{ "threat_severity" : "Moderate", "public_date" : "2026-04-22T00:00:00Z", "bugzilla" : { "description" : "kernel: netfs: Fix read abandonment during retry", "id" : "2460660", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2460660" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "draft" }, "cwe" : "CWE-824", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnetfs: Fix read abandonment during retry\nUnder certain circumstances, all the remaining subrequests from a read\nrequest will get abandoned during retry. The abandonment process expects\nthe 'subreq' variable to be set to the place to start abandonment from, but\nit doesn't always have a useful value (it will be uninitialised on the\nfirst pass through the loop and it may point to a deleted subrequest on\nlater passes).\nFix the first jump to \"abandon:\" to set subreq to the start of the first\nsubrequest expected to need retry (which, in this abandonment case, turned\nout unexpectedly to no longer have NEED_RETRY set).\nAlso clear the subreq pointer after discarding superfluous retryable\nsubrequests to cause an oops if we do try to access it.", "A flaw was found in the Linux kernel's netfs component. Under certain circumstances, during a read retry operation, the system may incorrectly abandon subrequests. This issue arises because a pointer (`subreq`) used in the abandonment process can be uninitialized or point to invalid memory. An attacker could potentially exploit this to trigger a kernel oops, leading to a system crash and a Denial of Service (DoS)." ], "statement" : "Red Hat acknowledges this defect in the upstream Linux kernel netfs read-retry path. The bug can leave `subreq` in an invalid state during abandonment, which may crash the kernel under specific I/O timing. Customers should consume corrected kernel builds through the usual errata when available. Exploitation requires driving the affected read path; there is no practical module unload workaround for generic netfs.", "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31435\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31435\nhttps://lore.kernel.org/linux-cve-announce/2026042242-CVE-2026-31435-f0f5@gregkh/T" ], "name" : "CVE-2026-31435", "csaw" : false }