External risk intelligence

Linux kernel could allow external attacker to cause system outages

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-31402

An external attacker can exploit a flaw in Linux kernel servers to cause complete system outages or gain full administrative control. This matters to the business because it can disrupt critical file-sharing services and expose sensitive files to unauthorized access.

1 Halo Surface Signal

Out-of-bounds Write

Linux Kernel

  • 2.6.12.1 to before 5.10.253
  • 5.11 to before 6.1.167
  • 6.2 to before 6.6.130
  • 6.7 to before 6.12.78
  • 6.13 to before 6.18.20
  • 6.19 to before 6.19.10
  • 2.6.12
  • 7.0

External exposure likelihood

Halo Surface Signal score for CVE-2026-31402

The vulnerability affects the Linux kernel NFSv4.0 server. Network File System (NFS) is a file-sharing protocol designed for local network environments and is normally isolated or kept internal behind firewalls, with no typical public internet exposure.

Horizon Alert

Summary of the vulnerability and why it matters

A flaw in the Linux kernel's NFSv4.0 server can allow attackers to corrupt memory by exploiting how it handles lock requests. This memory corruption could potentially lead to system instability or unauthorized access.

  • Remote exploitation possible.
  • Can impact system stability.
  • Requires specific client interaction.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this flaw by using two cooperating NFSv4.0 clients to trigger a heap overflow in the NFS server. One client would set a lock with a large owner string, then the second client would request a conflicting lock. The server denies the second request, and the denial causes it to attempt to write an oversized response into a fixed-size buffer, corrupting adjacent heap memory and potentially leading to remote code execution.

  • Requires two clients.
  • Targets NFSv4.0 server.
  • Exploits LOCK operation denial.

Live Threat

Current exploitation, exposure, and threat context

This NFSv4.0 heap overflow can be triggered remotely by unauthenticated attackers using two cooperating clients. The vulnerability lies in the replay cache's fixed-size buffer being insufficient for certain LOCK denied responses, allowing up to 944 bytes of heap corruption.

  • Exploitation requires two clients.
  • No public exploit available.
  • Fixes merged and backported.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize monitoring NFSv4.0 traffic for unusual LOCK operations and investigate systems running affected Linux kernel versions. If exploitation is detected or suspected, isolate affected NFS services immediately.

  • Apply Linux kernel patch.
  • Restrict NFSv4.0 network access.
  • Monitor NFS logs for errors.
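To support the "investigate systems running affected Linux kernel versions" step, the following added example (not part of the original advisory) checks `uname -r` strings against the affected ranges listed on this page. The function names, host names and sample inventory are assumptions made for illustration.

```python
import re

# Ranges transcribed from this page's affected-version list, as
# (first affected, first fixed). The bare entries "2.6.12" and "7.0" on
# that list carry no stated range and are not evaluated here.
AFFECTED_RANGES = [
    ("2.6.12.1", "5.10.253"), ("5.11", "6.1.167"), ("6.2", "6.6.130"),
    ("6.7", "6.12.78"), ("6.13", "6.18.20"), ("6.19", "6.19.10"),
]


def parse_release(release):
    """Turn a `uname -r` string into a 4-field integer tuple.

    Suffixes such as "-18-amd64" are dropped; "6.2" becomes (6, 2, 0, 0).
    """
    match = re.match(r"\d+(?:\.\d+){1,3}", release.strip())
    if not match:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    parts = [int(p) for p in match.group(0).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def affected_range(release):
    """Return the (start, fixed) range containing `release`, else None."""
    version = parse_release(release)
    for start, fixed in AFFECTED_RANGES:
        if parse_release(start) <= version < parse_release(fixed):
            return (start, fixed)
    return None


def triage(inventory):
    """Map host -> matching range, or None when outside every range.

    A match means "check the distribution advisory", not "confirmed
    vulnerable": distribution kernels can carry backported fixes under
    an unchanged upstream version number.
    """
    return {host: affected_range(rel) for host, rel in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory: host names and releases are made up.
    sample = {"nfs-a": "6.1.0-18-amd64", "nfs-b": "6.6.130"}
    for host, hit in triage(sample).items():
        print(host, hit if hit else "outside listed ranges")
```

Only hosts that actually export NFSv4.0 need follow-up; a kernel in range on a machine without the NFS server enabled does not expose this code path.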

Frequently asked questions

What is the Linux kernel and what is NFSv4.0 used for?

The Linux kernel is the core of the Linux operating system, managing hardware and software resources. NFSv4.0 (Network File System version 4.0) is a protocol that allows computers on a network to share files and directories as if they were local, commonly used in local area networks for file sharing.

What kind of vulnerability is CVE-2026-31402 in the Linux kernel?

CVE-2026-31402 is a heap overflow vulnerability, a type of weakness where a program writes data beyond the allocated buffer in memory. This occurs in the NFSv4.0 replay cache when handling LOCK denied responses with large owner strings, leading to heap memory corruption.

How can an attacker trigger the Linux kernel vulnerability?

An attacker needs two cooperating NFSv4.0 clients. One client establishes a lock with a lengthy owner name, and then the second client attempts to acquire a conflicting lock. This scenario causes the NFS server to generate a denial response that is too large for its internal buffer, triggering the overflow.

Who should be concerned about this Linux kernel vulnerability?

Organizations that utilize the Linux kernel for their NFSv4.0 servers should be concerned. While NFS is typically internal, the Halo Surface Signal indicates this vulnerability is classified as external, meaning it has the potential for network-based exploitation.

What is the first step to address this Linux kernel vulnerability?

The immediate first step for anyone running affected Linux kernel versions is to apply the relevant security patches provided by the Linux distribution or kernel maintainers. Reviewing NFSv4.0 configurations to ensure network access is appropriately restricted is also a prudent measure.
