CVE-2026-31438
Description
In the Linux kernel, the following vulnerability has been resolved:
netfs: Fix kernel BUG in netfs_limit_iter() for ITER_KVEC iterators
When a process crashes and the kernel writes a core dump to a 9P filesystem, __kernel_write() creates an ITER_KVEC iterator. This iterator reaches netfs_limit_iter() via netfs_unbuffered_write(), which only handles ITER_FOLIOQ, ITER_BVEC and ITER_XARRAY iterator types, hitting the BUG() for any other type.
Fix this by adding netfs_limit_kvec() following the same pattern as netfs_limit_bvec(), since both kvec and bvec are simple segment arrays with pointer and length fields. Dispatch it from netfs_limit_iter() when the iterator type is ITER_KVEC.
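The segment walk and type dispatch described above, as an added user-space C model; it is not the kernel patch and not code from this page. All names (`struct seg`, `struct seg_iter`, `limit_segs`, `limit_iter`, `demo`, `IT_KVEC`, `IT_OTHER`) are hypothetical stand-ins, and the dispatcher returns -1 for an unhandled type instead of aborting so the outcome can be checked.

```c
#include <stddef.h>
#include <stdio.h>

/* User-space model: stand-in types, not kernel definitions. */
enum iter_type { IT_KVEC, IT_OTHER };
struct seg { const char *base; size_t len; };   /* pointer + length */
struct seg_iter {
    enum iter_type type;
    const struct seg *segs;
    size_t nr_segs, iov_offset, count;  /* count: bytes left after iov_offset */
};

/* Bytes usable from start_offset without exceeding max_size or max_segs. */
static size_t limit_segs(const struct seg_iter *it, size_t start_offset,
                         size_t max_size, size_t max_segs)
{
    size_t skip = it->iov_offset + start_offset, ix = 0, span = 0, nsegs = 0;
    size_t n, len;
    if (start_offset >= it->count)
        return 0;
    n = it->count - start_offset;
    while (ix < it->nr_segs && skip >= it->segs[ix].len)
        skip -= it->segs[ix++].len;     /* segments wholly before the start */
    while (n && ix < it->nr_segs && nsegs < max_segs && span < max_size) {
        len = it->segs[ix++].len - skip;        /* rest of this segment */
        if (len > n) len = n;
        if (len > max_size - span) len = max_size - span;
        span += len; n -= len;
        nsegs++; skip = 0;
    }
    return span;
}

/* Dispatch by type; -1 marks a type with no handler, the BUG() position. */
static long limit_iter(const struct seg_iter *it, size_t start_offset,
                       size_t max_size, size_t max_segs)
{
    if (it->type != IT_KVEC)
        return -1;
    return (long)limit_segs(it, start_offset, max_size, max_segs);
}

/* Constructed sample: segments of 4, 6 and 10 bytes, 20 in total. */
static const struct seg sample[] = { {"AAAA", 4}, {"BBBBBB", 6}, {"CCCCCCCCCC", 10} };
static long demo(enum iter_type t, size_t iov_off, size_t start, size_t max, size_t segs)
{
    struct seg_iter it = { t, sample, 3, iov_off, 20 - iov_off };
    return limit_iter(&it, start, max, segs);
}
int main(void) { printf("%ld\n", demo(IT_KVEC, 0, 2, 100, 2)); return 0; }
```

The model shows the two limits interacting: a start offset inside the first segment still consumes one of the `max_segs` slots, and `max_size` can truncate the last segment counted.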
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A kernel BUG in netfs_limit_iter() occurs when an ITER_KVEC iterator reaches it, potentially crashing the system during core dumps to 9P filesystems.
Vulnerability
Overview
A kernel BUG was discovered in the Linux kernel's netfs_limit_iter() function, triggered when an iterator of type ITER_KVEC reaches it. netfs_limit_iter() only handles the ITER_FOLIOQ, ITER_BVEC, and ITER_XARRAY iterator types, but when a process crashes and the kernel writes its core dump to a 9P filesystem, __kernel_write() creates an ITER_KVEC iterator, which reaches netfs_limit_iter() via netfs_unbuffered_write(). The unhandled type hits the BUG() in netfs_limit_iter(), causing a kernel panic (system crash) [1][2][3][4].
Exploitation
Exploitation requires a local attacker who can trigger a process crash on a system that writes core dumps to a 9P filesystem. The attacker does not need special privileges beyond those needed to cause a crash (e.g., through a user process), and the crashing process needs no authentication. The attack surface is limited to systems configured with the 9P network filesystem as the core dump target, which is a relatively uncommon configuration.
Impact
A successful trigger results in a kernel BUG (panic), causing a denial of service (DoS) condition — the entire system crashes or becomes unavailable. The impact is limited to availability; there is no evidence of privilege escalation or data compromise. The CVSS v3 score of 5.5 (Medium) reflects this local, high-impact DoS with a specific prerequisite [1].
Mitigation
The fix has been applied in the Linux kernel stable tree via multiple commits, including 4bc2d72c7695, 67e467a11f62, 00d6df7115f6, and 18c2e20b42dd [1][2][3][4]. The fix adds a netfs_limit_kvec() handler following the pattern of netfs_limit_bvec(), so that ITER_KVEC iterators are properly handled without hitting the BUG(). System administrators should apply the latest stable kernel updates containing this patch. No workaround is available beyond avoiding the use of 9P for core dumps until the patch is applied.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.