Skip to main content

Linux CVE-2026-31403

| EUVDEUVD-2026-18788 HIGH
2026-04-03 Linux GHSA-85m5-f4f3-q6f5
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 27, 2026 - 14:22 vuln.today
cvss_changed
CVSS changed
Apr 27, 2026 - 14:22 NVD
7.8 (HIGH)
Patch available
Apr 16, 2026 - 05:29 EUVD
6a8d70e2ad6aad2c345a5048edcb8168036f97d6
EUVD ID Assigned
Apr 03, 2026 - 15:30 euvd
EUVD-2026-18788
Analysis Generated
Apr 03, 2026 - 15:30 vuln.today
CVE Published
Apr 03, 2026 - 15:16 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd

The /proc/fs/nfs/exports proc entry is created at module init and persists for the module's lifetime. exports_proc_open() captures the caller's current network namespace and stores its svc_export_cache in seq->private, but takes no reference on the namespace. If the namespace is subsequently torn down (e.g. container destruction after the opener does setns() to a different namespace), nfsd_net_exit() calls nfsd_export_shutdown() which frees the cache. Subsequent reads on the still-open fd dereference the freed cache_detail, walking a freed hash table.

Hold a reference on the struct net for the lifetime of the open file descriptor. This prevents nfsd_net_exit() from running -- and thus prevents nfsd_export_shutdown() from freeing the cache -- while any exports fd is open. cache_detail already stores its net pointer (cd->net, set by cache_create_net()), so exports_release() can retrieve it without additional per-file storage.

AnalysisAI

Use-after-free in Linux kernel NFSD /proc/fs/nfs/exports proc entry allows information disclosure when a network namespace is destroyed while an exports file descriptor remains open. The vulnerability occurs because exports_proc_open() captures a network namespace reference without holding a refcount, enabling nfsd_net_exit() to free the export cache while the fd is still active, leading to subsequent reads dereferencing freed memory. The fix holds a struct net reference for the lifetime of the

Technical ContextAI

The Linux kernel NFSD (NFS Server Daemon) module maintains an /proc/fs/nfs/exports proc entry that persists for the module's lifetime. This entry uses a seq_file interface (exports_proc_open) to expose NFS export cache information to userspace. The vulnerability is rooted in improper lifetime management of network namespace (struct net) references within the cache_detail structure. When a process opens /proc/fs/nfs/exports after executing setns() to change its network namespace, the proc handler stores the namespace's svc_export_cache in the seq_file private data but does not increment the namespace's reference counter. Subsequently, if the namespace is destroyed (e.g., during container teardown), nfsd_net_exit() is invoked, which calls nfsd_export_shutdown() to free the cache_detail. Any subsequent read on the still-open file descriptor then dereferences this freed memory, accessing an invalid hash table. The root cause is a use-after-free (CWE-416 adjacent, though more specifically a reference counting issue) stemming from the mismatch between the proc entry's lifetime (module-wide) and the namespace's lifetime (application-specific). The fix leverages the fact that cache_detail already maintains a struct net pointer (cd->net, set during cache_create_net()), allowing exports_release() to acquire and hold a reference on that namespace without per-file storage overhead.

RemediationAI

Apply the upstream fix by updating to a patched Linux kernel version that includes one or more of the referenced commits (c7f406fb341d6747634b8b1fa5461656e5e56076 and related). Check your distribution's kernel security advisories and stable kernel releases (https://git.kernel.org/stable/) to identify the earliest patched kernel version for your series (e.g., 5.10.x, 5.15.x, 6.1.x). For distributions with backported patches, install the security-updated kernel package via your package manager (apt, yum, zypper, etc.). No workaround is available short of disabling NFSD or blocking access to /proc/fs/nfs/exports; however, the most practical interim mitigation is to restrict setns() usage to trusted processes and avoid opening /proc/fs/nfs/exports in untrusted namespace contexts until patching is completed. Verify patch application by confirming the kernel version matches or exceeds the stable releases containing these commits.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31403 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy