CVE-2026-43470 (GCVE-0-2026-43470)

Vulnerability from cvelistv5 – Published: 2026-05-08 14:22 – Updated: 2026-05-11 22:25
VLAI
Title
nfs: return EISDIR on nfs3_proc_create if d_alias is a dir
Summary
In the Linux kernel, the following vulnerability has been resolved: nfs: return EISDIR on nfs3_proc_create if d_alias is a dir If we found an alias through nfs3_do_create/nfs_add_or_obtain /d_splice_alias which happens to be a dir dentry, we don't return any error, and simply forget about this alias, but the original dentry we were adding and passed as parameter remains negative. This later causes an oops on nfs_atomic_open_v23/finish_open since we supply a negative dentry to do_dentry_open. This has been observed running lustre-racer, where dirs and files are created/removed concurrently with the same name and O_EXCL is not used to open files (frequent file redirection). While d_splice_alias typically returns a directory alias or NULL, we explicitly check d_is_dir() to ensure that we don't attempt to perform file operations (like finish_open) on a directory inode, which triggers the observed oops.
Severity
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 7c6c5249f061b64fc6b5b90bc147169a048691bf , < 7e2963773760a664684435201960dd2fb712f1b5 (git)
Affected: 7c6c5249f061b64fc6b5b90bc147169a048691bf , < 203c792cb4315360d49973ae2e57feeb6d3dcf7e (git)
Affected: 7c6c5249f061b64fc6b5b90bc147169a048691bf , < 9ee1770fcb2f1b48354622b926e7dc10222805f5 (git)
Affected: 7c6c5249f061b64fc6b5b90bc147169a048691bf , < 410666a298c34ebd57256fde6b24c96bd23059a2 (git)
Create a notification for this product.
Linux Linux Affected: 6.10
Unaffected: 0 , < 6.10 (semver)
Unaffected: 6.12.78 , ≤ 6.12.* (semver)
Unaffected: 6.18.19 , ≤ 6.18.* (semver)
Unaffected: 6.19.9 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/nfs/nfs3proc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7e2963773760a664684435201960dd2fb712f1b5",
              "status": "affected",
              "version": "7c6c5249f061b64fc6b5b90bc147169a048691bf",
              "versionType": "git"
            },
            {
              "lessThan": "203c792cb4315360d49973ae2e57feeb6d3dcf7e",
              "status": "affected",
              "version": "7c6c5249f061b64fc6b5b90bc147169a048691bf",
              "versionType": "git"
            },
            {
              "lessThan": "9ee1770fcb2f1b48354622b926e7dc10222805f5",
              "status": "affected",
              "version": "7c6c5249f061b64fc6b5b90bc147169a048691bf",
              "versionType": "git"
            },
            {
              "lessThan": "410666a298c34ebd57256fde6b24c96bd23059a2",
              "status": "affected",
              "version": "7c6c5249f061b64fc6b5b90bc147169a048691bf",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/nfs/nfs3proc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.78",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.19",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.9",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs: return EISDIR on nfs3_proc_create if d_alias is a dir\n\nIf we found an alias through nfs3_do_create/nfs_add_or_obtain\n/d_splice_alias which happens to be a dir dentry, we don\u0027t return\nany error, and simply forget about this alias, but the original\ndentry we were adding and passed as parameter remains negative.\n\nThis later causes an oops on nfs_atomic_open_v23/finish_open since we\nsupply a negative dentry to do_dentry_open.\n\nThis has been observed running lustre-racer, where dirs and files are\ncreated/removed concurrently with the same name and O_EXCL is not\nused to open files (frequent file redirection).\n\nWhile d_splice_alias typically returns a directory alias or NULL, we\nexplicitly check d_is_dir() to ensure that we don\u0027t attempt to perform\nfile operations (like finish_open) on a directory inode, which triggers\nthe observed oops."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:25:13.820Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7e2963773760a664684435201960dd2fb712f1b5"
        },
        {
          "url": "https://git.kernel.org/stable/c/203c792cb4315360d49973ae2e57feeb6d3dcf7e"
        },
        {
          "url": "https://git.kernel.org/stable/c/9ee1770fcb2f1b48354622b926e7dc10222805f5"
        },
        {
          "url": "https://git.kernel.org/stable/c/410666a298c34ebd57256fde6b24c96bd23059a2"
        }
      ],
      "title": "nfs: return EISDIR on nfs3_proc_create if d_alias is a dir",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43470",
    "datePublished": "2026-05-08T14:22:30.218Z",
    "dateReserved": "2026-05-01T14:12:56.011Z",
    "dateUpdated": "2026-05-11T22:25:13.820Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-43470",
      "date": "2026-05-28",
      "epss": "0.00013",
      "percentile": "0.02161"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-43470\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-08T15:17:00.090\",\"lastModified\":\"2026-05-21T13:59:48.260\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnfs: return EISDIR on nfs3_proc_create if d_alias is a dir\\n\\nIf we found an alias through nfs3_do_create/nfs_add_or_obtain\\n/d_splice_alias which happens to be a dir dentry, we don\u0027t return\\nany error, and simply forget about this alias, but the original\\ndentry we were adding and passed as parameter remains negative.\\n\\nThis later causes an oops on nfs_atomic_open_v23/finish_open since we\\nsupply a negative dentry to do_dentry_open.\\n\\nThis has been observed running lustre-racer, where dirs and files are\\ncreated/removed concurrently with the same name and O_EXCL is not\\nused to open files (frequent file redirection).\\n\\nWhile d_splice_alias typically returns a directory alias or NULL, we\\nexplicitly check d_is_dir() to ensure that we don\u0027t attempt to perform\\nfile operations (like finish_open) on a directory inode, which triggers\\nthe observed oops.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.10\",\"versionEndExcluding\":\"6.12.78\",\"matchCriteriaId\":\"DA007D53-8D99-404A-8E76-341B5D45F5B3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13\",\"versionEndExcluding\":\"6.18.19\",\"matchCriteriaId\":\"D394AC60-6F28-435F-872A-CCDF384B8331\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.19\",\"versionEndExcluding\":\"6.19.9\",\"matchCriteriaId\":\"E825E7C3-FEAC-4FD3-8A81-78D7387948C9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"F253B622-8837-4245-BCE5-A7BF8FC76A16\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"F666C8D8-6538-46D4-B318-87610DE64C34\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/203c792cb4315360d49973ae2e57feeb6d3dcf7e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/410666a298c34ebd57256fde6b24c96bd23059a2\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/7e2963773760a664684435201960dd2fb712f1b5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/9ee1770fcb2f1b48354622b926e7dc10222805f5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.