Description
In the Linux kernel, the following vulnerability has been resolved:

NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd

The /proc/fs/nfs/exports proc entry is created at module init
and persists for the module's lifetime. exports_proc_open()
captures the caller's current network namespace and stores
its svc_export_cache in seq->private, but takes no reference
on the namespace. If the namespace is subsequently torn down
(e.g. container destruction after the opener does setns() to a
different namespace), nfsd_net_exit() calls nfsd_export_shutdown()
which frees the cache. Subsequent reads on the still-open fd
dereference the freed cache_detail, walking a freed hash table.

Hold a reference on the struct net for the lifetime of the open
file descriptor. This prevents nfsd_net_exit() from running --
and thus prevents nfsd_export_shutdown() from freeing the cache
-- while any exports fd is open. cache_detail already stores
its net pointer (cd->net, set by cache_create_net()), so
exports_release() can retrieve it without additional per-file
storage.
Published: 2026-04-03
Score: 7.0 High
EPSS: n/a
KEV: No
Impact: Use-after-free memory corruption in the kernel NFS server (nfsd)
Action: Apply Patch
AI Analysis

Impact

Opening /proc/fs/nfs/exports makes the kernel's NFS server record the export cache of the caller's current network namespace in the seq_file private data (exports_proc_open()), without taking a reference on that namespace. If the namespace is destroyed later, for example when a container exits after the opener has moved to another namespace with setns(), nfsd_net_exit() frees the export cache. Reads on the still-open descriptor then walk the freed cache_detail and its hash table: a kernel use-after-free. The practical outcome is memory corruption and a kernel crash, i.e. a denial of service for the whole host; if an attacker can control what reoccupies the freed region, escalation to code execution is possible, which is why the CVSS vector rates the confidentiality, integrity and availability impact all as high.
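The lifetime problem that the commit message and the paragraph above describe, as an added user-space model (not kernel code, and not from OpenCVE or the kernel project): a refcounted namespace owns an export cache, exports_open() captures the cache pointer, and the two variants differ only in whether the open file also holds a get_net() reference. The struct and function names are borrowed from the kernel for readability; the poison flag that stands in for freed memory, the toy hash table and the three export entries are constructed for the demo.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* User-space model of the lifetime bug. Names follow the kernel's, but this is a
 * stand-alone illustration, not kernel code; a flag stands in for freed memory so the
 * bad read is reported instead of crashing the demo. */

#define EXPORT_HASH_SIZE 8

struct net;

/* Stand-in for cache_detail: owned by the namespace, torn down by nfsd_net_exit(). */
struct cache_detail {
    struct net *net;                   /* the real cd->net, set at cache creation */
    int hash_table[EXPORT_HASH_SIZE];  /* toy export hash table, non-zero = occupied */
    bool freed;                        /* model's "this memory has been kfree()d" */
};

struct net {
    int count;                         /* models the struct net reference count */
    struct cache_detail *svc_export_cache;
    bool exited;                       /* nfsd_net_exit() has run */
};

/* Per-open-file state: seq->private (the cache) plus, in the fixed variant, the
 * namespace reference that keeps that cache alive. */
struct exports_file {
    struct cache_detail *cd;
    struct net *held_net;              /* NULL in the vulnerable variant */
};

static struct net *net_create(int nexports)
{
    struct net *net = calloc(1, sizeof *net);
    struct cache_detail *cd = calloc(1, sizeof *cd);
    net->count = 1;                    /* the namespace's own reference */
    net->svc_export_cache = cd;
    cd->net = net;
    for (int i = 0; i < nexports && i < EXPORT_HASH_SIZE; i++)
        cd->hash_table[i] = 100 + i;   /* constructed export ids */
    return net;
}

/* Models nfsd_net_exit() -> nfsd_export_shutdown(): the cache is released and poisoned. */
static void nfsd_net_exit(struct net *net)
{
    struct cache_detail *cd = net->svc_export_cache;
    memset(cd->hash_table, 0x6b, sizeof cd->hash_table);
    cd->freed = true;
    net->exited = true;
}

static struct net *get_net(struct net *net) { net->count++; return net; }

static void put_net(struct net *net)
{
    if (--net->count == 0)
        nfsd_net_exit(net);            /* last reference gone: namespace teardown */
}

/* exports_proc_open(): hold_ref=false is the pre-fix code path, true is the fix. */
static struct exports_file *exports_open(struct net *current_net, bool hold_ref)
{
    struct exports_file *f = calloc(1, sizeof *f);
    f->cd = current_net->svc_export_cache;   /* seq->private */
    if (hold_ref)
        f->held_net = get_net(current_net);
    return f;
}

/* A read walks the hash table. Returns the entry count, or -1 if the cache was already
 * freed (where the real kernel would walk poisoned or reused memory). */
static int exports_read(const struct exports_file *f)
{
    if (f->cd->freed)
        return -1;
    int n = 0;
    for (int i = 0; i < EXPORT_HASH_SIZE; i++)
        if (f->cd->hash_table[i])
            n++;
    return n;
}

/* exports_release(): the fix recovers the namespace from cd->net, so no extra per-file
 * storage is needed to drop the reference. */
static void exports_release(struct exports_file *f)
{
    if (f->held_net)
        put_net(f->cd->net);
    free(f);
}

/* The sequence from the commit message: open the fd, then the container's namespace is
 * torn down (the opener has setns()'d away), then the fd is read. Returns the read result. */
static int scenario(bool hold_ref)
{
    struct net *ns = net_create(3);
    struct exports_file *f = exports_open(ns, hold_ref);
    put_net(ns);                       /* container destroyed: namespace's own ref dropped */
    int r = exports_read(f);           /* -1 = use-after-free in the vulnerable variant */
    exports_release(f);
    free(ns->svc_export_cache);
    free(ns);
    return r;
}

int main(void)
{
    printf("vulnerable: read after teardown -> %d\n", scenario(false));
    printf("fixed:      read after teardown -> %d\n", scenario(true));
    return 0;
}
```

In the vulnerable variant the namespace's last reference is dropped while the fd is still open, nfsd_net_exit() runs and the read lands on the poisoned cache; in the fixed variant the teardown is deferred until exports_release() drops the reference it took at open time, recovering the namespace from cd->net exactly as the fix does.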

Affected Systems

Any kernel whose NFS server (nfsd) module was built from source that predates this fix is affected; the bug is in mainline, so distribution kernels remain vulnerable until the commit is backported. The CVE record gives no version range (its CPE is a wildcard over linux_kernel), so treat every kernel that lacks the fix as at risk.

Risk and Exploitability

Exploitation requires a process that can open /proc/fs/nfs/exports (present whenever the nfsd module is loaded) and then arrange for the network namespace it was opened in to be torn down while the descriptor stays open. The commit message's example is an opener that setns() into another namespace before its container is destroyed; setns() on a network namespace is restricted to processes with CAP_SYS_ADMIN over the namespaces involved, and the CVSS vector (AV:L/AC:H/PR:L) accordingly rates the flaw as local, low-privilege and high-complexity. EPSS and KEV data are not yet available, but a kernel use-after-free on a freed hash table gives at least a reliable denial of service and, with control over the freed region, a path to privilege escalation, so the risk is moderate to high on hosts that run nfsd alongside untrusted containers or users.

Generated by OpenCVE AI on April 3, 2026 at 19:21 UTC.

Remediation

No distribution advisory is listed yet. The upstream fix is the kernel commit quoted in the Description (hold a reference on struct net for the lifetime of an open /proc/fs/nfs/exports descriptor); no workaround short of running a fixed kernel is provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a build that carries the upstream fix for this CVE (the commit titled above); the record gives no version range, so check your vendor's changelog for the commit or the CVE id.
  • Until the fixed kernel is running, look for processes that hold /proc/fs/nfs/exports open, in particular container workloads or tools that switch network namespaces, since a descriptor that outlives its namespace is what triggers the use-after-free.
  • After updating, reboot into the patched kernel (or apply it with your distribution's kernel live-patching mechanism if one is offered for this fix); the vulnerable code runs inside the kernel, so installing the package alone changes nothing.
  • Restart container runtimes and any NFS-exporting workloads after the kernel update so that no long-lived process keeps a descriptor that was opened under the old code.
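An added example, not OpenCVE's or the kernel project's code, of the second check above: a C scanner that walks /proc/<pid>/fd, readlink()s each descriptor and lists the processes holding /proc/fs/nfs/exports open (the same information a root shell gets from `find /proc/[0-9]*/fd -lname /proc/fs/nfs/exports`). The make_fake_proc() fixture with pids 123 and 456 is constructed so the scanner can be tried offline; against the real /proc it must run as root to see other users' processes.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <ctype.h>
#include <dirent.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Link target that /proc/<pid>/fd/<n> shows for an open exports file. */
#define EXPORTS_PATH "/proc/fs/nfs/exports"

/* Walks proc_root/<pid>/fd/<n>, readlink()s each entry and prints every descriptor that
 * refers to the exports file. Returns how many it found, or -1 if proc_root cannot be read.
 * Use "/proc" on a live host; unreadable fd directories (other users' processes) are skipped. */
static int count_exports_fds(const char *proc_root)
{
    DIR *procdir = opendir(proc_root);
    if (!procdir)
        return -1;
    int found = 0;
    struct dirent *pe;
    while ((pe = readdir(procdir)) != NULL) {
        if (!isdigit((unsigned char)pe->d_name[0]))
            continue;                                  /* not a PID directory */
        char fddir[PATH_MAX];
        snprintf(fddir, sizeof fddir, "%s/%s/fd", proc_root, pe->d_name);
        DIR *fds = opendir(fddir);
        if (!fds)
            continue;                                  /* process gone, or EACCES */
        struct dirent *fe;
        while ((fe = readdir(fds)) != NULL) {
            if (fe->d_name[0] == '.')
                continue;
            char link[PATH_MAX + NAME_MAX + 2], target[PATH_MAX];
            snprintf(link, sizeof link, "%s/%s", fddir, fe->d_name);
            ssize_t n = readlink(link, target, sizeof target - 1);
            if (n < 0)
                continue;                              /* closed between readdir and readlink */
            target[n] = '\0';
            if (strcmp(target, EXPORTS_PATH) == 0) {
                printf("pid %s fd %s -> %s\n", pe->d_name, fe->d_name, target);
                found++;
            }
        }
        closedir(fds);
    }
    closedir(procdir);
    return found;
}

/* Constructed stand-in for /proc so the scanner can be exercised offline (not a real process
 * table): pid 123 holds the exports file on fd 3 and /dev/null on fd 0, pid 456 holds an
 * unrelated file. Returns the directory path, or NULL if it could not be created. */
static const char *make_fake_proc(void)
{
    static char root[64];
    if (root[0])
        return root;                                   /* already built */
    snprintf(root, sizeof root, "/tmp/fakeproc.%ld", (long)getpid());
    const char *dirs[] = { "", "/123", "/123/fd", "/456", "/456/fd" };
    char p[PATH_MAX];
    for (size_t i = 0; i < sizeof dirs / sizeof dirs[0]; i++) {
        snprintf(p, sizeof p, "%s%s", root, dirs[i]);
        if (mkdir(p, 0700) != 0 && errno != EEXIST) { root[0] = '\0'; return NULL; }
    }
    struct { const char *target, *link; } links[] = {
        { EXPORTS_PATH, "/123/fd/3" }, { "/dev/null", "/123/fd/0" }, { "/etc/exports", "/456/fd/4" },
    };
    for (size_t i = 0; i < sizeof links / sizeof links[0]; i++) {
        snprintf(p, sizeof p, "%s%s", root, links[i].link);
        if (symlink(links[i].target, p) != 0 && errno != EEXIST) { root[0] = '\0'; return NULL; }
    }
    return root;
}

int main(int argc, char **argv)
{
    const char *root = argc > 1 ? argv[1] : "/proc";   /* pass the fixture dir to try it offline */
    int n = count_exports_fds(root);
    if (n < 0) { perror(root); return 1; }
    printf("%d open descriptor(s) on " EXPORTS_PATH " under %s\n", n, root);
    return n ? 2 : 0;                                  /* non-zero exit = something still holds it */
}
```

The scanner only reports descriptors; whether a given holder is dangerous depends on whether its network namespace can go away before it closes the file, which is why container workloads and namespace-switching tools are the ones worth inspecting first.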

Generated by OpenCVE AI on April 3, 2026 at 19:21 UTC.

Advisories

No advisories yet.

History

Sat, 04 Apr 2026 01:15:00 +0000

Type        Values Removed          Values Added
Weaknesses                          CWE-825
References
Metrics     threat_severity: None   cvssV3_1: {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
                                    threat_severity: Moderate


Fri, 03 Apr 2026 21:30:00 +0000

Type        Values Removed          Values Added
Weaknesses                          CWE-362, CWE-416

Fri, 03 Apr 2026 16:30:00 +0000

Type                 Values Removed   Values Added
Description                           (initial text; identical to the Description section at the top of this page)
Title                                 NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd
First Time appeared                   Linux; Linux linux Kernel
CPEs                                  cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products                    Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-03T15:16:06.444Z

Reserved: 2026-03-09T15:48:24.086Z

Link: CVE-2026-31403

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-03T16:16:39.467

Modified: 2026-04-03T16:16:39.467

Link: CVE-2026-31403

Redhat

Severity : Moderate

Public Date: 2026-04-03T00:00:00Z

Links: CVE-2026-31403 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-03T21:15:23Z

Weaknesses