2460733 – (CVE-2026-31438) CVE-2026-31438 kernel: netfs: Fix kernel BUG in netfs_limit_iter() for ITER_KVEC iterators

Bug 2460733 (CVE-2026-31438) - CVE-2026-31438 kernel: netfs: Fix kernel BUG in netfs_limit_iter() for ITER_KVEC iterators

Summary: CVE-2026-31438 kernel: netfs: Fix kernel BUG in netfs_limit_iter() for ITER_K...

Keywords:
Status:	NEW
Alias:	CVE-2026-31438
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-22 15:08 UTC by OSIDB Bzimport
Modified:	2026-04-24 16:44 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-22 15:08:05 UTC

In the Linux kernel, the following vulnerability has been resolved:

netfs: Fix kernel BUG in netfs_limit_iter() for ITER_KVEC iterators

When a process crashes and the kernel writes a core dump to a 9P
filesystem, __kernel_write() creates an ITER_KVEC iterator. This
iterator reaches netfs_limit_iter() via netfs_unbuffered_write(), which
only handles ITER_FOLIOQ, ITER_BVEC and ITER_XARRAY iterator types,
hitting the BUG() for any other type.

Fix this by adding netfs_limit_kvec() following the same pattern as
netfs_limit_bvec(), since both kvec and bvec are simple segment arrays
with pointer and length fields. Dispatch it from netfs_limit_iter() when
the iterator type is ITER_KVEC.

Comment 1 Keith Grant 2026-04-22 17:00:53 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026042243-CVE-2026-31438-66c2@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.