Linux Kernel NFSv4 Replay Cache Heap OOB
CVE-2026-31402 Published on April 3, 2026

nfsd: fix heap overflow in NFSv4.0 LOCK replay cache
In the Linux kernel, the following vulnerability has been resolved: nfsd: fix heap overflow in NFSv4.0 LOCK replay cache The NFSv4.0 replay cache uses a fixed 112-byte inline buffer (rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses. This size was calculated based on OPEN responses and does not account for LOCK denied responses, which include the conflicting lock owner as a variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT). When a LOCK operation is denied due to a conflict with an existing lock that has a large owner, nfsd4_encode_operation() copies the full encoded response into the undersized replay buffer via read_bytes_from_xdr_buf() with no bounds check. This results in a slab-out-of-bounds write of up to 944 bytes past the end of the buffer, corrupting adjacent heap memory. This can be triggered remotely by an unauthenticated attacker with two cooperating NFSv4.0 clients: one sets a lock with a large owner string, then the other requests a conflicting lock to provoke the denial. We could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full opaque, but that would increase the size of every stateowner, when most lockowners are not that large. Instead, fix this by checking the encoded response length against NFSD4_REPLAY_ISIZE before copying into the replay buffer. If the response is too large, set rp_buflen to 0 to skip caching the replay payload. The status is still cached, and the client already received the correct response on the original request.

NVD

Vulnerability Analysis

CVE-2026-31402 is exploitable with local system access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.

Attack Vector:

LOCAL

Attack Complexity:

LOW

Privileges Required:

LOW

User Interaction:

NONE

Scope:

UNCHANGED

Confidentiality Impact:

HIGH

Integrity Impact:

HIGH

Availability Impact:

HIGH

Weakness Type

What is a Memory Corruption Vulnerability?

The software writes data past the end, or before the beginning, of the intended buffer. Typically, this can result in corruption of data, a crash, or code execution. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent write operation then produces undefined or unexpected results.

CVE-2026-31402 has been classified to as a Memory Corruption vulnerability or weakness.

Products Associated with CVE-2026-31402

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2026-31402 are published in these products:

Linux Kernel

Red Hat Rhel Els

Red Hat Rhel Extras Rt Els

Red Hat Enterprise Linux Eus

Red Hat Enterprise Linux (RHEL)

Red Hat Rhel E4s

Red Hat Rhel Eus

Red Hat Rhel Aus

Red Hat Rhel Eus Long Life

Red Hat Rhel Tus

Affected Versions

Linux:

Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below f9fcb4441f6c02bb20c2eb340101e27dfe23607c is affected.
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below 2665887a69437a8a4f552f69509eecfb73d4aa19 is affected.
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below c9452c0797c95cf2378170df96cf4f4b3bca7eff is affected.
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below 8afb437ea1f70cacb4bbdf11771fb5c4d720b965 is affected.
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below dad0c3c0a8e5d1d6eb0fc455694ce3e25e6c57d0 is affected.
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below 0f0e2a54a31a7f9ad2915db99156114872317388 is affected.
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below ae8498337dfdfda71bdd0b807c9a23a126011d76 is affected.
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below 5133b61aaf437e5f25b1b396b14242a6bb0508e2 is affected.

Linux:

Version 2.6.12 is affected.
Before 2.6.12 is unaffected.
Version 5.10.253, <= 5.10.* is unaffected.
Version 5.15.210, <= 5.15.* is unaffected.
Version 6.1.167, <= 6.1.* is unaffected.
Version 6.6.130, <= 6.6.* is unaffected.
Version 6.12.78, <= 6.12.* is unaffected.
Version 6.18.20, <= 6.18.* is unaffected.
Version 6.19.10, <= 6.19.* is unaffected.
Version 7.0, <= * is unaffected.

Red Hat Enterprise Linux Server -EXTENSION(v. 6 ELS-EXTENSION): Red Hat Enterprise Linux Server Optional -EXTENSION (v. 6 ELS -EXTENSION): Red Hat Enterprise Linux Server (v. 7 ELS): Red Hat Enterprise Linux for Real Time (v. 7 ELS): Red Hat Enterprise Linux Server Optional (v. 7 ELS): Red Hat Enterprise Linux AppStream EUS (v. 10.0): Red Hat Enterprise Linux AppStream (v. 10): Red Hat Enterprise Linux AppStream E4S (v.9.0): Red Hat Enterprise Linux AppStream E4S (v.9.2): Red Hat Enterprise Linux AppStream EUS (v.9.4): Red Hat Enterprise Linux AppStream EUS (v.9.6): Red Hat Enterprise Linux AppStream (v. 9): Red Hat Enterprise Linux BaseOS EUS (v. 10.0): Red Hat Enterprise Linux BaseOS (v. 10): Red Hat Enterprise Linux BaseOS (v. 8): Red Hat Enterprise Linux BaseOS AUS (v.8.4): Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4): Red Hat Enterprise Linux BaseOS AUS (v.8.6): Red Hat Enterprise Linux BaseOS E4S (v.8.6): Red Hat Enterprise Linux BaseOS TUS (v.8.6): Red Hat Enterprise Linux BaseOS E4S (v.8.8): Red Hat Enterprise Linux BaseOS TUS (v.8.8): Red Hat Enterprise Linux BaseOS E4S (v.9.0): Red Hat Enterprise Linux BaseOS E4S (v.9.2): Red Hat Enterprise Linux BaseOS EUS (v.9.4): Red Hat Enterprise Linux BaseOS EUS (v.9.6): Red Hat Enterprise Linux BaseOS (v. 9): Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0): Red Hat Enterprise Linux CodeReady Linux Builder (v. 10): Red Hat Enterprise Linux CRB (v. 8): Red Hat CodeReady Linux Builder EUS (v.9.4): Red Hat CodeReady Linux Builder EUS (v.9.6): Red Hat Enterprise Linux CodeReady Linux Builder (v. 9): Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0): Red Hat Enterprise Linux Real Time for NFV (v. 10): Red Hat Enterprise Linux NFV (v. 8): Red Hat Enterprise Linux NFV E4S (v.9.0): Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2): Red Hat Enterprise Linux Real Time for NFV EUS (v.9.4): Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6): Red Hat Enterprise Linux Real Time for NFV (v. 9): Red Hat Enterprise Linux Real Time EUS (v. 10.0): Red Hat Enterprise Linux Real Time (v. 10): Red Hat Enterprise Linux RT (v. 8): Red Hat Enterprise Linux Real Time E4S (v.9.0): Red Hat Enterprise Linux Real Time E4S (v.9.2): Red Hat Enterprise Linux Real Time EUS (v.9.4): Red Hat Enterprise Linux Real Time EUS (v.9.6): Red Hat Enterprise Linux Real Time (v. 9): Red Hat Enterprise Linux 9:

Exploit Probability

EPSS

0.63%

Percentile

45.37%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

Linux Kernel NFSv4 Replay Cache Heap OOBCVE-2026-31402 Published on April 3, 2026

Vulnerability Analysis

Weakness Type

What is a Memory Corruption Vulnerability?

Products Associated with CVE-2026-31402

Affected Versions

Exploit Probability

Linux Kernel NFSv4 Replay Cache Heap OOB
CVE-2026-31402 Published on April 3, 2026