Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to vulnerabilities
Critical

Heap overflow in Linux kernel nfsd NFSv4.0 LOCK replay cache

IdentifiersCVE-2026-31402CWE-122

CVE-2026-31402 is a heap-based buffer overflow in the Linux kernel NFS server (nfsd), specifically in the NFSv4.0 LOCK replay cache. The replay cache stores encoded operation responses in a fixed 112-byte inline buffer, rp_ibuf[NFSD4_REPLAY_ISIZE], whose size was derived from OPEN responses. However, denied LOCK responses can include a conflicting lock owner field with variable length up to NFS4_OPAQUE_LIMIT (1024 bytes). When a LOCK request is denied because of a conflicting existing lock with a large owner string, nfsd4_encode_operation() copies the full encoded response into the undersized replay buffer via read_bytes_from_xdr_buf() without adequate bounds checking. This can produce a slab out-of-bounds write of up to 944 bytes past the end of the heap buffer, corrupting adjacent kernel heap memory.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a remote unauthenticated attacker to trigger kernel heap memory corruption in nfsd. The documented consequence is a slab out-of-bounds write of up to 944 bytes, which can destabilize the kernel and cause denial of service, and may also enable more serious impacts depending on heap layout and exploitability, including potential compromise of confidentiality, integrity, and availability. Supporting content also notes CVSS assessments as high as 9.8, reflecting the severity of the memory corruption condition.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by disabling or restricting NFS server access, especially NFSv4.0, to trusted clients only; limit network reachability to nfsd using firewalling or segmentation; and avoid exposing the NFS service to untrusted networks. Because the issue is remotely reachable and does not require authentication, mitigation is primarily exposure reduction until patched kernels can be deployed.

Remediation

Patch, then assume compromise.

Upgrade to a Linux kernel release containing the fix for CVE-2026-31402. The fix validates the encoded response length against NFSD4_REPLAY_ISIZE before copying into the replay cache buffer. If the encoded LOCK denial response is too large, the kernel sets rp_buflen to 0 and skips caching the replay payload while still caching the operation status, preserving correct client behavior without overflowing the inline buffer. Vendor kernel updates from distributions such as SUSE should be applied, followed by a reboot where required.
PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 1 candidate as fakes, detection scripts, or README-only repos.

VALID 0 / 1 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
LinuxLinux Kerneloperating_system
Rocky LinuxKerneloperating_system
Rocky LinuxKernel-Rtoperating_system
Rocky LinuxRocky Linuxoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

16 sources tracked across advisories and community write-ups. News coverage will land here when it surfaces.

16 SOURCESView more in app

No news coverage yet. Advisories and community discussion only.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity5

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-31402
NVD
nvd.nist.gov/vuln/detail/CVE-2026-31402
MITRE CWE · CWE-122
cwe.mitre.org
Patch
git.kernel.org/stable/c/0f0e2a54a31a7f9ad2915db99156114872317388
Patch
git.kernel.org/stable/c/5133b61aaf437e5f25b1b396b14242a6bb0508e2
Patch
git.kernel.org/stable/c/8afb437ea1f70cacb4bbdf11771fb5c4d720b965
Patch
git.kernel.org/stable/c/ae8498337dfdfda71bdd0b807c9a23a126011d76
Patch
git.kernel.org/stable/c/c9452c0797c95cf2378170df96cf4f4b3bca7eff
Patch
git.kernel.org/stable/c/dad0c3c0a8e5d1d6eb0fc455694ce3e25e6c57d0
Patch
git.kernel.org/stable/c/f9fcb4441f6c02bb20c2eb340101e27dfe23607c