CVE-2026-31435
Published: 22 April 2026
Summary
CVE-2026-31435 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the Linux kernel. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 26.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-31435 is a vulnerability in the Linux kernel's netfs subsystem, specifically affecting read request retry handling. During retries, all remaining subrequests from a read can be improperly abandoned because the 'subreq' variable is either uninitialized on the first loop pass or points to a deleted subrequest on subsequent passes. This leads to incorrect abandonment starting points, as the process expects a valid 'subreq' to identify where to begin.
The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H): it is exploitable over the network by an unauthenticated attacker with low attack complexity, but requires user interaction. Successful exploitation can have a high impact on the confidentiality, integrity, and availability of the affected system.
Patches addressing this issue are available in the Linux kernel stable tree via the following commits: https://git.kernel.org/stable/c/3e5fd8f53b575ff2188f82071da19c977ca56c41, https://git.kernel.org/stable/c/7e57523490cd2efb52b1ea97f2e0a74c0fb634cd, and https://git.kernel.org/stable/c/8f2f2bd128a8d9edbc1e785760da54ada3df69b7. These fixes properly set 'subreq' to the first retry-needing subrequest before abandonment and clear the pointer afterward to prevent invalid access.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-24758
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:
netfs: Fix read abandonment during retry
Under certain circumstances, all the remaining subrequests from a read request will get abandoned during retry. The abandonment process expects the 'subreq' variable to be set to the place to start abandonment from, but it doesn't always have a useful value (it will be uninitialised on the first pass through the loop and it may point to a deleted subrequest on later passes).
Fix the first jump to "abandon:" to set subreq to the start of the first subrequest expected to need retry (which, in this abandonment case, turned out unexpectedly to no longer have NEED_RETRY set).
Also clear the subreq pointer after discarding superfluous retryable subrequests to cause an oops if we do try to access it.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Kernel memory corruption (invalid subreq pointer during netfs read retries) enables remote client-side code execution via crafted network FS traffic (T1203) and subsequent kernel-level privilege escalation (T1068).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires timely remediation of the Linux kernel netfs flaw through application of stable tree patches to prevent improper subrequest abandonment during read retries.
Vulnerability scanning and monitoring identifies systems running vulnerable Linux kernel versions affected by the netfs read retry abandonment issue.
Ensures awareness and dissemination of security advisories for Linux kernel patches addressing the netfs subrequest handling flaw.