PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-31402 Linux CVE debrief

CVE-2026-31402 is a critical Linux kernel vulnerability in nfsd’s NFSv4.0 LOCK replay cache. A denial response for a conflicting LOCK can include a large, variable-length lock owner field that may overflow the fixed inline replay buffer, leading to a heap out-of-bounds write. Because the issue is reachable over the network without authentication, exposed NFSv4.0 servers should be treated as urgent patching priorities.

Vendor: Linux
Product: Unknown
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-03
Original CVE updated: 2026-05-20
Advisory published: 2026-04-03
Advisory updated: 2026-05-20

Who should care

Linux administrators, distro maintainers, and platform teams running NFS servers with NFSv4.0 enabled, especially systems exposed to untrusted networks. Security teams should also care if kernel-based file services are part of production storage, virtualization, or appliance deployments.

Technical summary

The CVE description says the NFSv4.0 replay cache uses a fixed 112-byte inline buffer for encoded operation responses, but a LOCK denied response may embed a conflicting lock owner string up to the NFS opaque limit. In nfsd4_encode_operation(), the encoded response is copied into the replay buffer without a bounds check, so read_bytes_from_xdr_buf() can write past the end of the slab buffer. The reported impact is a slab out-of-bounds write of up to 944 bytes, triggered by remote unauthenticated requests from two cooperating NFSv4.0 clients (one holding the lock, the other provoking the conflicting LOCK denial). The fix described in the record is to check the encoded response length before copying and to skip caching oversized replay payloads while still caching the status, rather than enlarging the buffer.

Defensive priority

Urgent. The attack surface is network-reachable, unauthenticated, and memory-corrupting in a privileged kernel service. NVD rates the issue CVSS 9.8/Critical with high confidentiality, integrity, and availability impact.

Recommended defensive actions

  • Apply the kernel patches referenced in the advisory record and vendor backports as soon as they are available.
  • Verify whether your running kernel falls within the affected ranges listed by NVD, including the version bands ending before 5.10.253, 6.1.167, 6.6.130, 6.12.78, 6.18.20, and 6.19.10.
  • Prioritize externally reachable NFS servers and storage appliances first.
  • If immediate patching is not possible, reduce exposure by restricting NFS server access to trusted networks and reviewing whether NFSv4.0 must remain enabled.
  • Monitor affected hosts for kernel crashes, oopses, or unexpected nfsd instability after exposure.
  • After patching, confirm the running kernel build includes the relevant stable fixes and reboot into the updated kernel.
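One way to triage a fleet against the fixed versions listed above, as an added example that is not part of the PatchSiren debrief: the function below classifies a kernel version string against the six fixed stable releases. The page does not state where each affected band starts, so only the "older than the fixed release within the same stable series" test is applied; kernels from an unlisted series are reported as unknown rather than guessed.

```sh
#!/bin/sh
# Added example (not from the debrief): classify a kernel version against
# the fixed releases named in the NVD affected-version criteria.

# "series fixed_patch" pairs, taken from the fixed versions on this page.
FIXED_VERSIONS="5.10 253
6.1 167
6.6 130
6.12 78
6.18 20
6.19 10"

# kernel_status VERSION
# Prints one of: affected | fixed | unknown-series
# VERSION may be the raw output of `uname -r`, e.g. 6.1.166-amd64.
kernel_status() {
    v=${1%%-*}                    # drop distro suffix: "-amd64", "-generic"
    v=${v%%+*}                    # drop local build tag: "+"
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.}; patch=${patch%%.*} ;;
        *)   patch=0 ;;           # "6.12" alone means 6.12.0
    esac
    patch=$(printf '%s' "$patch" | tr -cd '0-9')   # strip "rc1" and the like
    patch=${patch:-0}
    series="$major.$minor"

    # The while loop runs in a subshell, so its verdict is captured as output.
    result=$(printf '%s\n' "$FIXED_VERSIONS" | while read -r s p; do
        if [ "$s" = "$series" ]; then
            if [ "$patch" -lt "$p" ]; then echo affected; else echo fixed; fi
            exit 0
        fi
    done)
    if [ -n "$result" ]; then echo "$result"; else echo unknown-series; fi
}

# Stand-alone usage: classify the running kernel.
[ "${1:-}" = "--self" ] && kernel_status "$(uname -r)"
```

A verdict of affected means the upstream version is older than the fixed release, not that the host is confirmed vulnerable: distribution kernels routinely backport stable fixes without changing the version string, so confirm against the vendor changelog or package advisory before acting on the result.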

Evidence notes

All claims above are grounded in the supplied NVD record and the CVE description. The record identifies the weakness as CWE-787 and classifies the CVSS vector as CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The description states the issue is in nfsd’s NFSv4.0 LOCK replay cache, that oversized conflicting lock-owner data can overflow the fixed replay buffer, and that the intended fix is to reject oversized payloads rather than enlarge the buffer. The NVD record also lists the vulnerability as analyzed and provides affected-version criteria and stable kernel patch references.

Official resources

CVE published at 2026-04-03T16:16:39.283Z and last modified at 2026-05-20T12:17:28.340Z. This debrief uses the CVE published date for timing context.