CVE-2026-31577 Overview
CVE-2026-31577 is a NULL pointer dereference vulnerability in the Linux kernel's nilfs2 filesystem. The flaw resides in nilfs_mdt_save_to_shadow_map(), which assumes the Disk Address Translation (DAT) inode's btree node cache (i_assoc_inode) is initialized before use. Because i_assoc_inode is initialized lazily during btree operations, invoking the NILFS_IOCTL_CLEAN_SEGMENTS ioctl immediately after mount triggers a general protection fault during garbage collection (GC). A local user with permission to issue the GC ioctl can crash the kernel, producing a denial-of-service condition on the affected host.
Critical Impact
A local attacker can trigger a kernel general protection fault through the nilfs2 GC ioctl path, causing a system crash and denial of service.
Affected Products
- Linux Kernel (multiple stable branches; see referenced commits)
- Systems mounting nilfs2 filesystems
- Distributions shipping unpatched kernels with nilfs2 enabled
Discovery Timeline
- 2026-04-24 - CVE-2026-31577 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-31577
Vulnerability Analysis
The nilfs2 filesystem maintains metadata files, including the DAT inode used for block address translation. The DAT inode owns a btree node cache referenced through i_assoc_inode. This cache is created lazily by nilfs_attach_btree_node_cache() on the first btree operation rather than at mount time.
During garbage collection, nilfs_mdt_save_to_shadow_map() copies dirty pages from metadata inodes into a shadow map. The function dereferences i_assoc_inode without checking whether the cache has been attached. When GC executes before any btree operation has touched the DAT inode, i_assoc_inode is still NULL.
The defect is classified as [CWE-476] NULL Pointer Dereference. The bug is reachable from user space through the NILFS_IOCTL_CLEAN_SEGMENTS ioctl, which drives the cleaner's segment reclamation logic.
Root Cause
The root cause is an ordering assumption mismatch. nilfs_mdt_save_to_shadow_map() assumes i_assoc_inode is non-NULL, while nilfs_dat_read() (called at mount) never forces initialization. If a user invokes the GC ioctl before any read or write touches the DAT btree, the kernel dereferences a NULL pointer and faults.
The upstream fix calls nilfs_attach_btree_node_cache() on the DAT inode inside nilfs_dat_read(), guaranteeing i_assoc_inode is initialized before any GC operation can run.
Attack Vector
Exploitation requires local access and the ability to mount a nilfs2 filesystem and issue ioctls against it. An attacker mounts a nilfs2 volume, then issues NILFS_IOCTL_CLEAN_SEGMENTS against the mount before any btree operation has executed. The kernel enters nilfs_mdt_save_to_shadow_map(), dereferences NULL, and triggers a general protection fault. No code execution or information disclosure has been demonstrated; the impact is limited to availability.
The vulnerability manifests in the nilfs_mdt_save_to_shadow_map() function in fs/nilfs2/mdt.c. See the linked kernel.org commits for the patch diff and call-site details.
Detection Methods for CVE-2026-31577
Indicators of Compromise
- Kernel oops or general protection fault messages referencing nilfs_mdt_save_to_shadow_map in dmesg or /var/log/kern.log
- Unexpected system crashes correlated with nilfs-clean or other userland callers of NILFS_IOCTL_CLEAN_SEGMENTS
- Mount events for nilfs2 filesystems followed promptly by GC ioctl activity from unprivileged users
Detection Strategies
- Monitor kernel ring buffer output for stack traces containing nilfs_mdt_save_to_shadow_map and nilfs_clean_segments
- Audit mount syscalls for nilfs2 filesystem type, particularly on hosts where this filesystem is not expected
- Track ioctl invocations via auditd rules targeting the nilfs2 cleaner interface to identify abnormal callers
Monitoring Recommendations
- Forward kernel logs to a centralized log pipeline and alert on general protection fault signatures referencing nilfs2 symbols
- Inventory hosts with the nilfs2 kernel module loaded using lsmod and prioritize patching
- Establish baselines for legitimate nilfs2 usage so anomalous mount and ioctl sequences stand out
How to Mitigate CVE-2026-31577
Immediate Actions Required
- Apply the Linux kernel update containing the upstream fix that calls nilfs_attach_btree_node_cache() from nilfs_dat_read()
- Where patching is delayed, unload or blacklist the nilfs2 kernel module on systems that do not require it
- Restrict mount permissions for nilfs2 volumes to trusted administrative users only
Patch Information
The fix is committed across multiple stable kernel branches. Reference the upstream commits for the exact patch content: Linux kernel commit 41de342278ae, commit 449ec5fc99f4, commit 4a4e0328edd9, commit 7318e3549518, commit 97fb7afec404, and commit c36e206f302f. Update to a kernel version that includes the corresponding backport from your distribution vendor.
Workarounds
- Blacklist the nilfs2 module via /etc/modprobe.d/ to prevent loading on systems that do not require the filesystem
- Remove or restrict access to nilfs2 userland tools (nilfs-clean, nilfs-utils) so unprivileged users cannot trigger the GC ioctl
- Disable user-mounted removable media handlers for nilfs2 filesystem types until the patched kernel is deployed
# Configuration example: blacklist the nilfs2 module
echo 'blacklist nilfs2' | sudo tee /etc/modprobe.d/blacklist-nilfs2.conf
sudo depmod -a
sudo update-initramfs -u
# Verify the module is not loaded
lsmod | grep nilfs2
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
