iterator types, which corresponds to CWE-843.", "risk_and_exploitability": "The EPSS score of < 1% indicates a very low but nonzero exploitation probability, and the CVSS score of 7.0 reflects moderate severity. The vulnerability is not listed in the CISA KEV catalog. It can be triggered locally when a process crashes on a 9P mount, causing the kernel to panic. Based on the description, it is inferred that a remote attacker would need to invoke privileged code or force a process crash to trigger the bug. No public exploits are known, but the kernel instability could cause a moderate-to-high impact if exploited."}}}}, "created": "2026-04-22T16:30:21.825969+00:00", "updated": "2026-04-29T00:30:16.111584+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}