CVE-2026-31403
Received Received - Intake
Use-After-Free Vulnerability in Linux Kernel NFS Proc Interface

Publication date: 2026-04-03

Last updated on: 2026-04-27

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd The /proc/fs/nfs/exports proc entry is created at module init and persists for the module's lifetime. exports_proc_open() captures the caller's current network namespace and stores its svc_export_cache in seq->private, but takes no reference on the namespace. If the namespace is subsequently torn down (e.g. container destruction after the opener does setns() to a different namespace), nfsd_net_exit() calls nfsd_export_shutdown() which frees the cache. Subsequent reads on the still-open fd dereference the freed cache_detail, walking a freed hash table. Hold a reference on the struct net for the lifetime of the open file descriptor. This prevents nfsd_net_exit() from running -- and thus prevents nfsd_export_shutdown() from freeing the cache -- while any exports fd is open. cache_detail already stores its net pointer (cd->net, set by cache_create_net()), so exports_release() can retrieve it without additional per-file storage.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-03
Last Modified
2026-04-27
Generated
2026-05-07
AI Q&A
2026-04-03
EPSS Evaluated
2026-05-05
NVD
CVE-2026-31403
EUVD
EUVD-2026-18788
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's NFS server (NFSD) related to the handling of the /proc/fs/nfs/exports proc entry. When this proc entry is opened, it captures the caller's current network namespace but does not hold a reference to it. If the network namespace is destroyed (for example, when a container is destroyed after the opener switches namespaces), the kernel frees the associated cache. However, if the file descriptor remains open, subsequent reads dereference freed memory, leading to use-after-free issues.

The fix involves holding a reference to the network namespace for the lifetime of the open file descriptor, preventing the namespace from being torn down and the cache from being freed while the file descriptor is still open.


How can this vulnerability impact me? :

This vulnerability can lead to use-after-free conditions in the kernel, which may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code with kernel privileges. This can compromise the security and reliability of systems running the affected Linux kernel, especially those using NFS services in containerized environments.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is resolved by holding a reference on the struct net for the lifetime of the open file descriptor to prevent the cache from being freed while any exports file descriptor is open.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart