{"id":"CVE-2026-43470","summary":"nfs: return EISDIR on nfs3_proc_create if d_alias is a dir","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnfs: return EISDIR on nfs3_proc_create if d_alias is a dir\n\nIf we found an alias through nfs3_do_create/nfs_add_or_obtain\n/d_splice_alias which happens to be a dir dentry, we don't return\nany error, and simply forget about this alias, but the original\ndentry we were adding and passed as parameter remains negative.\n\nThis later causes an oops on nfs_atomic_open_v23/finish_open since we\nsupply a negative dentry to do_dentry_open.\n\nThis has been observed running lustre-racer, where dirs and files are\ncreated/removed concurrently with the same name and O_EXCL is not\nused to open files (frequent file redirection).\n\nWhile d_splice_alias typically returns a directory alias or NULL, we\nexplicitly check d_is_dir() to ensure that we don't attempt to perform\nfile operations (like finish_open) on a directory inode, which triggers\nthe observed oops.","modified":"2026-07-11T03:53:33.951946570Z","published":"2026-05-08T14:22:30.218Z","related":["SUSE-SU-2026:22108-1","SUSE-SU-2026:22137-1","SUSE-SU-2026:22433-1","SUSE-SU-2026:22458-1","SUSE-SU-2026:2482-1","SUSE-SU-2026:2591-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43470.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/203c792cb4315360d49973ae2e57feeb6d3dcf7e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/410666a298c34ebd57256fde6b24c96bd23059a2"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7e2963773760a664684435201960dd2fb712f1b5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9ee1770fcb2f1b48354622b926e7dc10222805f5"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43470.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43470"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"7c6c5249f061b64fc6b5b90bc147169a048691bf"},{"fixed":"7e2963773760a664684435201960dd2fb712f1b5"},{"fixed":"203c792cb4315360d49973ae2e57feeb6d3dcf7e"},{"fixed":"9ee1770fcb2f1b48354622b926e7dc10222805f5"},{"fixed":"410666a298c34ebd57256fde6b24c96bd23059a2"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43470.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.10.0"},{"fixed":"6.12.78"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.19"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.9"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43470.json"}}],"schema_version":"1.7.5"}