VYPR
← All advisories
Critical severity9.8NVD Advisory· Published Apr 3, 2026· Updated May 20, 2026

CVE-2026-31402

CVE-2026-31402

Description

In the Linux kernel, the following vulnerability has been resolved:

nfsd: fix heap overflow in NFSv4.0 LOCK replay cache

The NFSv4.0 replay cache uses a fixed 112-byte inline buffer (rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses. This size was calculated based on OPEN responses and does not account for LOCK denied responses, which include the conflicting lock owner as a variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT).

When a LOCK operation is denied due to a conflict with an existing lock that has a large owner, nfsd4_encode_operation() copies the full encoded response into the undersized replay buffer via read_bytes_from_xdr_buf() with no bounds check. This results in a slab-out-of-bounds write of up to 944 bytes past the end of the buffer, corrupting adjacent heap memory.

This can be triggered remotely by an unauthenticated attacker with two cooperating NFSv4.0 clients: one sets a lock with a large owner string, then the other requests a conflicting lock to provoke the denial.

We could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full opaque, but that would increase the size of every stateowner, when most lockowners are not that large.

Instead, fix this by checking the encoded response length against NFSD4_REPLAY_ISIZE before copying into the replay buffer. If the response is too large, set rp_buflen to 0 to skip caching the replay payload. The status is still cached, and the client already received the correct response on the original request.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Heap overflow in Linux kernel NFSv4.0 replay cache allows remote attackers to corrupt heap via crafted LOCK requests.

Vulnerability

Details The NFSv4.0 replay cache in the Linux kernel uses a fixed 112-byte inline buffer to store encoded operation responses. This buffer size was calculated based on OPEN responses and does not account for LOCK denied responses, which can include a variable-length conflicting lock owner field up to 1024 bytes. When a LOCK operation is denied, nfsd4_encode_operation() copies the full encoded response into the undersized buffer via read_bytes_from_xdr_buf() without bounds checking, resulting in a slab-out-of-bounds write of up to 944 bytes past the buffer end [1].

Exploitation

An unauthenticated remote attacker can exploit this vulnerability by using two cooperating NFSv4.0 clients. The first client sets a lock with a large owner string (up to 1024 bytes), and the second client requests a conflicting lock to provoke a denial response. The large owner is then copied into the replay buffer, causing the heap overflow.

Impact

Successful exploitation corrupts adjacent heap memory, potentially leading to system crash or arbitrary code execution. Given the unauthenticated remote attack vector and the critical severity (CVSS 9.8), this vulnerability poses a significant threat to systems running the affected Linux kernel versions.

Mitigation

The fix has been backported to stable kernel trees. Instead of increasing the buffer size (which would waste memory for most lock owners), the patch checks the encoded response length against the buffer capacity. If the response exceeds the limit, the replay caching of the payload is skipped while the status is still cached. Administrators should apply the latest kernel updates from their distribution [2][3][4].

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!
  3. Making sure you're not a bot!
  4. Making sure you're not a bot!

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

7

News mentions

0

No linked articles in our index yet.