CVE-2026-46256 Overview
CVE-2026-46256 is a Linux kernel vulnerability in the NFS LOCALIO subsystem. LOCALIO is an NFS loopback mount optimization that bypasses the network stack for READ, WRITE, and COMMIT operations when the NFS client and server reside on the same system. The flaw allows direct reclaim recursion back into NFS through nfs_writepages, which can produce a recursion deadlock. The issue arises because LOCALIO remains fundamentally an NFS loopback mount and inherits its memory reclaim hazards. A typical recursion path traverses NFS LOCALIO down to XFS and then back into NFS through nfs_writepages.
Critical Impact
A memory pressure event on systems using NFS LOCALIO can trigger a recursive direct reclaim path that deadlocks kernel I/O threads and stalls filesystem operations.
Affected Products
- Linux kernel versions containing the NFS LOCALIO loopback optimization
- Systems where the NFS client and NFS server are co-located on the same host
- Workloads that stack NFS LOCALIO over XFS or similar local filesystems
Discovery Timeline
- 2026-06-03 - CVE-2026-46256 published to the National Vulnerability Database
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-46256
Vulnerability Analysis
The vulnerability is a kernel-level deadlock condition triggered by direct memory reclaim recursing back into NFS. LOCALIO short-circuits the network path for co-located NFS client and server, but its page cache allocations were performed in a context that permitted filesystem reentry. When the kernel enters direct reclaim during a page cache allocation, the reclaim path can call into nfs_writepages to flush dirty NFS pages. Because LOCALIO routes that write through the local backing filesystem (for example, XFS), and that filesystem may itself trigger further allocations, the call chain can loop back into NFS.
The maintainers reference an analogous XFS fix in commit ad22c7a043c2 ("xfs: prevent stack overflows from page cache allocation"), which addressed the same class of stack and reclaim recursion problem. The Linux NFS maintainers resolved the LOCALIO variant by ensuring all LOCALIO page cache allocations occur under GFP_NOFS context, which prevents the allocator from reentering filesystem code paths during reclaim.
Root Cause
The root cause is the use of an allocation context that permits filesystem reentry (GFP flags without __GFP_FS masked off) within LOCALIO page cache paths. When memory pressure invokes direct reclaim on those allocations, the reclaim machinery may dispatch writeback through nfs_writepages, which in the LOCALIO topology calls back into local filesystem code and ultimately into NFS again. This is a recursion and resource-exhaustion defect rather than a memory-safety bug.
Attack Vector
Exploitation is not a typical remote attack vector. The condition is triggered by legitimate workload behavior on hosts that mount NFS exports served by the same kernel via LOCALIO. A local user or workload that generates sufficient dirty page pressure on the NFS LOCALIO mount can induce the recursive reclaim path. The result is a denial-of-service condition affecting I/O throughput and potentially the broader system.
No verified proof-of-concept code is published. Technical details are available in the upstream Linux kernel commits referenced in the kernel.org commit 67435d2d8a33, kernel.org commit 6a5de0c4fc0f, and kernel.org commit ae26a4cf2baf.
Detection Methods for CVE-2026-46256
Indicators of Compromise
- Kernel hung task warnings referencing nfs_writepages in the call stack
- Soft lockup or stalled task reports involving NFS LOCALIO mounts under memory pressure
- Sustained high kswapd activity coinciding with NFS write stalls on co-located client/server hosts
Detection Strategies
- Inventory hosts running co-located NFS client and server with LOCALIO enabled and correlate kernel versions against patched stable releases
- Parse dmesg and journalctl -k output for hung task traces that include NFS writeback and direct reclaim frames
- Monitor /proc/pressure/memory and /proc/pressure/io for sustained stall ratios on affected hosts
Monitoring Recommendations
- Forward kernel logs to a centralized analytics platform and alert on INFO: task ... blocked events that involve NFS writeback symbols
- Track NFS server-side I/O latency on hosts with LOCALIO enabled and alert on sudden drops in throughput
- Maintain version inventory of Linux kernels across the fleet to flag unpatched hosts running NFS LOCALIO
How to Mitigate CVE-2026-46256
Immediate Actions Required
- Identify all systems running NFS LOCALIO with the NFS client and server on the same host
- Apply the upstream kernel fixes that enforce GFP_NOFS allocation context in NFS LOCALIO page cache paths
- Reboot affected systems after kernel package updates to ensure the patched kernel is active
Patch Information
The fix forces all LOCALIO page cache allocations to use GFP_NOFS, preventing direct reclaim from recursing into filesystem code. The patches are merged upstream and backported to stable kernel branches. Refer to the kernel.org commit 67435d2d8a33, kernel.org commit 6a5de0c4fc0f, and kernel.org commit ae26a4cf2baf for the specific changes. Apply the corresponding distribution kernel updates as they become available.
Workarounds
- Disable the NFS LOCALIO optimization on affected hosts until patched kernels are deployed
- Separate the NFS client and server onto distinct hosts to eliminate the loopback path that LOCALIO optimizes
- Reduce memory pressure on co-located NFS hosts by tuning vm.dirty_ratio and vm.dirty_background_ratio to flush dirty pages earlier
# Reduce dirty page accumulation to lower the probability of direct reclaim under load
sysctl -w vm.dirty_background_ratio=5
sysctl -w vm.dirty_ratio=10
# Verify running kernel version against patched stable releases
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
