CVE-2026-31402: Critical Linux Kernel NFS Heap Overflow Affects All Major Distributions

CVE-2026-31402, a heap overflow vulnerability in the Linux kernel’s NFS client implementation, was publicly disclosed this week and has been rated critical with a CVSS score of 8.8. The Linux kernel NFS heap overflow affects all kernel versions from 5.15 through 6.8 that have the NFSv4 client enabled — a configuration that is default in virtually every major Linux distribution — and allows a malicious NFS server to trigger memory corruption on a connecting client, potentially leading to privilege escalation or remote code execution in the worst-case exploitation scenario. Patches are available in kernel version 6.9-rc4 and as backported fixes for the 5.15, 6.1, and 6.6 long-term stable branches.

The vulnerability was discovered by a security researcher at a Linux kernel security team who identified an integer overflow condition in the code path that handles NFSv4 server-to-client state delegation responses. Under specific conditions — a malicious or compromised NFS server sending a crafted delegation response with an oversized attribute list — the kernel allocates a heap buffer that is smaller than the data it subsequently writes into it, producing a classic heap buffer overflow. On modern kernels with kernel address space layout randomization and stack canaries enabled, reliable exploitation requires bypassing these mitigations, but the underlying memory corruption primitive is confirmed and exploitable given sufficient attacker-controlled input.

Understanding the CVE-2026-31402 Linux Kernel NFS Attack Surface

The CVE-2026-31402 Linux kernel NFS vulnerability is specifically in the NFSv4 client code — the kernel component that handles communication with NFS version 4 servers. NFS (Network File System) is the standard protocol for sharing file system directories over a network in Linux and Unix environments, and it is extraordinarily common in enterprise environments. Any Linux workstation, server, or container host that mounts a network file share using NFS version 4 — which has been the default since kernel 4.1 — has the vulnerable code path present and active.

The attack requires the client to connect to a malicious NFS server, which constrains the exploitation scenario compared to a vulnerability that can be triggered by unauthenticated remote packets. An attacker who wants to exploit this vulnerability needs to be in a position to serve NFS to the target — either by operating a legitimate NFS server that they have compromised, by conducting a man-in-the-middle attack on an existing NFS connection, or by getting the target to mount a share from an attacker-controlled server. All three scenarios are realistic in enterprise environments where NFS mounts are common and network traffic is not always encrypted or authenticated at the transport layer.

The man-in-the-middle scenario is particularly concerning in environments where NFS traffic flows over unencrypted network segments — which is the majority of enterprise NFS deployments, since NFS over TLS has only been standardized relatively recently and adoption has been slow. An attacker with access to the network segment carrying NFS traffic could inject a crafted delegation response into an existing NFSv4 session without needing to compromise the legitimate server, bringing the exploitation requirement closer to a network-adjacent unauthenticated attack than the CVE description’s “requires server compromise” framing might suggest.

Affected Kernel Versions and Patch Availability

The vulnerability was introduced in kernel version 5.15 with a refactoring of the NFSv4 state management code that changed how delegation response attributes are parsed and buffered. All kernel versions from 5.15 through 6.8 that include this code are affected. Kernel 6.9, currently in release candidate status, includes the fix in rc4 and later. The Linux kernel security team has also backported fixes to the three currently maintained long-term stable branches: 5.15.x, 6.1.x, and 6.6.x.

Major Linux distributions have been notified under the kernel security team’s coordinated disclosure process and are in various stages of releasing patched packages. Ubuntu has released updated kernels for its 22.04 LTS and 24.04 LTS releases. Red Hat Enterprise Linux and its derivatives (CentOS Stream, Rocky Linux, AlmaLinux) have released advisories and are publishing patched packages for RHEL 8 and RHEL 9. Debian has patched its stable and testing branches. SUSE Linux Enterprise Server patches are available through the SUSE update channels.

Container environments running Linux-based hosts are affected at the host kernel level. Docker containers and Kubernetes pods share the host kernel, which means the vulnerability exists in the host OS regardless of what is running inside the container. Organizations running containerized workloads on Linux hosts that use NFS for persistent storage — a common pattern for stateful Kubernetes deployments — should prioritize kernel updates on their node fleet. The container runtime itself is not the relevant layer for this vulnerability; the host kernel is.

Immediate Mitigation Options for CVE-2026-31402

For organizations that cannot immediately deploy kernel patches — a realistic situation for production systems that require maintenance windows and regression testing before kernel updates — several interim mitigations can reduce exposure while patches are being prepared.

The most direct mitigation is to disable NFSv4 client support on hosts that do not require it. If systems are not mounting NFS shares, or if they can be temporarily configured to use NFSv3 instead of NFSv4, the vulnerable code path is not triggered. NFSv3 has its own security limitations — it lacks the authentication and state management features of NFSv4 — but it does not contain this specific vulnerability. The mount option nfsvers=3 forces a client to negotiate NFSv3 with the server; this can be applied to fstab entries or systemd mount units without a kernel update.

Network-level controls can reduce the man-in-the-middle risk by ensuring NFS traffic only flows between known server and client IP pairs through firewall rules or network policies. In Kubernetes environments, NetworkPolicy objects can restrict which pods are allowed to communicate on NFS ports. These controls do not prevent exploitation by a compromised server but do reduce the network-adjacent attack surface by limiting which systems can send NFS responses to your clients.

Linux Security Module policies (SELinux, AppArmor) can constrain what a successful exploit can do post-compromise by limiting the capabilities available to the kernel code path that processes NFS responses. While MAC policy cannot prevent the memory corruption from occurring, it can limit the attacker’s ability to leverage that corruption into privilege escalation or persistent access in environments with well-configured SELinux or AppArmor profiles.

The Broader Linux Kernel Security Context

CVE-2026-31402 is the second critical Linux kernel vulnerability disclosed in the past 30 days, continuing a pattern of significant kernel security findings that reflects both the breadth of the kernel’s attack surface and the increasing sophistication of security research tools applied to kernel code. The Linux kernel is one of the most heavily audited codebases in open-source software, but its size — over 30 million lines of code — means that vulnerabilities in less-frequently-reviewed subsystems like NFS client state management can persist for extended periods before discovery.

CISA has been tracking Linux kernel vulnerabilities closely and adding confirmed exploited kernel CVEs to its Known Exploited Vulnerabilities catalog at an increasing rate. As covered in our report on the latest CISA KEV additions, the catalog has seen a consistent flow of kernel-level vulnerabilities from multiple subsystems. Organizations should be monitoring the CISA KEV catalog for CVE-2026-31402 updates if confirmed exploitation is detected before their patch cycle completes.

For security teams managing large Linux fleets, this vulnerability is also an opportunity to audit NFS usage across the environment. Many organizations have NFS mounts that were configured years ago and are no longer actively used — forgotten mount points that add attack surface without providing operational value. A survey of active NFS mounts, combined with the kernel patching effort, can reduce exposure both to this specific CVE and to future NFS-related vulnerabilities in the long term.
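A triage helper for the two practical points made on this page, the survey of active NFSv4 mounts on kernels in the stated 5.15 through 6.8 range and the nfsvers=3 fstab rewrite from the mitigation section. It is an added example, not code from the advisory, any distribution or the kernel project; the /proc/mounts excerpt is constructed, and the major.minor kernel check is only a triage signal, because the backported stable fixes keep the same major.minor and must be confirmed against the distribution advisory.

```python
from __future__ import annotations
import re

# Affected range stated in the advisory: kernels 5.15 through 6.8 inclusive.
AFFECTED_MIN, AFFECTED_MAX = (5, 15), (6, 8)

# Constructed sample /proc/mounts excerpt (not captured from a real host).
SAMPLE_PROC_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
filer01:/export/home /home nfs4 rw,relatime,vers=4.2,rsize=1048576 0 0
filer02:/export/data /data nfs rw,relatime,vers=3,rsize=32768 0 0
"""

def kernel_in_affected_range(release: str) -> bool:
    # Triage on major.minor of `uname -r`. Backported fixes keep the same
    # major.minor, so True means "check the distro advisory", not "unpatched".
    m = re.match(r"(\d+)\.(\d+)", release)
    return bool(m) and AFFECTED_MIN <= (int(m[1]), int(m[2])) <= AFFECTED_MAX

def parse_proc_mounts(text: str) -> list[tuple[str, str, str, str]]:
    # Each /proc/mounts line: src mountpoint fstype opts dump pass
    return [tuple(f[:4]) for f in (l.split() for l in text.splitlines()) if len(f) >= 4]

def nfs_version(fstype: str, opts: str) -> str | None:
    # Negotiated NFS version from the vers= option; None for non-NFS mounts.
    if fstype not in ("nfs", "nfs4"):
        return None
    for opt in opts.split(","):
        if opt.startswith("vers="):
            return opt[5:]
    return "4" if fstype == "nfs4" else "3"  # no vers= option: infer from fstype

def exposed_mounts(proc_mounts: str, release: str) -> list[str]:
    # Mountpoints exercising the NFSv4 client path on an affected kernel.
    if not kernel_in_affected_range(release):
        return []
    return [mnt for _, mnt, fstype, opts in parse_proc_mounts(proc_mounts)
            if (nfs_version(fstype, opts) or "").startswith("4")]

def force_nfsv3(fstab_line: str) -> str:
    # Rewrite an fstab entry so the client negotiates NFSv3 via nfsvers=3.
    f = fstab_line.split()
    if len(f) < 4 or f[2] not in ("nfs", "nfs4"):
        return fstab_line
    keep = [o for o in f[3].split(",")
            if not o.startswith(("vers=", "nfsvers=", "minorversion="))]
    f[2] = "nfs"  # the nfs4 fstype pins v4; plain nfs honours nfsvers=
    f[3] = ",".join(keep + ["nfsvers=3"])
    return " ".join(f)
```

Run `exposed_mounts(open("/proc/mounts").read(), os.uname().release)` on a host to list the mounts that matter; a hit on a 5.15.x, 6.1.x or 6.6.x kernel still needs the distribution's package version checked before it is treated as unpatched.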

Related coverage: CISA Adds 8 Exploited CVEs to KEV Catalog — the vulnerability prioritization framework. CVE-2026-33626 SSRF in LMDeploy — another critical infrastructure CVE requiring immediate patching. Also: AI Vulnerability Reports Up 210% in 2026.
