CVE-2026-31404
Status: Received - Intake
Use-After-Free Vulnerability in Linux Kernel NFSD Export Cleanup

Publication date: 2026-04-03

Last updated on: 2026-04-27

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

NFSD: Defer sub-object cleanup in export put callbacks

svc_export_put() calls path_put() and auth_domain_put() immediately when the last reference drops, before the RCU grace period. RCU readers in e_show() and c_show() access both ex_path (via seq_path/d_path) and ex_client->name (via seq_escape) without holding a reference. If cache_clean removes the entry and drops the last reference concurrently, the sub-objects are freed while still in use, producing a NULL pointer dereference in d_path.

Commit 2530766492ec ("nfsd: fix UAF when access ex_uuid or ex_stats") moved kfree of ex_uuid and ex_stats into the call_rcu callback, but left path_put() and auth_domain_put() running before the grace period because both may sleep and call_rcu callbacks execute in softirq context.

Replace call_rcu/kfree_rcu with queue_rcu_work(), which defers the callback until after the RCU grace period and executes it in process context where sleeping is permitted. This allows path_put() and auth_domain_put() to be moved into the deferred callback alongside the other resource releases.

Apply the same fix to expkey_put(), which has the identical pattern with ek_path and ek_client.

A dedicated workqueue scopes the shutdown drain to only NFSD export release work items; flushing the shared system_unbound_wq would stall on unrelated work from other subsystems. nfsd_export_shutdown() uses rcu_barrier() followed by flush_workqueue() to ensure all deferred release callbacks complete before the export caches are destroyed.

Reviewed-by: Jeff Layton <[email protected]>
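As an added illustration (this is not the kernel's code and not part of this record), the following userspace C model shows why the ordering described above matters: a reader inside an RCU read-side section touches a sub-object while the last reference is dropped concurrently. The names export_entry, refcount, path and sub_object_release() are simplified stand-ins for svc_export, ex_path and path_put(); the grace period is modelled as a count of active readers, and the RCU work queue as a list of release items that runs only once no reader is active. Releasing poisons the object instead of calling free() so the reader's observation can be checked rather than crashing.

```c
/* Userspace model of the export-put ordering (added example, not kernel code). */
#include <stdio.h>

/* Stand-in for the object ex_path refers to; poisoned on release instead of freed. */
struct sub_object {
    int alive;          /* 1 while valid, 0 once "path_put()" has run */
    char name[32];
};

/* Stand-in for svc_export: a reference count and one sub-object pointer. */
struct export_entry {
    int refcount;
    struct sub_object *path;   /* models ex_path */
};

/* Model of RCU: readers currently inside a read-side section, plus the
   deferred release work that may only run after they have all left. */
static int rcu_readers = 0;
static struct export_entry *deferred[8];
static int ndeferred = 0;

static void rcu_read_lock_m(void)   { rcu_readers++; }
static void rcu_read_unlock_m(void) { rcu_readers--; }

/* What path_put() does to the sub-object when it releases it. */
static void sub_object_release(struct sub_object *o) { o->alive = 0; }

/* Buggy pattern: release the sub-object as soon as the last reference drops,
   i.e. before the grace period, exactly what the fixed svc_export_put() did. */
static void export_put_immediate(struct export_entry *e)
{
    if (--e->refcount == 0)
        sub_object_release(e->path);   /* runs while a reader may still use it */
}

/* Fixed pattern: queue the whole release to run after the grace period, in
   a context where sleeping puts are allowed, as queue_rcu_work() does. */
static void export_put_deferred(struct export_entry *e)
{
    if (--e->refcount == 0)
        deferred[ndeferred++] = e;
}

/* Model of "grace period elapsed, work item ran": legal only with no reader inside. */
static void run_deferred_work(void)
{
    if (rcu_readers != 0)
        return;                        /* grace period has not ended yet */
    for (int i = 0; i < ndeferred; i++)
        sub_object_release(deferred[i]->path);
    ndeferred = 0;
}

/* Reader modelled on e_show(): enters the read-side section without taking a
   reference; cache_clean drops the last reference concurrently; the reader
   then dereferences the sub-object. Returns 1 if it was still valid, 0 if the
   reader observed an already released object (the use-after-free). */
static int race_reader(void (*put)(struct export_entry *))
{
    struct sub_object path = { .alive = 1, .name = "/export/share" };  /* constructed sample */
    struct export_entry e = { .refcount = 1, .path = &path };

    rcu_read_lock_m();
    put(&e);                 /* last reference dropped mid-read */
    run_deferred_work();     /* cannot run yet: a reader is still active */
    int ok = e.path->alive;  /* the seq_path(ex_path) access */
    rcu_read_unlock_m();
    run_deferred_work();     /* grace period over: deferred release now runs */
    return ok;
}

int reader_with_immediate_put(void) { return race_reader(export_put_immediate); }
int reader_with_deferred_put(void)  { return race_reader(export_put_deferred); }

int main(void)
{
    printf("immediate put: reader saw a %s object\n",
           reader_with_immediate_put() ? "valid" : "released");
    printf("deferred put:  reader saw a %s object\n",
           reader_with_deferred_put() ? "valid" : "released");
    return 0;
}
```

Build with any C99 compiler (for example `cc -std=c99 -Wall model.c`). The immediate variant lets the reader observe a released object; the deferred variant releases only after the read-side section ends, which is the property the real fix restores by moving path_put() and auth_domain_put() into the queue_rcu_work() callback.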
Meta Information
Published: 2026-04-03
Last Modified: 2026-04-27
Generated: 2026-05-07
AI Q&A: 2026-04-03
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products
Showing 2 associated CPEs

Vendor        Product       Version / Range
linux_kernel  nfsd          *
linux         linux_kernel  *
CWE ID: CWE-UNKNOWN
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been resolved in the Linux kernel by deferring the cleanup of sub-objects in export put callbacks to after the RCU grace period, preventing use-after-free conditions.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes the fix described, which replaces call_rcu/kfree_rcu with queue_rcu_work() to defer callbacks safely.


Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's NFS daemon (NFSD) related to how sub-objects are cleaned up during export put callbacks. Specifically, functions like svc_export_put() prematurely call path_put() and auth_domain_put() to release resources before the Read-Copy-Update (RCU) grace period ends. Meanwhile, RCU readers access these resources without holding proper references, which can lead to the sub-objects being freed while still in use. This causes a NULL pointer dereference in the d_path function.

The fix involves deferring the cleanup of these sub-objects until after the RCU grace period by replacing call_rcu/kfree_rcu with queue_rcu_work(), which executes the cleanup in process context where sleeping is allowed. This ensures that path_put() and auth_domain_put() are called safely after the grace period, preventing use-after-free errors.


How can this vulnerability impact me?

This vulnerability can cause a NULL pointer dereference in the Linux kernel's NFS daemon, which may lead to system instability or crashes when the affected code path is executed. Such crashes could result in denial of service conditions for systems relying on NFS exports, potentially disrupting access to shared files and services.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided CVE description does not include any information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

