CVE-2026-43470
Description
In the Linux kernel, the following vulnerability has been resolved:
nfs: return EISDIR on nfs3_proc_create if d_alias is a dir
If we found an alias through nfs3_do_create/nfs_add_or_obtain /d_splice_alias which happens to be a dir dentry, we don't return any error, and simply forget about this alias, but the original dentry we were adding and passed as parameter remains negative.
This later causes an oops on nfs_atomic_open_v23/finish_open since we supply a negative dentry to do_dentry_open.
This has been observed running lustre-racer, where dirs and files are created/removed concurrently with the same name and O_EXCL is not used to open files (frequent file redirection).
While d_splice_alias typically returns a directory alias or NULL, we explicitly check d_is_dir() to ensure that we don't attempt to perform file operations (like finish_open) on a directory inode, which triggers the observed oops.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A bug in the Linux kernel's NFSv3 client can cause an oops when a file creation races with a directory creation of the same name, returning a negative dentry to the open path.
Root
Cause
The vulnerability resides in the NFSv3 client's nfs3_proc_create function. When a file creation operation (nfs3_do_create) encounters an existing directory alias via d_splice_alias, the alias`, the code fails to return an error. Instead, it silently discards the alias and leaves the original dentry in a negative state. This violates the expectation that a successful create returns a positive dentry.
Exploitation
An attacker with the ability to create and delete files and directories on an NFSv3 share can trigger this race condition. By concurrently creating a directory and a file with the same name (without using O_EXCL), the client's create operation may find the directory alias and mishandle it. No special privileges required are file creation and deletion on the NFS export; no special network position is needed beyond normal NFS client access.
Impact
When the kernel later calls nfs_atomic_open_v23 or finish_open on the negative dentry, it attempts to open a file on a directory inode, causing a kernel oops (NULL pointer dereference or similar). This results in a denial of service for the NFS client system. The bug was observed in the wild with the lustre-racer test suite.
Mitigation
The fix is included in Linux kernel commit 7e2963773760a664684435201960dd2fb712f1b5 [1]. The patch adds an explicit d_is_dir() check after d_splice_alias to return -EISDIR when a directory alias is encountered, preventing the negative dentry from reaching the open path. Users should apply the latest stable kernel updates containing this commit.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4News mentions
0No linked articles in our index yet.