Description
In the Linux kernel, the following vulnerability has been resolved:

NFSD: Defer sub-object cleanup in export put callbacks

svc_export_put() calls path_put() and auth_domain_put() immediately
when the last reference drops, before the RCU grace period. RCU
readers in e_show() and c_show() access both ex_path (via
seq_path/d_path) and ex_client->name (via seq_escape) without
holding a reference. If cache_clean removes the entry and drops the
last reference concurrently, the sub-objects are freed while still
in use, producing a NULL pointer dereference in d_path.

Commit 2530766492ec ("nfsd: fix UAF when access ex_uuid or
ex_stats") moved kfree of ex_uuid and ex_stats into the
call_rcu callback, but left path_put() and auth_domain_put() running
before the grace period because both may sleep and call_rcu
callbacks execute in softirq context.

Replace call_rcu/kfree_rcu with queue_rcu_work(), which defers the
callback until after the RCU grace period and executes it in process
context where sleeping is permitted. This allows path_put() and
auth_domain_put() to be moved into the deferred callback alongside
the other resource releases. Apply the same fix to expkey_put(),
which has the identical pattern with ek_path and ek_client.

A dedicated workqueue scopes the shutdown drain to only NFSD
export release work items; flushing the shared
system_unbound_wq would stall on unrelated work from other
subsystems. nfsd_export_shutdown() uses rcu_barrier() followed
by flush_workqueue() to ensure all deferred release callbacks
complete before the export caches are destroyed.

Reviewed-by: Jeff Layton <jlayton@kernel.org>
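The ordering problem the commit message describes (sub-object puts running before the RCU grace period while a lockless reader still dereferences them) and the fix (deferring every put into work that runs only after the grace period, then draining that work at shutdown) can be shown in a small userspace model. The code below is an added illustration, not the kernel's code or the patch itself: a reader counter stands in for the RCU read side, a queue drained by drain_after_grace_period() stands in for queue_rcu_work() plus rcu_barrier()/flush_workqueue(), and "freed" flags stand in for memory actually being released. All struct and function names, and the sample path and client values, are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Sub-objects an export holds: its mount path and its auth domain (client).
 * The "freed" flag models the object having been released. */
struct path_obj   { const char *name; bool freed; };
struct client_obj { const char *name; bool freed; };

/* Model of the export cache entry: a refcount plus the two sub-objects. */
struct export {
    int refcount;
    struct path_obj *path;      /* stands in for ex_path */
    struct client_obj *client;  /* stands in for ex_client */
    bool freed;
};

/* Toy RCU: readers are counted; a grace period has elapsed when the count
 * is zero. Deferred work is queued here and run by the drain function. */
static int active_readers;
static struct export *deferred[8];
static int n_deferred;

static void read_lock(void)   { active_readers++; }
static void read_unlock(void) { active_readers--; }

/* Release work that must run after the grace period, in process context
 * (models the callback the fix hands to queue_rcu_work()). */
static void export_release(struct export *e)
{
    e->path->freed = true;    /* path_put() */
    e->client->freed = true;  /* auth_domain_put() */
    e->freed = true;          /* kfree() of the container */
}

/* Pre-fix behaviour: sub-objects are put immediately on the last drop;
 * only the container itself waits for the grace period. */
static void export_put_immediate(struct export *e)
{
    if (--e->refcount == 0) {
        e->path->freed = true;
        e->client->freed = true;
        deferred[n_deferred++] = e;
    }
}

/* Fixed behaviour: every release waits for the grace period. */
static void export_put_deferred(struct export *e)
{
    if (--e->refcount == 0)
        deferred[n_deferred++] = e;
}

/* Models rcu_barrier() followed by flush_workqueue(): refuses to run the
 * deferred work while any reader is still inside its read-side section. */
static bool drain_after_grace_period(void)
{
    if (active_readers > 0)
        return false;
    for (int i = 0; i < n_deferred; i++)
        export_release(deferred[i]);
    n_deferred = 0;
    return true;
}

/* Models e_show(): a reader that touches ex_path and ex_client without
 * holding a reference. True only if both were still valid. */
static bool reader_show(const struct export *e)
{
    return !e->path->freed && !e->client->freed;
}

/* One run of the race: a reader is inside its read-side section while the
 * last reference is dropped (cache_clean). Returns true if the reader saw
 * valid sub-objects and everything was released once the drain ran. */
static bool run_scenario(void (*put)(struct export *))
{
    struct path_obj path = { "/export/home", false };       /* constructed */
    struct client_obj client = { "*.example.com", false };  /* constructed */
    struct export exp = { 1, &path, &client, false };
    bool ok;

    active_readers = 0;
    n_deferred = 0;

    read_lock();                 /* e_show() starts walking the cache */
    put(&exp);                   /* cache_clean drops the last reference */
    ok = reader_show(&exp);      /* reader dereferences ex_path/ex_client */
    read_unlock();

    drain_after_grace_period();  /* now the release work may run */
    return ok && exp.freed && path.freed && client.freed;
}

static bool buggy_reader_sees_valid_objects(void) { return run_scenario(export_put_immediate); }
static bool fixed_reader_sees_valid_objects(void) { return run_scenario(export_put_deferred); }

int main(void)
{
    printf("immediate put: reader saw valid sub-objects? %s\n",
           buggy_reader_sees_valid_objects() ? "yes" : "no");
    printf("deferred put:  reader saw valid sub-objects? %s\n",
           fixed_reader_sees_valid_objects() ? "yes" : "no");
    return 0;
}
```

The model reproduces the two halves of the patch: moving the puts into the deferred work closes the window in which a reader can observe a released path or client, and the drain refusing to run while a reader is active is the property that the shutdown path's rcu_barrier()/flush_workqueue() sequence relies on.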
Published: 2026-04-03
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: Kernel Crash / Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The Linux kernel includes a use‑after‑free bug in the NFSD export put callbacks. If an NFS client is dropped while its export cache entry is still being accessed, the kernel may free the underlying path and client objects before the RCU grace period ends. This can lead to a NULL pointer dereference in d_path, causing a kernel panic. The flaw is a classic use‑after‑free error that can allow an attacker to crash the system or potentially execute code with kernel privileges.

Affected Systems

This flaw affects all deployments of the Linux kernel running the Network File System (NFS) server (nfsv4). No specific vendor or product version is listed, so any kernel built from upstream sources in which the commit is present is potentially impacted.

Risk and Exploitability

The severity cannot be quantified in CVSS terms in the supplied data, but the vulnerability is exploitable remotely over the network via the NFS protocol. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog. Attackers would need to interact with a vulnerable NFS server, and the bug is triggered during the cache invalidate path, so it requires a specially crafted request or concurrent client disconnect. Nonetheless, the bug grants a clear denial‑of‑service vector that can be used as part of a larger compromise.

Generated by OpenCVE AI on April 3, 2026 at 18:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a patched release that contains the fix commit 2530766492ec or later.
  • If a kernel update is not immediately feasible, restrict or disable the NFS service to limit exposure until a patch is applied.

Generated by OpenCVE AI on April 3, 2026 at 18:52 UTC.


Advisories

No advisories yet.

History

Sat, 04 Apr 2026 01:15:00 +0000

Type         Values Removed           Values Added
Weaknesses                            CWE-364
References
Metrics      threat_severity: None    cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}
                                      threat_severity: Moderate


Fri, 03 Apr 2026 21:30:00 +0000

Type         Values Removed           Values Added
Weaknesses                            CWE-416

Fri, 03 Apr 2026 16:30:00 +0000

Type                  Values Removed    Values Added
Description                             In the Linux kernel, the following vulnerability has been resolved: NFSD: Defer sub-object cleanup in export put callbacks svc_export_put() calls path_put() and auth_domain_put() immediately when the last reference drops, before the RCU grace period. RCU readers in e_show() and c_show() access both ex_path (via seq_path/d_path) and ex_client->name (via seq_escape) without holding a reference. If cache_clean removes the entry and drops the last reference concurrently, the sub-objects are freed while still in use, producing a NULL pointer dereference in d_path. Commit 2530766492ec ("nfsd: fix UAF when access ex_uuid or ex_stats") moved kfree of ex_uuid and ex_stats into the call_rcu callback, but left path_put() and auth_domain_put() running before the grace period because both may sleep and call_rcu callbacks execute in softirq context. Replace call_rcu/kfree_rcu with queue_rcu_work(), which defers the callback until after the RCU grace period and executes it in process context where sleeping is permitted. This allows path_put() and auth_domain_put() to be moved into the deferred callback alongside the other resource releases. Apply the same fix to expkey_put(), which has the identical pattern with ek_path and ek_client. A dedicated workqueue scopes the shutdown drain to only NFSD export release work items; flushing the shared system_unbound_wq would stall on unrelated work from other subsystems. nfsd_export_shutdown() uses rcu_barrier() followed by flush_workqueue() to ensure all deferred release callbacks complete before the export caches are destroyed. Reviewed-by: Jeff Layton <jlayton@kernel.org>
Title                                   NFSD: Defer sub-object cleanup in export put callbacks
First Time appeared                     Linux
                                        Linux linux Kernel
CPEs                                    cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products                      Linux
                                        Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-03T15:16:07.207Z

Reserved: 2026-03-09T15:48:24.086Z

Link: CVE-2026-31404

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-03T16:16:39.643

Modified: 2026-04-03T16:16:39.643

Link: CVE-2026-31404

Redhat

Severity: Moderate

Public Date: 2026-04-03T00:00:00Z

Links: CVE-2026-31404 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-03T21:15:22Z

Weaknesses