VYPR
Medium severity 5.5 · NVD Advisory · Published Apr 22, 2026 · Updated May 19, 2026

CVE-2026-31437

Description

In the Linux kernel, the following vulnerability has been resolved:

netfs: Fix NULL pointer dereference in netfs_unbuffered_write() on retry

When a write subrequest is marked NETFS_SREQ_NEED_RETRY, the retry path in netfs_unbuffered_write() unconditionally calls stream->prepare_write() without checking if it is NULL.

Filesystems such as 9P do not set the prepare_write operation, so stream->prepare_write remains NULL. When get_user_pages() fails with -EFAULT and the subrequest is flagged for retry, this results in a NULL pointer dereference at fs/netfs/direct_write.c:189.

Fix this by mirroring the pattern already used in write_retry.c: if stream->prepare_write is NULL, skip renegotiation and directly reissue the subrequest via netfs_reissue_write(), which handles iterator reset, IN_PROGRESS flag, stats update and reissue internally.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A NULL pointer dereference in netfs_unbuffered_write() on retry can trigger a crash when filesystems like 9P lack prepare_write.

Root Cause

The vulnerability is a NULL pointer dereference in netfs_unbuffered_write() inside the Linux kernel's netfs subsystem. When a write subrequest is marked NETFS_SREQ_NEED_RETRY (e.g., after get_user_pages() fails with -EFAULT), the retry path unconditionally calls stream->prepare_write() without verifying that the function pointer is non-NULL. Filesystems like 9P do not set the prepare_write operation, leaving it as NULL, which leads to a crash at fs/netfs/direct_write.c:189 [1].

Exploitation

An attacker capable of triggering a write failure that results in a retry—such as causing a -EFAULT from get_user_pages()—on a filesystem that does not define prepare_write (e.g., 9P) can cause the kernel to dereference a NULL pointer. This requires local access or the ability to mount and use such a filesystem, leading to a denial of service [2].

Impact

Successful exploitation results in a kernel NULL pointer dereference, causing a system crash (Oops) or panic. This is a denial-of-service vulnerability with no privilege escalation or data corruption described in the sources.

Mitigation

The fix, already applied to the stable kernel tree, mirrors the pattern used in write_retry.c: if stream->prepare_write is NULL, the code skips the renegotiation and directly reissues the subrequest via netfs_reissue_write(), which handles iterator reset and flags properly. Users should apply the patch or update to a kernel version including the commit 7a5482f5ce89 [1][3].
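The guard described above, as a user-space C model. This is an added example, not the kernel's code or the patch itself: every struct and function name is a hypothetical stand-in, and `model_reissue` only approximates what the description says `netfs_reissue_write()` does.

```c
#include <stdbool.h>
#include <stddef.h>

/* User-space model only; every name below is hypothetical, not a kernel definition. */
struct subreq {
    bool need_retry;   /* models NETFS_SREQ_NEED_RETRY */
    bool in_progress;  /* models the IN_PROGRESS flag */
    int  prepared;     /* how many times renegotiation ran */
    int  issued;       /* how many times the write was issued */
};

struct stream_ops {
    void (*prepare_write)(struct subreq *); /* optional hook: NULL on e.g. 9P */
    void (*issue_write)(struct subreq *);   /* always set */
};

void model_prepare(struct subreq *s) { s->prepared++; }
void model_issue(struct subreq *s)   { s->issued++; }

/* Stand-in for netfs_reissue_write(): resets state and reissues in one place. */
void model_reissue(const struct stream_ops *ops, struct subreq *s) {
    s->need_retry = false;
    s->in_progress = true;
    ops->issue_write(s);
}

/* Pre-fix shape: calls the optional hook without a check (faults when it is NULL). */
void retry_unguarded(const struct stream_ops *ops, struct subreq *s) {
    ops->prepare_write(s);
    model_reissue(ops, s);
}

/* Post-fix shape: renegotiate only when the hook exists, otherwise reissue directly. */
void retry_guarded(const struct stream_ops *ops, struct subreq *s) {
    if (ops->prepare_write)
        ops->prepare_write(s);
    model_reissue(ops, s);
}

/* Runs the guarded retry once; returns the prepare count, or -1 if no reissue happened. */
int demo_retry(bool with_hook) {
    struct stream_ops ops = { with_hook ? model_prepare : NULL, model_issue };
    struct subreq s = { .need_retry = true };
    retry_guarded(&ops, &s);
    return (s.issued == 1 && s.in_progress && !s.need_retry) ? s.prepared : -1;
}

int main(void) { return (demo_retry(false) == 0 && demo_retry(true) == 1) ? 0 : 1; }
```

When auditing similar code, treat any ops-table member that some filesystems leave unset as optional at every call site, including error and retry paths that ordinary testing rarely reaches.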

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
