MEDIUM 5.5

CVE-2026-46256 Linux NFS LOCALIO Recursion Deadlock Vulnerability

A recursion deadlock vulnerability exists in the Linux kernel's NFS LOCALIO feature, which optimizes loopback NFS mounts by bypassing the network when client and server run on the same system. Under memory pressure, the kernel's direct reclaim mechanism can trigger a circular chain: NFS writes → XFS filesystem → back into NFS page cache operations, causing the system to hang. The vulnerability requires local access and affects systems using LOCALIO-enabled NFS mounts. A fix ensures memory allocations in the LOCALIO code path use GFP_NOFS context to prevent this recursion.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-667
Affected products
1 configuration(s)
Published / Modified
2026-06-03 / 2026-06-17

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: NFS/localio: prevent direct reclaim recursion into NFS via nfs_writepages LOCALIO is an NFS loopback mount optimization that avoids using the network for READ, WRITE and COMMIT if the NFS client and server are determined to be on the same system. But because LOCALIO is still fundamentally "just NFS loopback mount" it is susceptible to recursion deadlock via direct reclaim, e.g.: NFS LOCALIO down to XFS and then back into NFS via nfs_writepages. Fix LOCALIO's potential for direct reclaim deadlock by ensuring that all its page cache allocations are done from GFP_NOFS context. Thanks to Ben Coddington for pointing out commit ad22c7a043c2 ("xfs: prevent stack overflows from page cache allocation").

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46256 describes a potential deadlock in the Linux kernel's NFS LOCALIO implementation (CWE-667: improper locking). LOCALIO eliminates network overhead for NFS READ, WRITE, and COMMIT operations when both client and server reside on the same host. However, under direct memory reclaim pressure, the page cache allocation path can recursively re-enter NFS via nfs_writepages, creating a circular wait condition. The vulnerability arises because LOCALIO's memory allocation context was not restricted to prevent this recursion. The fix applies GFP_NOFS (No Filesystem) flags to relevant allocation sites, ensuring the reclaim path cannot trigger additional NFS I/O that would deadlock waiting on already-held locks.

Business impact

Systems relying on NFS LOCALIO for local storage optimization may experience kernel hangs under memory pressure, leading to service unavailability. This is particularly concerning in containerized or virtualized environments where loopback NFS is used for performance and the host experiences memory contention. Affected workloads would experience sudden, unresponsive systems requiring intervention. Organizations deploying LOCALIO should prioritize patching to maintain availability, especially in production environments with variable memory demand.

Affected systems

The Linux kernel with LOCALIO enabled. This feature is typically enabled in modern distributions (kernel 5.13+) but requires explicit NFS mount options (e.g., loopback) or kernel configuration to activate. Servers performing NFS operations locally are the primary targets. The vulnerability requires local process context to trigger direct reclaim, so remote attackers cannot exploit it directly.

Exploitability

Exploitation requires local access to trigger direct memory reclaim under the vulnerable kernel's LOCALIO code path. An unprivileged local user can indirectly trigger this via memory-intensive workloads that force reclaim, causing the kernel to hang. No network access, user interaction, or elevated privileges are strictly required, though the impact manifests as a denial of service affecting all users on the system. CVSS 5.5 (MEDIUM) reflects local attack vector, low complexity, and availability impact without confidentiality or integrity loss. This is not currently tracked in CISA's KEV catalog, indicating no evidence of active exploitation in the wild.

Remediation

Apply the kernel patch that restricts LOCALIO page cache allocations to GFP_NOFS context, preventing direct reclaim from re-entering NFS. This fix has been merged into upstream Linux kernel development. End users should update to a patched kernel version provided by their Linux distribution. Verify the exact patched version against your vendor's advisory, as release cadences vary.

Patch guidance

Consult your Linux distribution's security advisories for the patched kernel version (e.g., Red Hat, Canonical, SUSE). Most distributions will backport the fix into stable branches. On systems where kernel updates are constrained, consider disabling LOCALIO (if enabled explicitly in mount options) as a temporary mitigation. Typical patching involves kernel package updates followed by reboot; test in non-production environments first to ensure compatibility with local NFS configurations.

Detection guidance

Monitor for kernel warnings or oops messages referencing NFS, page cache reclaim, or locking timeouts in dmesg logs, particularly on systems using NFS mounts with loopback options. System responsiveness issues under memory pressure combined with NFS workloads may signal exposure. Review kernel version via 'uname -r' to determine if running an affected build; compare against vendor-provided patch release notes. Kernel tracing (e.g., ftrace) can capture the recursion pattern if needed for forensics.

Why prioritize this

While CVSS 5.5 places this in MEDIUM severity, organizations heavily dependent on NFS LOCALIO for local I/O optimization should prioritize patching to prevent availability disruptions. The attack surface is narrow (requires local access and memory contention) but the impact—kernel hang—is severe for availability. Patch as soon as your distribution provides a release, especially in production environments where memory usage is variable.

Risk score, explained

CVSS 3.1 score of 5.5 reflects: Attack Vector Local (not remotely exploitable), Attack Complexity Low (direct reclaim is a normal kernel function), Privileges Required (local user sufficient), no User Interaction, no Scope change, and high Availability impact (system hang). Confidentiality and Integrity are unaffected. The score appropriately reflects a local denial-of-service risk with moderate severity.

Frequently asked questions

Does this affect my system if NFS LOCALIO is not explicitly enabled?

Most modern Linux distributions ship with LOCALIO support compiled in but require explicit mount options (loopback) or kernel parameters to activate on per-mount basis. If your NFS mounts do not use these options, the vulnerable code path is not exercised. Verify by checking mount options (mount | grep nfs) or consulting your vendor documentation on LOCALIO defaults.

Can a remote attacker exploit this over the network?

No. The vulnerability requires local process context to trigger the direct reclaim path that causes recursion. Remote attackers cannot directly trigger memory pressure on the kernel's LOCALIO code. However, a local user—even unprivileged—can indirectly trigger it via resource-intensive workloads.

What is the difference between LOCALIO and standard NFS mounting?

LOCALIO is a performance optimization that detects when NFS client and server are on the same host and bypasses the network stack, using the filesystem directly instead. Standard NFS always goes through the network stack. LOCALIO trades network overhead for potential deadlock risk if not carefully implemented; this patch corrects that risk.

Is there a workaround if I cannot patch immediately?

If LOCALIO is explicitly enabled via mount options, disabling it (e.g., removing 'loopback' option and remounting without it) will use standard NFS and avoid the vulnerability. However, this incurs network overhead. For most environments, patching is preferred. Consult your vendor for interim guidance if patching timelines are constrained.

This analysis is provided for informational and educational purposes. The vulnerability details, CVSS score, and affected products are derived from official Linux kernel disclosures and vendor advisories current as of publication. Organizations should verify patched kernel versions and compatibility against their specific Linux distribution's security advisory. Consult official vendor documentation for definitive patch guidance and support. SEC.co does not warrant the completeness or accuracy of third-party vendor data and recommends cross-referencing with primary sources. This explainer is not a substitute for professional incident response or vendor support consultation. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).