Description
In the Linux kernel, the following vulnerability has been resolved:

NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd

The /proc/fs/nfs/exports proc entry is created at module init
and persists for the module's lifetime. exports_proc_open()
captures the caller's current network namespace and stores
its svc_export_cache in seq->private, but takes no reference
on the namespace. If the namespace is subsequently torn down
(e.g. container destruction after the opener does setns() to a
different namespace), nfsd_net_exit() calls nfsd_export_shutdown()
which frees the cache. Subsequent reads on the still-open fd
dereference the freed cache_detail, walking a freed hash table.

Hold a reference on the struct net for the lifetime of the open
file descriptor. This prevents nfsd_net_exit() from running --
and thus prevents nfsd_export_shutdown() from freeing the cache
-- while any exports fd is open. cache_detail already stores
its net pointer (cd->net, set by cache_create_net()), so
exports_release() can retrieve it without additional per-file
storage.
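The lifetime rule in the description above, as an added userspace model in C (not kernel code and not the actual patch). `net_get()`, `net_put()`, the `fixed` flag and the `live` marker are hypothetical stand-ins; `live = false` represents the cache being freed, so the model never touches freed memory.

```c
#include <stdbool.h>
#include <stdio.h>

struct net;
struct cache_detail { struct net *net; bool live; };   /* live == false: freed */
struct net { int refs; struct cache_detail cache; };

static void net_init(struct net *n) {
    n->refs = 1;               /* reference held by the namespace's processes */
    n->cache.net = n;          /* models cd->net as set by cache_create_net() */
    n->cache.live = true;
}
static void net_get(struct net *n) { n->refs++; }
static void net_put(struct net *n) {
    /* Last reference gone: models nfsd_net_exit() -> nfsd_export_shutdown(). */
    if (--n->refs == 0)
        n->cache.live = false;
}
/* Models exports_proc_open(): the cache pointer goes into seq->private. */
static struct cache_detail *exports_open(struct net *n, bool fixed) {
    if (fixed)
        net_get(n);            /* the fix: pin the namespace for the fd's lifetime */
    return &n->cache;
}
/* Models exports_release(): the net is recovered from cd->net, no extra storage. */
static void exports_release(struct cache_detail *cd, bool fixed) {
    if (fixed)
        net_put(cd->net);
}
/* -1 marks the point where the kernel would walk a freed hash table. */
static int exports_read(const struct cache_detail *cd) { return cd->live ? 0 : -1; }

struct result { int read_rc; bool cache_live_after_close; };

/* Open the fd, drop the namespace's last other reference, read, then close. */
static struct result run(bool fixed) {
    struct net n;
    net_init(&n);
    struct cache_detail *cd = exports_open(&n, fixed);
    net_put(&n);               /* e.g. the container is destroyed */
    struct result r = { .read_rc = exports_read(cd) };
    exports_release(cd, fixed);
    r.cache_live_after_close = n.cache.live;
    return r;
}

int main(void) {
    printf("unpatched read: %d, patched read: %d\n", run(false).read_rc, run(true).read_rc);
    return 0;
}
```

In the patched path the teardown is deferred rather than skipped: it runs when the last exports fd is released.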
Published: 2026-04-03
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Use‑After‑Free leading to possible crash
Action: Patch immediately
AI Analysis

Impact

The NFS daemon creates a /proc/fs/nfs/exports entry that stores the current network namespace without taking a reference on it; when the namespace is torn down after the file descriptor is open, the export cache is freed. Subsequent reads on the open descriptor then dereference freed memory, which can crash the kernel or destabilize the system.

Affected Systems

All Linux systems that compile and load the NFSD module are affected. The vulnerability is present in any kernel that keeps the /proc/fs/nfs/exports entry active for the lifetime of the module, irrespective of the kernel release, so users should verify whether their running kernel contains this module and the vulnerable code path.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, but the EPSS score is below 1% and the vulnerability is not in the CISA KEV catalog, which lowers the likelihood of exploitation. If an attacker can open the /proc/fs/nfs/exports file and then alter or destroy the network namespace (a scenario that can occur in container or virtualized environments), the use‑after‑free could be triggered. The impact is primarily a denial of service, although the description does not explicitly state arbitrary code execution. Therefore the risk is moderate, largely dependent on the local access and namespace manipulation capabilities of the threat actor.

Generated by OpenCVE AI on April 28, 2026 at 16:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest kernel update that contains the NFSD patch to hold a reference on the network namespace for the lifetime of the exports file descriptor.
  • Ensure that any processes that open /proc/fs/nfs/exports do not perform a namespace teardown (e.g., avoid setns() to a new namespace) while the file descriptor remains open, reducing the chance of the cache being freed prematurely.
  • Change the permissions or ownership of the /proc/fs/nfs/exports file to restrict read access to privileged users, limiting the ability of an attacker to trigger the use‑after‑free when the namespace is torn down.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Sat, 18 Apr 2026 09:15:00 +0000


Tue, 07 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416

Sat, 04 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Fri, 03 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416

Fri, 03 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description (same text as the Description at the top of this page)
Title NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-27T14:02:50.491Z

Reserved: 2026-03-09T15:48:24.086Z

Link: CVE-2026-31403

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-03T16:16:39.467

Modified: 2026-04-27T14:16:36.280

Link: CVE-2026-31403

Redhat

Severity: Moderate

Public Date: 2026-04-03T00:00:00Z

Links: CVE-2026-31403 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T16:45:06Z

Weaknesses