{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31403", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.086Z", "datePublished": "2026-04-03T15:16:06.444Z", "dateUpdated": "2026-05-11T22:08:01.908Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:08:01.908Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd\n\nThe /proc/fs/nfs/exports proc entry is created at module init\nand persists for the module's lifetime. exports_proc_open()\ncaptures the caller's current network namespace and stores\nits svc_export_cache in seq->private, but takes no reference\non the namespace. If the namespace is subsequently torn down\n(e.g. container destruction after the opener does setns() to a\ndifferent namespace), nfsd_net_exit() calls nfsd_export_shutdown()\nwhich frees the cache. Subsequent reads on the still-open fd\ndereference the freed cache_detail, walking a freed hash table.\n\nHold a reference on the struct net for the lifetime of the open\nfile descriptor. This prevents nfsd_net_exit() from running --\nand thus prevents nfsd_export_shutdown() from freeing the cache\n-- while any exports fd is open. cache_detail already stores\nits net pointer (cd->net, set by cache_create_net()), so\nexports_release() can retrieve it without additional per-file\nstorage."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/nfsd/nfsctl.c"], "versions": [{"version": "96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5", "lessThan": "76740c28050dc6db2f5550f1325b00a11bbb3255", "status": "affected", "versionType": "git"}, {"version": "96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5", "lessThan": "c7f406fb341d6747634b8b1fa5461656e5e56076", "status": "affected", "versionType": "git"}, {"version": "96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5", "lessThan": "d1a19217995df9c7e4118f5a2820c5032fef2945", "status": "affected", "versionType": "git"}, {"version": "96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5", "lessThan": "e3d77f935639e6ae4b381c80464c31df998d61f4", "status": "affected", "versionType": "git"}, {"version": "96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5", "lessThan": "db4a9f99b12a7ee1c19d86c83a3b752c7effa6c6", "status": "affected", "versionType": "git"}, {"version": "96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5", "lessThan": "6a8d70e2ad6aad2c345a5048edcb8168036f97d6", "status": "affected", "versionType": "git"}, {"version": "96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5", "lessThan": "e7fcf179b82d3a3730fd8615da01b087cc654d0b", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/nfsd/nfsctl.c"], "versions": [{"version": "3.9", "status": "affected"}, {"version": "0", "lessThan": "3.9", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.9", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.9", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.9", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.9", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.9", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.9", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.9", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/76740c28050dc6db2f5550f1325b00a11bbb3255"}, {"url": "https://git.kernel.org/stable/c/c7f406fb341d6747634b8b1fa5461656e5e56076"}, {"url": "https://git.kernel.org/stable/c/d1a19217995df9c7e4118f5a2820c5032fef2945"}, {"url": "https://git.kernel.org/stable/c/e3d77f935639e6ae4b381c80464c31df998d61f4"}, {"url": "https://git.kernel.org/stable/c/db4a9f99b12a7ee1c19d86c83a3b752c7effa6c6"}, {"url": "https://git.kernel.org/stable/c/6a8d70e2ad6aad2c345a5048edcb8168036f97d6"}, {"url": "https://git.kernel.org/stable/c/e7fcf179b82d3a3730fd8615da01b087cc654d0b"}], "title": "NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd\n\nThe /proc/fs/nfs/exports proc entry is created at module init\nand persists for the module's lifetime. exports_proc_open()\ncaptures the caller's current network namespace and stores\nits svc_export_cache in seq->private, but takes no reference\non the namespace. If the namespace is subsequently torn down\n(e.g. container destruction after the opener does setns() to a\ndifferent namespace), nfsd_net_exit() calls nfsd_export_shutdown()\nwhich frees the cache. Subsequent reads on the still-open fd\ndereference the freed cache_detail, walking a freed hash table.\n\nHold a reference on the struct net for the lifetime of the open\nfile descriptor. This prevents nfsd_net_exit() from running --\nand thus prevents nfsd_export_shutdown() from freeing the cache\n-- while any exports fd is open. cache_detail already stores\nits net pointer (cd->net, set by cache_create_net()), so\nexports_release() can retrieve it without additional per-file\nstorage."}], "id": "CVE-2026-31403", "lastModified": "2026-04-27T14:16:36.280", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-04-03T16:16:39.467", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6a8d70e2ad6aad2c345a5048edcb8168036f97d6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/76740c28050dc6db2f5550f1325b00a11bbb3255"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c7f406fb341d6747634b8b1fa5461656e5e56076"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d1a19217995df9c7e4118f5a2820c5032fef2945"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/db4a9f99b12a7ee1c19d86c83a3b752c7effa6c6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e3d77f935639e6ae4b381c80464c31df998d61f4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e7fcf179b82d3a3730fd8615da01b087cc654d0b"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd", "id": "2454874", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454874"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-825", "details": ["A flaw was found in the Linux kernel's Network File System Daemon (NFSD) component. A local user can exploit this vulnerability by opening the `/proc/fs/nfs/exports` file and then causing the associated network namespace to be destroyed. Subsequent attempts to read from the still-open file descriptor will lead to dereferencing freed memory, which can result in a system crash or a Denial of Service (DoS)."], "name": "CVE-2026-31403", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31403\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31403\nhttps://lore.kernel.org/linux-cve-announce/2026040328-CVE-2026-31403-5446@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5,c7f406fb341d6747634b8b1fa5461656e5e56076)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5,d1a19217995df9c7e4118f5a2820c5032fef2945)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5,e3d77f935639e6ae4b381c80464c31df998d61f4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5,db4a9f99b12a7ee1c19d86c83a3b752c7effa6c6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5,6a8d70e2ad6aad2c345a5048edcb8168036f97d6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5,e7fcf179b82d3a3730fd8615da01b087cc654d0b)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.9"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,3.9)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.167,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.78,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.20,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.10,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc5,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T16:35:11.001376+00:00", "value": {"mitigation_remediation": ["Apply the latest kernel update that contains the NFSD patch to hold a reference on the network namespace for the lifetime of the exports file descriptor.", "Ensure that any processes that open /proc/fs/nfs/exports do not perform a namespace teardown (e.g., avoid setns() to a new namespace) while the file descriptor remains open, reducing the chance of the cache being freed prematurely.", "Change the permissions or ownership of the /proc/fs/nfs/exports file to restrict read access to privileged users, limiting the ability of an attacker to trigger the use\u2011after\u2011free when the namespace is torn down."], "summary": {"action": "Patch immediately", "impact": "Use\u2011After\u2011Free leading to possible crash"}, "threat_synthesis": {"affected_systems": "All Linux systems that compile and load the NFSD module are affected. The vulnerability is present in any kernel that keeps the /proc/fs/nfs/exports entry active for the lifetime of the module, irrespective of the kernel release, so users should verify whether their running kernel contains this module and the vulnerable code path.", "description_and_impact": "The NFS daemon creates a /proc/fs/nfs/exports entry that stores the current network namespace without taking a reference on it; when the namespace is torn down after the file descriptor is open, the export cache is freed. Subsequent reads on the open descriptor then dereference freed memory, which can crash the kernel or destabilize the system.", "risk_and_exploitability": "The CVSS score of 7.8 indicates high severity, but the EPSS score is below 1% and the vulnerability is not in the CISA KEV catalog, which lowers the likelihood of exploitation. If an attacker can open the /proc/fs/nfs/exports file and then alter or destroy the network namespace (a scenario that can occur in container or virtualized environments), the use\u2011after\u2011free could be triggered. The impact is primarily a denial of service, although the description does not explicitly state arbitrary code execution. Therefore the risk is moderate, largely dependent on the local access and namespace manipulation capabilities of the threat actor."}}}}, "created": "2026-04-03T21:15:23.662740+00:00", "updated": "2026-04-28T16:45:06.165068+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}