GHSA-H3HR-9QQW-CVG3

Vulnerability from github – Published: 2026-04-22 15:31 – Updated: 2026-04-22 15:31
VLAI?
Details

In the Linux kernel, the following vulnerability has been resolved:

netfs: Fix NULL pointer dereference in netfs_unbuffered_write() on retry

When a write subrequest is marked NETFS_SREQ_NEED_RETRY, the retry path in netfs_unbuffered_write() unconditionally calls stream->prepare_write() without checking if it is NULL.

Filesystems such as 9P do not set the prepare_write operation, so stream->prepare_write remains NULL. When get_user_pages() fails with -EFAULT and the subrequest is flagged for retry, this results in a NULL pointer dereference at fs/netfs/direct_write.c:189.

Fix this by mirroring the pattern already used in write_retry.c: if stream->prepare_write is NULL, skip renegotiation and directly reissue the subrequest via netfs_reissue_write(), which handles iterator reset, IN_PROGRESS flag, stats update and reissue internally.

Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2026-31437"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-22T14:16:36Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Fix NULL pointer dereference in netfs_unbuffered_write() on retry\n\nWhen a write subrequest is marked NETFS_SREQ_NEED_RETRY, the retry path\nin netfs_unbuffered_write() unconditionally calls stream-\u003eprepare_write()\nwithout checking if it is NULL.\n\nFilesystems such as 9P do not set the prepare_write operation, so\nstream-\u003eprepare_write remains NULL. When get_user_pages() fails with\n-EFAULT and the subrequest is flagged for retry, this results in a NULL\npointer dereference at fs/netfs/direct_write.c:189.\n\nFix this by mirroring the pattern already used in write_retry.c: if\nstream-\u003eprepare_write is NULL, skip renegotiation and directly reissue\nthe subrequest via netfs_reissue_write(), which handles iterator reset,\nIN_PROGRESS flag, stats update and reissue internally.",
  "id": "GHSA-h3hr-9qqw-cvg3",
  "modified": "2026-04-22T15:31:40Z",
  "published": "2026-04-22T15:31:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31437"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7a5482f5ce891decbf36f2e6fab1e9fc4a76a684"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a4d1b4ba9754bac3efebd06f583a44a7af52c0ab"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e9075e420a1eb3b52c60f3b95893a55e77419ce8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.