CVE-2026-31403
Description
In the Linux kernel, the following vulnerability has been resolved:
NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd
The /proc/fs/nfs/exports proc entry is created at module init and persists for the module's lifetime. exports_proc_open() captures the caller's current network namespace and stores its svc_export_cache in seq->private, but takes no reference on the namespace. If the namespace is subsequently torn down (e.g. container destruction after the opener does setns() to a different namespace), nfsd_net_exit() calls nfsd_export_shutdown() which frees the cache. Subsequent reads on the still-open fd dereference the freed cache_detail, walking a freed hash table.
Hold a reference on the struct net for the lifetime of the open file descriptor. This prevents nfsd_net_exit() from running -- and thus prevents nfsd_export_shutdown() from freeing the cache -- while any exports fd is open. cache_detail already stores its net pointer (cd->net, set by cache_create_net()), so exports_release() can retrieve it without additional per-file storage.
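The lifetime rule described above, as an added userspace model in C (not the kernel patch and not code from the kernel tree). `net_model`, `cache_model`, `net_put` and the other names are hypothetical stand-ins for struct net, cache_detail and the proc open/release handlers. The fd takes a reference at open and drops it at release through the cache's back-pointer, so teardown cannot run while the fd is open.

```c
#include <stdlib.h>
/* Userspace model with constructed names; it is not kernel code. */
struct net_model;
struct cache_model { struct net_model *net; int entries; };
struct net_model { int refcount; struct cache_model *export_cache; };
static int teardowns;   /* number of completed namespace teardowns */

static struct net_model *net_create(void)
{
    struct net_model *net = calloc(1, sizeof(*net));
    struct cache_model *cd = calloc(1, sizeof(*cd));
    if (!net || !cd) abort();
    net->refcount = 1;          /* reference held by the namespace owner */
    cd->net = net;              /* models cd->net set by cache_create_net() */
    cd->entries = 3;            /* constructed sample export count */
    net->export_cache = cd;
    return net;
}

/* Drop a reference; teardown (the nfsd_net_exit() -> nfsd_export_shutdown()
 * step on the page) runs only once the last holder is gone. */
static void net_put(struct net_model *net)
{
    if (--net->refcount > 0)
        return;
    free(net->export_cache);
    free(net);
    teardowns++;
}

/* Fixed open: pin the namespace before the fd keeps a pointer to its cache. */
static struct cache_model *exports_open(struct net_model *net)
{
    net->refcount++;
    return net->export_cache;   /* what seq->private holds */
}
static int exports_read(struct cache_model *cd) { return cd->entries; }
/* Release finds the namespace through the cache, no per-file storage. */
static void exports_release(struct cache_model *cd) { net_put(cd->net); }

int main(void)
{
    struct net_model *net = net_create();
    struct cache_model *cd = exports_open(net);
    net_put(net);               /* owner exits while the fd is still open */
    int seen = exports_read(cd);
    exports_release(cd);        /* last reference: teardown runs here */
    return (seen == 3 && teardowns == 1) ? 0 : 1;
}
```

Without the increment in `exports_open`, the `net_put(net)` call in `main` would free the cache and the following read would touch freed memory, which is the condition the description reports.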
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
NFSD in the Linux kernel fails to hold a network namespace reference for open /proc/fs/nfs/exports file descriptors, leading to a use-after-free when the namespace is torn down.
Vulnerability Overview
CVE-2026-31403 describes a use-after-free vulnerability in the Linux kernel's NFS server (NFSD). The /proc/fs/nfs/exports proc entry is created at module init and persists for the module's lifetime. When exports_proc_open() is called, it captures the caller's current network namespace and stores a pointer to its svc_export_cache in the seq_file's private data, but it does not take a reference on the namespace. This means that if the namespace is subsequently torn down (for example, when a container is destroyed after the opener calls setns() to a different namespace), nfsd_net_exit() will call nfsd_export_shutdown(), which frees the cache. Any subsequent read on the still-open file descriptor will then dereference the freed cache_detail, walking a freed hash table [1][2].
Exploitation Scenario
The attack surface is local; an attacker must have the ability to open /proc/fs/nfs/exports and then trigger namespace teardown while keeping the file descriptor open. This is plausible in container environments where a process inside a container opens the file, switches namespaces, and then the container is destroyed. The attacker does not need any special privileges beyond being able to read the proc file and influence namespace lifecycle [3][4].
Impact
Successful exploitation leads to a use-after-free condition. This can result in a kernel crash (denial of service) or potentially arbitrary code execution, depending on the state of the freed memory. The CVSS v3 score of 7.8 (High) reflects the possibility of local privilege escalation or system compromise [1][2].
Mitigation
The fix, committed in the Linux kernel stable tree (commits db4a9f99b12a, c7f406fb341d, d1a19217995, e3d77f93563), holds a reference on the struct net for the lifetime of the open file descriptor. This prevents nfsd_net_exit() from running while any exports fd is open, thus preventing the cache from being freed prematurely. Users should apply the latest kernel updates to resolve this vulnerability [1][2][3][4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (no patches discovered yet)
References (7)
- git.kernel.org/stable/c/6a8d70e2ad6aad2c345a5048edcb8168036f97d6 (nvd, Patch)
- git.kernel.org/stable/c/76740c28050dc6db2f5550f1325b00a11bbb3255 (nvd, Patch)
- git.kernel.org/stable/c/c7f406fb341d6747634b8b1fa5461656e5e56076 (nvd, Patch)
- git.kernel.org/stable/c/d1a19217995df9c7e4118f5a2820c5032fef2945 (nvd, Patch)
- git.kernel.org/stable/c/db4a9f99b12a7ee1c19d86c83a3b752c7effa6c6 (nvd, Patch)
- git.kernel.org/stable/c/e3d77f935639e6ae4b381c80464c31df998d61f4 (nvd, Patch)
- git.kernel.org/stable/c/e7fcf179b82d3a3730fd8615da01b087cc654d0b (nvd, Patch)