CVEFinder.io

CVE-2026-31437

🔶 medium
🔍 Scan for this CVE
Summary

In the Linux kernel, the following vulnerability has been resolved: netfs: Fix NULL pointer dereference in netfs_unbuffered_write() on retry When a write subrequest is marked NETFS_SREQ_NEED_RETRY, the retry path in netfs_unbuffered_write() unconditionally calls stream->prepare_write() without checking if it is NULL. Filesystems such as 9P do not set the prepare_write operation, so stream->prepare_write remains NULL. When get_user_pages() fails with -EFAULT and the subrequest is flagged for r

Description

In the Linux kernel, the following vulnerability has been resolved:

netfs: Fix NULL pointer dereference in netfs_unbuffered_write() on retry

When a write subrequest is marked NETFS_SREQ_NEED_RETRY, the retry path
in netfs_unbuffered_write() unconditionally calls stream->prepare_write()
without checking if it is NULL.

Filesystems such as 9P do not set the prepare_write operation, so
stream->prepare_write remains NULL. When get_user_pages() fails with
-EFAULT and the subrequest is flagged for retry, this results in a NULL
pointer dereference at fs/netfs/direct_write.c:189.

Fix this by mirroring the pattern already used in write_retry.c: if
stream->prepare_write is NULL, skip renegotiation and directly reissue
the subrequest via netfs_reissue_write(), which handles iterator reset,
IN_PROGRESS flag, stats update and reissue internally.

CVSS Score
5.5
Medium
EPSS Score
0.0
Exploit Probability
Published Date
2026-04-22
First Seen: 2026-05-20
📊 Relative Risk Intelligence

This CVE is Lower Risk - more severe than 32.6% of all 326,604 vulnerabilities in our database.

#220,252
Below average severity
Severity Percentile
Last Modified 2026-05-19
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE IDs (Weakness Types)
CWE-476

📦 Affected Products 2

Vendor Product Status Affected Versions
linux linux_kernel Affected
> 6.18.17 < 6.18.21
linux linux_kernel Affected
> 6.19.7 < 6.19.11

🔗 References 3

https://git.kernel.org/stable/c/7a5482f5ce891decbf36...
Patch
https://git.kernel.org/stable/c/a4d1b4ba9754bac3efeb...
Patch
https://git.kernel.org/stable/c/e9075e420a1eb3b52c60...
Patch

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2025-71313 🔶 medium 5.5 0.0 In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: Add missing NULL check for alloc_wor... 2026-06-03
CVE-2025-71314 🔶 medium 5.5 0.0 In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Recover from panthor_gpu_flush_caches(... 2026-06-03
CVE-2026-46244 ⛔ critical 9.1 0.0 In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_inner: Fix IPv6 inner_thoff desync ... 2026-06-03
CVE-2026-46245 🔶 medium 5.5 0.0 In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix dc_link NULL handling in HPD i... 2026-06-03
CVE-2026-46246 ⚠️ high 7.8 0.0 In the Linux kernel, the following vulnerability has been resolved: power: supply: pm8916_lbc: Fix use-after-free for e... 2026-06-03
CVE-2026-46247 🔶 medium 5.5 0.0 In the Linux kernel, the following vulnerability has been resolved: clk: qcom: gfx3d: add parent to parent request map ... 2026-06-03
These CVEs affect the same products