{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30656", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-16T17:33:52.962Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-04-16T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-16T14:37:47.032Z"}, "descriptions": [{"lang": "en", "value": "A NULL pointer dereference vulnerability exists in fio (Flexible I/O Tester) v3.41 when parsing job files containing the fdp_pli option. The callback function str_fdp_pli_cb() does not validate the input pointer and calls strdup() on a NULL value when the option is specified without an argument. This results in a segmentation fault and process crash."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/axboe/fio/issues/2055"}, {"url": "https://gist.github.com/Criticayon/eb5e69163bfa4ce684e62ed5c939b76e"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-476", "lang": "en", "description": "CWE-476 NULL Pointer Dereference"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T17:33:28.747883Z", "id": "CVE-2026-30656", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T17:33:52.962Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-30656", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-16T17:33:28.747883Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-476", "description": "CWE-476 NULL Pointer Dereference"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T17:33:49.185Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/axboe/fio/issues/2055"}, {"url": "https://gist.github.com/Criticayon/eb5e69163bfa4ce684e62ed5c939b76e"}], "descriptions": [{"lang": "en", "value": "A NULL pointer dereference vulnerability exists in fio (Flexible I/O Tester) v3.41 when parsing job files containing the fdp_pli option. The callback function str_fdp_pli_cb() does not validate the input pointer and calls strdup() on a NULL value when the option is specified without an argument. This results in a segmentation fault and process crash."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-16T14:37:47.032Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30656", "state": "PUBLISHED", "dateUpdated": "2026-04-16T17:33:52.962Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-16T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A NULL pointer dereference vulnerability exists in fio (Flexible I/O Tester) v3.41 when parsing job files containing the fdp_pli option. The callback function str_fdp_pli_cb() does not validate the input pointer and calls strdup() on a NULL value when the option is specified without an argument. This results in a segmentation fault and process crash."}], "id": "CVE-2026-30656", "lastModified": "2026-04-16T18:16:45.117", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-16T15:17:17.873", "references": [{"source": "cve@mitre.org", "url": "https://gist.github.com/Criticayon/eb5e69163bfa4ce684e62ed5c939b76e"}, {"source": "cve@mitre.org", "url": "https://github.com/axboe/fio/issues/2055"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "fio: fio: Denial of Service via NULL pointer dereference when parsing job files", "id": "2458951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458951"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-476", "details": ["A flaw was found in fio (Flexible I/O Tester). A local user could exploit this vulnerability by providing a specially crafted job file that includes the fdp_pli option without an argument. This leads to a NULL pointer dereference, which occurs when the program attempts to access a memory location that has not been assigned, resulting in a segmentation fault and a Denial of Service (DoS) due to a process crash."], "name": "CVE-2026-30656", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "fio", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "fio", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "fio", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "fio", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-16T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-30656\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-30656\nhttps://gist.github.com/Criticayon/eb5e69163bfa4ce684e62ed5c939b76e\nhttps://github.com/axboe/fio/issues/2055"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.41"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "fio", "vendor": "axboe"}], "analysis": {"en": {"generated_at": "2026-04-17T06:24:33.799921+00:00", "value": {"mitigation_remediation": ["Upgrade fio to a version that resolves the null pointer dereference in the fdp_pli option; the fix is available in releases newer than 3.41.", "If an upgrade is not currently available, remove the fdp_pli option from job files or supply a valid argument for the option to prevent the internal call to strdup from operating on a NULL pointer.", "Configure monitoring or watchdog scripts to detect fio crashes promptly and automatically restart the process to maintain testing continuity."], "summary": {"action": "Update immediately", "impact": "Process crash via NULL pointer dereference leading to local denial of service"}, "threat_synthesis": {"affected_systems": "The affected product is fio Flexible I/O Tester v3.41 as disclosed. No other versions are listed in the advisory, so the impact is limited to installations of this exact version unless the same code path remains unchanged in later releases.", "description_and_impact": "fio (Flexible I/O Tester) version 3.41 has a flaw in the job file parser where the fdp_pli option is invoked without an argument. The callback function for this option performs a string duplication on a NULL value, resulting in a segmentation fault that terminates the process. This vulnerability allows an attacker who can supply a malformed job file to force fio to crash, disrupting any instance where it is being used for benchmarking or testing. The weakness is a classic null pointer dereference, a type of bug that typically leads to denial of service rather than code execution.", "risk_and_exploitability": "No EPSS score and no CISA KEV listing are available, implying that no public exploitation has been observed or catalogued. The likely attack vector is manual or automated input of a job file that contains the fdp_pli option without an argument; an attacker with the ability to influence job inputs can trigger the crash. Because the vulnerability causes a segmentation fault, exploitation is limited to denial of service. However, in environments where fio is run with elevated privileges or where a crash could lead to broader system instability, the risk is elevated. With a CVSS score of 7.5, the vulnerability is considered high severity and warrants immediate patching, yet it remains a local vulnerability requiring privileged or local access to craft the malicious job file."}}}}, "created": "2026-04-16T16:30:15.836613+00:00", "updated": "2026-04-17T06:30:11.606764+00:00", "vendors": ["axboe", "axboe$PRODUCT$fio"]}