CVE-2026-31404

Vulnerability

Description

CVE-2026-31404 is a use-after-free vulnerability in the Linux kernel's NFS daemon (NFSD). The root cause lies in the svc_export_put() and expkey_put() callback functions, which release sub-objects (ex_path and ex_client->name via path_put() and auth_domain_put()) immediately when the last reference drops, before the RCU grace period completes. RCU readers in e_show() and c_show() access these same sub-objects without holding a separate reference, leading to a NULL pointer dereference in d_path when concurrent cache cleanup frees the objects while still in use [1].

Exploitation

An attacker would need to trigger a race condition between an RCU read-side critical section (e.g., via a proc filesystem read) and a concurrent cache entry removal that drops the last reference. This requires local access to the NFSD export tables, typically through the /proc/fs/nfsd/exports or /proc/net/rpc/nfsd.fh/channel interfaces. The vulnerability does not require authentication beyond standard file system permissions, and the attack surface is limited to systems where NFSD is actively managing exports [2].

Impact

Successful exploitation results in a kernel NULL pointer dereference, leading to a denial of service (system crash or hang). The CVSS v3 score of 7.8 (High) reflects the high availability impact. There is no evidence that this can be leveraged for privilege escalation or arbitrary code execution, as the bug only manifests as a memory access violation when the freed path or auth domain is accessed [3].

Mitigation

The fix replaces call_rcu/kfree_rcu with queue_rcu_work(), deferring all sub-object cleanup (including path_put() and auth_domain_put()) to a dedicated workqueue that runs in process context after the RCU grace period. Patches have been backported to stable kernel trees; all users should update to a kernel containing the fix. NFSD administrators may also consider restricting access to export-related proc files as a temporary workaround [1][3].