{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31577", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.119Z", "datePublished": "2026-04-24T14:42:08.879Z", "dateUpdated": "2026-05-11T22:11:28.945Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:11:28.945Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix NULL i_assoc_inode dereference in nilfs_mdt_save_to_shadow_map\n\nThe DAT inode's btree node cache (i_assoc_inode) is initialized lazily\nduring btree operations. However, nilfs_mdt_save_to_shadow_map()\nassumes i_assoc_inode is already initialized when copying dirty pages\nto the shadow map during GC.\n\nIf NILFS_IOCTL_CLEAN_SEGMENTS is called immediately after mount before\nany btree operation has occurred on the DAT inode, i_assoc_inode is\nNULL leading to a general protection fault.\n\nFix this by calling nilfs_attach_btree_node_cache() on the DAT inode\nin nilfs_dat_read() at mount time, ensuring i_assoc_inode is always\ninitialized before any GC operation can use it."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/nilfs2/dat.c"], "versions": [{"version": "e897be17a441fa637cd166fc3de1445131e57692", "lessThan": "7318e3549518ce8f14776a489d86488d80d7e2c8", "status": "affected", "versionType": "git"}, {"version": "e897be17a441fa637cd166fc3de1445131e57692", "lessThan": "449ec5fc99f45974525ba9eea16b6670c45cd363", "status": "affected", "versionType": "git"}, {"version": "e897be17a441fa637cd166fc3de1445131e57692", "lessThan": "c36e206f302f1ddefed92d09ecbba070e1ae079e", "status": "affected", "versionType": "git"}, {"version": "e897be17a441fa637cd166fc3de1445131e57692", "lessThan": "41de342278ae025c99cc8d33648773f05e306cf1", "status": "affected", "versionType": "git"}, {"version": "e897be17a441fa637cd166fc3de1445131e57692", "lessThan": "97fb7afec404912d967a7d4715f37742666b3084", "status": "affected", "versionType": "git"}, {"version": "e897be17a441fa637cd166fc3de1445131e57692", "lessThan": "4a4e0328edd9e9755843787d28f16dd4165f8b48", "status": "affected", "versionType": "git"}, {"version": "6c3da8c0a35bbafe359d9166269d5590f29664de", "status": "affected", "versionType": "git"}, {"version": "605babb979c213737618b1c837e89624e5ab11fd", "status": "affected", "versionType": "git"}, {"version": "307d021b1a7f33048b624f7aaeaa75e3eae571f1", "status": "affected", "versionType": "git"}, {"version": "d626fcdabea2258be395a775bdbe09270e9bf73d", "status": "affected", "versionType": "git"}, {"version": "d05cc5395e36711edad8bdef6945f138d8a7097b", "status": "affected", "versionType": "git"}, {"version": "1829b24a36ca12ca95b96d5478faeff40c17f2b6", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/nilfs2/dat.c"], "versions": [{"version": "5.18", "status": "affected"}, {"version": "0", "lessThan": "5.18", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.136", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.83", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.24", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.14", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0.1", "lessThanOrEqual": "7.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.1-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.6.136"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.12.83"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.18.24"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.19.14"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "7.0.1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "7.1-rc1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.14.296"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19.245"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4.196"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10.118"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.42"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.17.10"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/7318e3549518ce8f14776a489d86488d80d7e2c8"}, {"url": "https://git.kernel.org/stable/c/449ec5fc99f45974525ba9eea16b6670c45cd363"}, {"url": "https://git.kernel.org/stable/c/c36e206f302f1ddefed92d09ecbba070e1ae079e"}, {"url": "https://git.kernel.org/stable/c/41de342278ae025c99cc8d33648773f05e306cf1"}, {"url": "https://git.kernel.org/stable/c/97fb7afec404912d967a7d4715f37742666b3084"}, {"url": "https://git.kernel.org/stable/c/4a4e0328edd9e9755843787d28f16dd4165f8b48"}], "title": "nilfs2: fix NULL i_assoc_inode dereference in nilfs_mdt_save_to_shadow_map", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "14109CEF-714B-4029-A318-97AA58A01833", "versionEndExcluding": "6.6.136", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8", "versionEndExcluding": "6.12.83", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8126B8B8-6D0B-4443-86C1-672AEE893555", "versionEndExcluding": "6.18.24", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D6A8A074-BBF4-4803-ABED-519A839435BB", "versionEndExcluding": "6.19.14", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B5888AB-7403-4335-89E4-21CC0B48366A", "versionEndExcluding": "7.0.1", "versionStartIncluding": "7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix NULL i_assoc_inode dereference in nilfs_mdt_save_to_shadow_map\n\nThe DAT inode's btree node cache (i_assoc_inode) is initialized lazily\nduring btree operations. However, nilfs_mdt_save_to_shadow_map()\nassumes i_assoc_inode is already initialized when copying dirty pages\nto the shadow map during GC.\n\nIf NILFS_IOCTL_CLEAN_SEGMENTS is called immediately after mount before\nany btree operation has occurred on the DAT inode, i_assoc_inode is\nNULL leading to a general protection fault.\n\nFix this by calling nilfs_attach_btree_node_cache() on the DAT inode\nin nilfs_dat_read() at mount time, ensuring i_assoc_inode is always\ninitialized before any GC operation can use it."}], "id": "CVE-2026-31577", "lastModified": "2026-04-27T20:41:46.103", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-24T15:16:32.347", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/41de342278ae025c99cc8d33648773f05e306cf1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/449ec5fc99f45974525ba9eea16b6670c45cd363"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/4a4e0328edd9e9755843787d28f16dd4165f8b48"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7318e3549518ce8f14776a489d86488d80d7e2c8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/97fb7afec404912d967a7d4715f37742666b3084"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c36e206f302f1ddefed92d09ecbba070e1ae079e"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: nilfs2: fix NULL i_assoc_inode dereference in nilfs_mdt_save_to_shadow_map", "id": "2461561", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461561"}, "csaw": false, "cwe": "CWE-824", "details": ["A flaw was found in the `nilfs2` filesystem within the Linux kernel. A local user can trigger a null pointer dereference by calling the `NILFS_IOCTL_CLEAN_SEGMENTS` operation immediately after mounting the filesystem, but before any btree operations have occurred on the Data Allocation Table (DAT) inode. This can lead to a general protection fault, resulting in a system crash and a Denial of Service (DoS)."], "name": "CVE-2026-31577", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31577\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31577\nhttps://lore.kernel.org/linux-cve-announce/2026042410-CVE-2026-31577-5e81@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e897be17a441fa637cd166fc3de1445131e57692,7318e3549518ce8f14776a489d86488d80d7e2c8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e897be17a441fa637cd166fc3de1445131e57692,449ec5fc99f45974525ba9eea16b6670c45cd363)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e897be17a441fa637cd166fc3de1445131e57692,c36e206f302f1ddefed92d09ecbba070e1ae079e)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e897be17a441fa637cd166fc3de1445131e57692,41de342278ae025c99cc8d33648773f05e306cf1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e897be17a441fa637cd166fc3de1445131e57692,97fb7afec404912d967a7d4715f37742666b3084)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e897be17a441fa637cd166fc3de1445131e57692,4a4e0328edd9e9755843787d28f16dd4165f8b48)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "6c3da8c0a35bbafe359d9166269d5590f29664de"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "605babb979c213737618b1c837e89624e5ab11fd"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "307d021b1a7f33048b624f7aaeaa75e3eae571f1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "d626fcdabea2258be395a775bdbe09270e9bf73d"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "d05cc5395e36711edad8bdef6945f138d8a7097b"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "1829b24a36ca12ca95b96d5478faeff40c17f2b6"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "5.18"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,5.18)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.136,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.83,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.24,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.14,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0.1,7.1.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.1-rc1,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T23:44:46.170581+00:00", "value": {"mitigation_remediation": ["Apply the Linux kernel update that incorporates commit 41de342278ae025c99cc8d33648773f05e306cf1 to ensure i_assoc_inode is initialized on mount.", "Restart the system using the updated kernel to load the corrected NILFS2 driver and prevent potential kernel crashes.", "When possible, restrict or defer use of the NILFS_IOCTL_CLEAN_SEGMENTS ioctl until after normal btree operations have been performed on the DAT inode; consider disabling the ioctl in applications that do not require immediate segment cleaning."], "summary": {"action": "Patch Now", "impact": "Denial of Service (kernel crash)"}, "threat_synthesis": {"affected_systems": "All Linux systems that run a kernel incorporating the NILFS2 driver prior to the patch provided in commit 41de342278ae025c99cc8d33648773f05e306cf1. The issue affects the infrastructure that mounts and uses the Nilfs2 filesystem, regardless of distribution, because the vulnerability resides in the core kernel code rather than a distribution\u2011specific module.", "description_and_impact": "The vulnerability in the Linux NILFS2 filesystem driver allows an attacker to trigger a null pointer dereference when a NILFS_IOCTL_CLEAN_SEGMENTS ioctl is issued immediately after mounting the filesystem, before any btree operations on the DAT inode have occurred. This flaw can lead to a general protection fault and a kernel crash, denying service for the affected system. The weakness is a classic NULL pointer dereference (CWE\u2011476) and a concurrent misuse of uninitialized data (CWE\u2011824) that occurs during the garbage collection process.", "risk_and_exploitability": "The CVSS score of 5.5 indicates moderate severity, and the EPSS score of <\u202f1% shows a very low estimated probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a local user who can perform the NILFS_IOCTL_CLEAN_SEGMENTS ioctl on a mounted Nilfs2 filesystem; a privileged or unprivileged user can cause the fault once the ioctl is invoked before any btree activity has initialized the i_assoc_inode cache. The attack results in a kernel panic and a denial of service."}}}}, "created": "2026-04-27T19:00:15.727586+00:00", "updated": "2026-04-28T23:45:16.063473+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}