Description
In the Linux kernel, the following vulnerability has been resolved:

NFSD: Defer sub-object cleanup in export put callbacks

svc_export_put() calls path_put() and auth_domain_put() immediately
when the last reference drops, before the RCU grace period. RCU
readers in e_show() and c_show() access both ex_path (via
seq_path/d_path) and ex_client->name (via seq_escape) without
holding a reference. If cache_clean removes the entry and drops the
last reference concurrently, the sub-objects are freed while still
in use, producing a NULL pointer dereference in d_path.

Commit 2530766492ec ("nfsd: fix UAF when access ex_uuid or
ex_stats") moved kfree of ex_uuid and ex_stats into the
call_rcu callback, but left path_put() and auth_domain_put() running
before the grace period because both may sleep and call_rcu
callbacks execute in softirq context.

Replace call_rcu/kfree_rcu with queue_rcu_work(), which defers the
callback until after the RCU grace period and executes it in process
context where sleeping is permitted. This allows path_put() and
auth_domain_put() to be moved into the deferred callback alongside
the other resource releases. Apply the same fix to expkey_put(),
which has the identical pattern with ek_path and ek_client.

A dedicated workqueue scopes the shutdown drain to only NFSD
export release work items; flushing the shared
system_unbound_wq would stall on unrelated work from other
subsystems. nfsd_export_shutdown() uses rcu_barrier() followed
by flush_workqueue() to ensure all deferred release callbacks
complete before the export caches are destroyed.

Reviewed-by: Jeff Layton <jlayton@kernel.org>
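To make the mechanism in the commit message concrete, here is an added userspace C model; it is not kernel code and not part of the commit. It stands in for RCU read sections and queue_rcu_work() with a single-threaded ticket scheme: a buggy put releases the sub-objects the moment the last reference drops, a fixed put queues the whole release behind a grace period, and a scenario replays the e_show()/cache_clean race described above. Every type and function name here (struct export_entry, model_rcu_read_lock, export_put_deferred, race_scenario and so on) is an assumption of the model, and the sample path and client values are constructed.

```c
#include <stdbool.h>
#include <stdlib.h>

#define MAX_READERS 8

/* Stands in for ex_path / ex_client->name. A flag replaces an actual free so
 * the scenario can tell whether a reader observed a released object. */
struct sub { const char *name; bool freed; };

/* Stands in for struct svc_export (hypothetical model type). */
struct export_entry { int refcount; struct sub *path; struct sub *client; };

/* --- minimal single-threaded model of RCU read sections and grace periods --- */
static unsigned long next_ticket = 1;            /* monotonic ticket counter */
static unsigned long reader_ticket[MAX_READERS]; /* 0 == slot free */

/* Release work queued behind a grace period (models queue_rcu_work()). */
struct deferred_release {
    unsigned long ticket;  /* all readers holding an older ticket must exit first */
    struct export_entry *ex;
    struct deferred_release *next;
};
static struct deferred_release *pending;

/* Reader (e_show()-style) enters its read section; returns a slot id. */
int model_rcu_read_lock(void) {
    for (int i = 0; i < MAX_READERS; i++)
        if (reader_ticket[i] == 0) { reader_ticket[i] = next_ticket++; return i; }
    abort();
}
void model_rcu_read_unlock(int slot) { reader_ticket[slot] = 0; }

/* Elapsed once no reader that entered before the item was queued is still
 * active; readers that entered later do not extend it, as with real RCU. */
static bool grace_period_elapsed(const struct deferred_release *d) {
    for (int i = 0; i < MAX_READERS; i++)
        if (reader_ticket[i] != 0 && reader_ticket[i] < d->ticket) return false;
    return true;
}

/* Work function: runs after the grace period in process context, so the
 * sleepable path_put()/auth_domain_put() equivalents belong here. */
static void export_release_work(struct export_entry *ex) {
    ex->path->freed = true;    /* path_put(&ex->ex_path) */
    ex->client->freed = true;  /* auth_domain_put(ex->ex_client) */
    free(ex);
}

/* Run every queued release whose grace period has elapsed; returns the count. */
int run_deferred_releases(void) {
    int ran = 0;
    for (struct deferred_release **pp = &pending; *pp; ) {
        struct deferred_release *d = *pp;
        if (!grace_period_elapsed(d)) { pp = &d->next; continue; }
        *pp = d->next;
        export_release_work(d->ex);
        free(d);
        ran++;
    }
    return ran;
}

/* Buggy put: sub-objects released the moment the last reference drops. */
void export_put_immediate(struct export_entry *ex) {
    if (--ex->refcount == 0) export_release_work(ex);
}

/* Fixed put: the whole release is queued behind a grace period. */
void export_put_deferred(struct export_entry *ex) {
    if (--ex->refcount != 0) return;
    struct deferred_release *d = malloc(sizeof *d);
    d->ticket = next_ticket++;
    d->ex = ex;
    d->next = pending;
    pending = d;
}

static struct export_entry *new_export(struct sub *path, struct sub *client) {
    struct export_entry *ex = malloc(sizeof *ex);
    ex->refcount = 1; ex->path = path; ex->client = client;
    return ex;
}

/* The race from the advisory: the reader is inside its read section when
 * cache_clean drops the last reference. Returns 1 if the reader only ever saw
 * live sub-objects and both were still released afterwards, 0 otherwise. */
int race_scenario(bool use_deferred_put) {
    struct sub path = { "/srv/export", false };  /* constructed sample values */
    struct sub client = { "*", false };
    struct export_entry *ex = new_export(&path, &client);

    int slot = model_rcu_read_lock();            /* e_show() starts */
    if (use_deferred_put) export_put_deferred(ex);   /* cache_clean: last ref */
    else export_put_immediate(ex);
    run_deferred_releases();                     /* work must not run yet */
    bool saw_live = !path.freed && !client.freed;  /* seq_path()/seq_escape() */
    model_rcu_read_unlock(slot);                 /* e_show() ends */
    run_deferred_releases();                     /* grace period over: runs now */
    return saw_live && path.freed && client.freed;
}
```

race_scenario(false) reproduces the defect (the reader sees released sub-objects) and race_scenario(true) shows the deferred put keeping them alive until the reader has left, while still releasing them afterwards. The ticket check is the model's version of the grace-period rule: only readers that entered before the release was queued hold it back, which is also why the shutdown path in the commit needs rcu_barrier() followed by a workqueue flush, since a queued work item may still be waiting on an older reader.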
Published: 2026-04-03
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Kernel crash due to null pointer dereference in NFSD leading to denial of service
Action: Immediate Patch
AI Analysis

Impact

A flaw in the Linux NFS server causes a use‑after‑free when export objects are released prematurely. Clean‑up functions free the path and client name before the RCU grace period ends, so an RCU reader that accesses these objects can dereference a NULL pointer and trigger a kernel panic. The crash disrupts all kernel operations, effectively denying service to the host.

Affected Systems

All Linux kernels that include the NFS daemon but have not incorporated commit 2530766492ec are vulnerable. Exact version boundaries are not listed, so any kernel built before this commit—across mainstream distributions and custom builds—may be affected. Systems that never run the nfsd service are not susceptible.

Risk and Exploitability

The CVSS score of 7.8 reflects high severity, while the EPSS score is below 1 %, indicating a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker must first obtain code execution at kernel level or leverage a privileged NFS operation to trigger the affected code path; the result is a denial‑of‑service rather than arbitrary code execution.

Generated by OpenCVE AI on April 28, 2026 at 08:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes commit 2530766492ec to defer NFSD export cleanup until after the RCU grace period
  • If a kernel upgrade cannot be performed immediately, disable or restrict access to the NFS service until the patch is available
  • Monitor kernel logs for crashes or denial‑of‑service incidents and verify that high‑availability or failover mechanisms can maintain service continuity

Generated by OpenCVE AI on April 28, 2026 at 08:48 UTC.

Tracking


Advisories

No advisories yet.

History

Mon, 27 Apr 2026 14:15:00 +0000

Metrics
  Values Removed: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}
  Values Added:   cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Tue, 07 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Sat, 04 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-364
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Fri, 03 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Fri, 03 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: NFSD: Defer sub-object cleanup in export put callbacks svc_export_put() calls path_put() and auth_domain_put() immediately when the last reference drops, before the RCU grace period. RCU readers in e_show() and c_show() access both ex_path (via seq_path/d_path) and ex_client->name (via seq_escape) without holding a reference. If cache_clean removes the entry and drops the last reference concurrently, the sub-objects are freed while still in use, producing a NULL pointer dereference in d_path. Commit 2530766492ec ("nfsd: fix UAF when access ex_uuid or ex_stats") moved kfree of ex_uuid and ex_stats into the call_rcu callback, but left path_put() and auth_domain_put() running before the grace period because both may sleep and call_rcu callbacks execute in softirq context. Replace call_rcu/kfree_rcu with queue_rcu_work(), which defers the callback until after the RCU grace period and executes it in process context where sleeping is permitted. This allows path_put() and auth_domain_put() to be moved into the deferred callback alongside the other resource releases. Apply the same fix to expkey_put(), which has the identical pattern with ek_path and ek_client. A dedicated workqueue scopes the shutdown drain to only NFSD export release work items; flushing the shared system_unbound_wq would stall on unrelated work from other subsystems. nfsd_export_shutdown() uses rcu_barrier() followed by flush_workqueue() to ensure all deferred release callbacks complete before the export caches are destroyed. Reviewed-by: Jeff Layton <jlayton@kernel.org>
Title NFSD: Defer sub-object cleanup in export put callbacks
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-27T14:02:51.403Z

Reserved: 2026-03-09T15:48:24.086Z

Link: CVE-2026-31404

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-03T16:16:39.643

Modified: 2026-04-27T14:16:36.407

Link: CVE-2026-31404

Redhat

Severity : Moderate

Public Date: 2026-04-03T00:00:00Z

Links: CVE-2026-31404 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T09:00:06Z

Weaknesses