Skip to main content

Linux CVE-2026-31404

| EUVDEUVD-2026-18790 HIGH
NULL Pointer Dereference (CWE-476)
2026-04-03 Linux
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 27, 2026 - 14:22 vuln.today
cvss_changed
CVSS changed
Apr 27, 2026 - 14:22 NVD
7.8 (HIGH)
Patch available
Apr 16, 2026 - 05:29 EUVD
48db892356d6cb80f6942885545de4a6dd8d2a29,2829e80d29b627886d12b5ea40856d56b516e67d
EUVD ID Assigned
Apr 03, 2026 - 15:30 euvd
EUVD-2026-18790
Analysis Generated
Apr 03, 2026 - 15:30 vuln.today
CVE Published
Apr 03, 2026 - 15:16 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

NFSD: Defer sub-object cleanup in export put callbacks

svc_export_put() calls path_put() and auth_domain_put() immediately when the last reference drops, before the RCU grace period. RCU readers in e_show() and c_show() access both ex_path (via seq_path/d_path) and ex_client->name (via seq_escape) without holding a reference. If cache_clean removes the entry and drops the last reference concurrently, the sub-objects are freed while still in use, producing a NULL pointer dereference in d_path.

Commit 2530766492ec ("nfsd: fix UAF when access ex_uuid or ex_stats") moved kfree of ex_uuid and ex_stats into the call_rcu callback, but left path_put() and auth_domain_put() running before the grace period because both may sleep and call_rcu callbacks execute in softirq context.

Replace call_rcu/kfree_rcu with queue_rcu_work(), which defers the callback until after the RCU grace period and executes it in process context where sleeping is permitted. This allows path_put() and auth_domain_put() to be moved into the deferred callback alongside the other resource releases. Apply the same fix to expkey_put(), which has the identical pattern with ek_path and ek_client.

A dedicated workqueue scopes the shutdown drain to only NFSD export release work items; flushing the shared system_unbound_wq would stall on unrelated work from other subsystems. nfsd_export_shutdown() uses rcu_barrier() followed by flush_workqueue() to ensure all deferred release callbacks complete before the export caches are destroyed.

Reviwed-by: Jeff Layton <jlayton@kernel.org>

AnalysisAI

NULL pointer dereference in Linux kernel NFSD export cache cleanup allows local denial of service when RCU readers in e_show() and c_show() concurrently access export path and client name objects while cache_clean removes entries and drops the last reference prematurely. The vulnerability stems from path_put() and auth_domain_put() executing before the RCU grace period completes, freeing sub-objects still in use by readers. A fix has been merged upstream that defers these cleanup operations to a dedicated workqueue after the RCU grace period, ensuring safe resource release in process context where sleeping is permitted.

Technical ContextAI

The Linux kernel NFSD (Network File System Daemon) subsystem maintains export caches using RCU (Read-Copy-Update) synchronization for lock-free reading. The vulnerability involves two cache structures: svc_export (containing ex_path and ex_client) and expkey (containing ek_path and ek_client). The root cause is a use-after-free (UAF) condition in the reference counting pattern where cleanup callbacks (svc_export_put and expkey_put) were using call_rcu/kfree_rcu to defer only string allocations (ex_uuid, ex_stats) but executing blocking operations (path_put, auth_domain_put) immediately upon reference drop. RCU readers in e_show() and c_show() access these objects via seq_path/d_path and seq_escape without holding references, assuming the RCU grace period protects against concurrent deallocation. The fix replaces call_rcu with queue_rcu_work, which defers all cleanup-including blocking path and auth_domain operations-to a dedicated workqueue, ensuring completion after the RCU grace period.

RemediationAI

Apply kernel patches from the upstream Linux repository: commits 2829e80d29b627886d12b5ea40856d56b516e67d, f5ab1bec5fa18731e0b1b1e60c9a68667ac73ea2, or 48db892356d6cb80f6942885545de4a6dd8d2a29, or update to a kernel version incorporating these fixes. Distributions should backport the patches or release updated kernels that include the RCU-aware queue_rcu_work deferred cleanup. Temporary mitigation for systems unable to patch immediately: disable NFSD if NFS export functionality is not required, or minimize export cache churn by avoiding frequent mount/unmount cycles. The fix requires kernel rebuild and reboot to take effect. Verify kernel version post-patch with 'uname -r' and confirm NFSD is functioning correctly before returning to production.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31404 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy