Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: netfs: Fix NULL pointer dereference in netfs_unbuffered_write() on retry When a write subrequest is marked NETFS_SREQ_NEED_RETRY, the retry path in netfs_unbuffered_write() unconditionally calls stream->prepare_write() without checking if it is NULL. Filesystems such as 9P do not set the prepare_write operation, so stream->prepare_write remains NULL. When get_user_pages() fails with -EFAULT and the subrequest is flagged for retry, this results in a NULL pointer dereference at fs/netfs/direct_write.c:189. Fix this by mirroring the pattern already used in write_retry.c: if stream->prepare_write is NULL, skip renegotiation and directly reissue the subrequest via netfs_reissue_write(), which handles iterator reset, IN_PROGRESS flag, stats update and reissue internally.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux Kernel | >= 6.18.17, < 6.18.21 |
Related Weaknesses (CWE)
References
- https://git.kernel.org/stable/c/7a5482f5ce891decbf36f2e6fab1e9fc4a76a684Patch
- https://git.kernel.org/stable/c/a4d1b4ba9754bac3efebd06f583a44a7af52c0abPatch
- https://git.kernel.org/stable/c/e9075e420a1eb3b52c60f3b95893a55e77419ce8Patch
FAQ
What is CVE-2026-31437?
CVE-2026-31437 is a vulnerability with a CVSS score of 5.5 (MEDIUM). In the Linux kernel, the following vulnerability has been resolved: netfs: Fix NULL pointer dereference in netfs_unbuffered_write() on retry When a write subrequest is marked NETFS_SREQ_NEED_RETRY, ...
How severe is CVE-2026-31437?
CVE-2026-31437 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-31437?
Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel.