CVE-2026-31403

NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd The /proc/fs/nfs/exports proc entry is created at module init
and persists for the module's lifetime. exports_proc_open()
captures the caller's current network namespace and stores
its svc_export_cache in seq->private, but takes no reference
on the namespace. If the namespace is subsequently torn down
(e.g. container destruction after the opener does setns() to a
different namespace), nfsd_net_exit() calls nfsd_export_shutdown()
which frees the cache. Subsequent reads on the still-open fd
dereference the freed cache_detail, walking a freed hash table. Hold a reference on the struct net for the lifetime of the open
file descriptor. This prevents nfsd_net_exit() from running --
and thus prevents nfsd_export_shutdown() from freeing the cache
-- while any exports fd is open. cache_detail already stores
its net pointer (cd->net, set by cache_create_net()), so
exports_release() can retrieve it without additional per-file
storage.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2026-03-09 CVE Reserved
2026-04-03 CVE Published
2026-04-09 EPSS Updated
2026-04-13 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (7)

URL	Tag	Source
https://git.kernel.org/stable/c/96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/c7f406fb341d6747634b8b1fa5461656e5e56076	2026-03-25
https://git.kernel.org/stable/c/d1a19217995df9c7e4118f5a2820c5032fef2945	2026-03-25
https://git.kernel.org/stable/c/e3d77f935639e6ae4b381c80464c31df998d61f4	2026-03-25
https://git.kernel.org/stable/c/db4a9f99b12a7ee1c19d86c83a3b752c7effa6c6	2026-03-25
https://git.kernel.org/stable/c/6a8d70e2ad6aad2c345a5048edcb8168036f97d6	2026-03-25
https://git.kernel.org/stable/c/e7fcf179b82d3a3730fd8615da01b087cc654d0b	2026-03-14

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.9 < 6.1.167 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 6.1.167"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.9 < 6.6.130 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 6.6.130"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.9 < 6.12.78 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 6.12.78"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.9 < 6.18.20 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 6.18.20"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.9 < 6.19.10 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 6.19.10"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.9 < 7.0 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 7.0"		en		Affected