Severity: HIGH
netfs ReadRetry UAF
CVE-2026-31435
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
KernelScan AI score: 7.3 (HIGH)
01 Description
In the Linux kernel, the following vulnerability has been resolved:

netfs: Fix read abandonment during retry

Under certain circumstances, all the remaining subrequests from a read request will get abandoned during retry. The abandonment process expects the 'subreq' variable to be set to the place to start abandonment from, but it doesn't always have a useful value (it will be uninitialised on the first pass through the loop and it may point to a deleted subrequest on later passes).

Fix the first jump to "abandon:" to set subreq to the start of the first subrequest expected to need retry (which, in this abandonment case, turned out unexpectedly to no longer have NEED_RETRY set).

Also clear the subreq pointer after discarding superfluous retryable subrequests to cause an oops if we do try to access it.
02 KernelScan AI Analysis
Risk summary
A use-after-free in the netfs read retry logic can be reached by any user performing file reads on a netfs-backed filesystem (9p, AFS, Ceph, NFS with fscache, SMB/CIFS). It is triggered when a read request fails and enters the retry path, and can lead to kernel memory corruption, information disclosure, or a system crash.
Vulnerability analysis
The flaw is improper pointer handling in the abandonment step of the netfs read retry loop. The 'subreq' variable may be uninitialised on the first pass through the loop, or may point to an already-deleted subrequest on later passes. When control jumps to the 'abandon:' label, that stale or uninitialised pointer is used as the starting point for abandoning the remaining subrequests, so freed (or never-valid) memory is accessed. The fix sets 'subreq' to the first subrequest expected to need retry before the jump to 'abandon:', and clears the pointer after superfluous retryable subrequests are discarded so that any later stray access faults immediately instead of silently touching freed memory. The attack surface is any system mounting a netfs-based filesystem on which an unprivileged user can issue reads that fail and are retried.
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.21 | 3e5fd8f53b57 |
| 6.19 | 6.19.11 | 8f2f2bd128a8 |
| mainline | 7.0 | 7e57523490cd |