CVE-2026-31437

Published: Apr 22, 2026

Modified: May 11, 2026

PUBLISHED

Description

In the Linux kernel, the following vulnerability has been resolved: netfs: Fix NULL pointer dereference in netfs_unbuffered_write() on retry When a write subrequest is marked NETFS_SREQ_NEED_RETRY, the retry path in netfs_unbuffered_write() unconditionally calls stream->prepare_write() without checking if it is NULL. Filesystems such as 9P do not set the prepare_write operation, so stream->prepare_write remains NULL. When get_user_pages() fails with -EFAULT and the subrequest is flagged for retry, this results in a NULL pointer dereference at fs/netfs/direct_write.c:189. Fix this by mirroring the pattern already used in write_retry.c: if stream->prepare_write is NULL, skip renegotiation and directly reissue the subrequest via netfs_reissue_write(), which handles iterator reset, IN_PROGRESS flag, stats update and reissue internally.

Vendor	Product	Versions
Linux	Linux	affected `72d08d2839649d1c5efbe375751f4473fa4486af - < a4d1b4ba9754bac3efebd06f583a44a7af52c0ab` affected `0c29f6d63122a0168d67cb8ecde5b4cf7fe4acb0 - < 7a5482f5ce891decbf36f2e6fab1e9fc4a76a684` affected `a0b4c7a49137ed21279f354eb59f49ddae8dffc2 - < e9075e420a1eb3b52c60f3b95893a55e77419ce8`
Linux	Linux	affected `6.18.17 - < 6.18.21` affected `6.19.7 - < 6.19.11`

References

https://git.kernel.org/stable/c/a4d1b4ba9754bac3efebd06f583a44a7af52c0ab

https://git.kernel.org/stable/c/7a5482f5ce891decbf36f2e6fab1e9fc4a76a684

https://git.kernel.org/stable/c/e9075e420a1eb3b52c60f3b95893a55e77419ce8

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-31437

Description

Affected Products

References