CVE-2026-31403

HIGH EPSS 2.4%
Published Apr 3, 20262mo ago · Modified Jun 17, 20261w ago
7.8 CVSS 3.1
High
Find Similar
Published Apr 3, 2026 2mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd The /proc/fs/nfs/exports proc entry is created at module init and persists for the module's lifetime. exports_proc_open() captures the caller's current network namespace and stores its svc_export_cache in seq->private, but takes no reference on the namespace. If the namespace is subsequently torn down (e.g. container destruction after the opener does setns() to a different namespace), nfsd_net_exit() calls nfsd_export_shutdown() which frees the cache. Subsequent reads on the still-open fd dereference the freed cache_detail, walking a freed hash table. Hold a reference on the struct net for the lifetime of the open file descriptor. This prevents nfsd_net_exit() from running -- and thus prevents nfsd_export_shutdown() from freeing the cache -- while any exports fd is open. cache_detail already stores its net pointer (cd->net, set by cache_create_net()), so exports_release() can retrieve it without additional per-file storage.

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
2.4% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Affected Products 10

VendorProductVersionRange
linuxlinux_kernel*≥3.9  –  <5.10.253
linuxlinux_kernel*≥5.11  –  <6.1.167
linuxlinux_kernel*≥6.2  –  <6.6.130
linuxlinux_kernel*≥6.7  –  <6.12.78
linuxlinux_kernel*≥6.13  –  <6.18.20
linuxlinux_kernel*≥6.19  –  <6.19.10
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any

References 7

  • git.kernel.org https://git.kernel.org/stable/c/6a8d70e2ad6aad2c345a5048edcb8168036f97d6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/76740c28050dc6db2f5550f1325b00a11bbb3255
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c7f406fb341d6747634b8b1fa5461656e5e56076
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d1a19217995df9c7e4118f5a2820c5032fef2945
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/db4a9f99b12a7ee1c19d86c83a3b752c7effa6c6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e3d77f935639e6ae4b381c80464c31df998d61f4
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e7fcf179b82d3a3730fd8615da01b087cc654d0b
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/6a8d70e2ad6aad2c345a5048edcb8168036f97d6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/76740c28050dc6db2f5550f1325b00a11bbb3255
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c7f406fb341d6747634b8b1fa5461656e5e56076
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d1a19217995df9c7e4118f5a2820c5032fef2945
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/db4a9f99b12a7ee1c19d86c83a3b752c7effa6c6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e3d77f935639e6ae4b381c80464c31df998d61f4
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e7fcf179b82d3a3730fd8615da01b087cc654d0b
    Patch