NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd

The /proc/fs/nfs/exports proc entry is created at module init
and persists for the module's lifetime. exports_proc_open()
captures the caller's current network namespace and stores
its svc_export_cache in seq->private, but takes no reference
on the namespace. If the namespace is subsequently torn down
(e.g. container destruction after the opener does setns() to a
different namespace), nfsd_net_exit() calls nfsd_export_shutdown()
which frees the cache. Subsequent reads on the still-open fd
dereference the freed cache_detail, walking a freed hash table.

Hold a reference on the struct net for the lifetime of the open
file descriptor. This prevents nfsd_net_exit() from running --
and thus prevents nfsd_export_shutdown() from freeing the cache
-- while any exports fd is open. cache_detail already stores
its net pointer (cd->net, set by cache_create_net()), so
exports_release() can retrieve it without additional per-file
storage.

Basic Information

ID CVE-2026-31403

Source Linux

Published Apr 3, 2026 at 15:16

Modified Apr 27, 2026 at 14:02

Affected Product

Vendor Linux

Product Linux

Version 96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5

Affected Versions Linux Linux 96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5
Linux Linux 96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5
Linux Linux 96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5
Linux Linux 96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5
Linux Linux 96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5
Linux Linux 96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5
Linux Linux 96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5
Linux Linux 3.9

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd\n\nThe /proc/fs/nfs/exports proc entry is created at module init\nand persists for the module's lifetime. exports_proc_open()\ncaptures the caller's current network namespace and stores\nits svc_export_cache in seq->private, but takes no reference\non the namespace. If the namespace is subsequently torn down\n(e.g. container destruction after the opener does setns() to a\ndifferent namespace), nfsd_net_exit() calls nfsd_export_shutdown()\nwhich frees the cache. Subsequent reads on the still-open fd\ndereference the freed cache_detail, walking a freed hash table.\n\nHold a reference on the struct net for the lifetime of the open\nfile descriptor. This prevents nfsd_net_exit() from running --\nand thus prevents nfsd_export_shutdown() from freeing the cache\n-- while any exports fd is open. cache_detail already stores\nits net pointer (cd->net, set by cache_create_net()), so\nexports_release() can retrieve it without additional per-file\nstorage.",
    "published": "2026-04-03T15:16:06.444Z",
    "modified": "2026-04-27T14:02:50.491Z",
    "type": "cve",
    "title": "NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/76740c28050dc6db2f5550f1325b00a11bbb3255\nhttps://git.kernel.org/stable/c/c7f406fb341d6747634b8b1fa5461656e5e56076\nhttps://git.kernel.org/stable/c/d1a19217995df9c7e4118f5a2820c5032fef2945\nhttps://git.kernel.org/stable/c/e3d77f935639e6ae4b381c80464c31df998d61f4\nhttps://git.kernel.org/stable/c/db4a9f99b12a7ee1c19d86c83a3b752c7effa6c6\nhttps://git.kernel.org/stable/c/6a8d70e2ad6aad2c345a5048edcb8168036f97d6\nhttps://git.kernel.org/stable/c/e7fcf179b82d3a3730fd8615da01b087cc654d0b",
    "id": "CVE-2026-31403",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5\nLinux Linux 96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5\nLinux Linux 96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5\nLinux Linux 96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5\nLinux Linux 96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5\nLinux Linux 96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5\nLinux Linux 96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5\nLinux Linux 3.9",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd_CVE-2026-31403

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply