VYPR
← All advisories
High severity8.8NVD Advisory· Published Apr 22, 2026· Updated Apr 27, 2026

CVE-2026-31435

CVE-2026-31435

Description

In the Linux kernel, the following vulnerability has been resolved:

netfs: Fix read abandonment during retry

Under certain circumstances, all the remaining subrequests from a read request will get abandoned during retry. The abandonment process expects the 'subreq' variable to be set to the place to start abandonment from, but it doesn't always have a useful value (it will be uninitialised on the first pass through the loop and it may point to a deleted subrequest on later passes).

Fix the first jump to "abandon:" to set subreq to the start of the first subrequest expected to need retry (which, in this abandonment case, turned out unexpectedly to no longer have NEED_RETRY set).

Also clear the subreq pointer after discarding superfluous retryable subrequests to cause an oops if we do try to access it.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's netfs subsystem, a bug during read retry can cause all remaining subrequests to be abandoned, leading to data loss or corruption.

Vulnerability

Overview

CVE-2026-31435 is a high-severity bug in the Linux kernel's netfs (network filesystem) layer. Under certain circumstances, when a read request is retried, all remaining subrequests may be incorrectly abandoned. The abandonment logic expects the 'subreq' variable to point to the starting subrequest for abandonment, but this variable can be uninitialized on the first loop pass or may reference a deleted subrequest on subsequent passes. This leads to the abandonment of subrequests that should have been retried, potentially causing data loss or corruption.

Exploitation

An attacker would need to trigger a read retry scenario in a netfs-based filesystem (e.g., NFS, CIFS, or AFS). The bug is triggered during the retry path when the kernel attempts to handle subrequests that have the NEED_RETRY flag set. The fix ensures that the 'subreq' variable is properly set to the first subrequest expected to need retry before jumping to the abandonment code, and clears the pointer after discarding superfluous retryable subrequests to prevent use-after-free.

Impact

Successful exploitation could lead to denial of service (system crash or hang) or data corruption for filesystem operations. The CVSS v3 score of 8.8 indicates high impact on confidentiality, integrity, and availability, though the attack complexity is high and requires local access or a specific network condition.

Mitigation

The vulnerability is fixed in the Linux kernel stable releases. Patches are available in commits [1], [2], and [3] (though the reference URLs are behind an Anubis challenge, the commit hashes are provided). Users should update their kernel to a version containing the fix. No workaround is documented.

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!
  3. Making sure you're not a bot!

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

3

News mentions

0

No linked articles in our index yet.