CVE-2026-31400 Overview
A memory leak vulnerability has been identified in the Linux kernel's sunrpc subsystem, specifically in the cache_release() function. When a reader's file descriptor is closed while in the middle of reading a cache_request (when rp->offset != 0), the cache_release() function decrements the request's readers count but fails to check whether it should free the request, leading to a resource leak.
Critical Impact
This memory leak vulnerability in the Linux kernel's sunrpc subsystem can lead to resource exhaustion over time, potentially causing system instability or denial of service conditions on systems utilizing NFS or other RPC-based services.
Affected Products
- Linux Kernel (sunrpc subsystem)
- Systems utilizing NFS (Network File System)
- Systems with RPC-based cache operations
Discovery Timeline
- 2026-04-03 - CVE-2026-31400 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-31400
Vulnerability Analysis
The vulnerability exists in the cache_release() function within the Linux kernel's sunrpc cache subsystem. The function is responsible for handling cleanup when a file descriptor associated with a cache request is closed. However, it contains a logic flaw that results in memory not being properly freed under specific conditions.
In the normal code path within cache_read(), when the readers count drops to 0 and the CACHE_PENDING flag is clear, the cache_request is properly removed from the queue and freed along with its buffer and cache_head reference. The cache_release() function, which handles file descriptor closure, lacks this essential cleanup logic.
Root Cause
The root cause is an incomplete cleanup path in cache_release(). The function properly decrements the readers count when a file descriptor is closed mid-read, but it fails to check whether the request should be freed when readers reaches 0. This creates a race condition scenario where:
- A reader begins reading a cache request (rp->offset != 0)
- The CACHE_PENDING flag transitions from set to clear while readers is still non-zero
- The file descriptor is closed, and cache_release() decrements readers to 0
- No cleanup occurs because cache_dequeue() only runs during the CACHE_PENDING transition
- The cache_request structure and its associated memory remain allocated but unreachable
Attack Vector
The vulnerability can be triggered through normal system operations involving NFS or RPC-based services where cache operations are interrupted. While exploitation requires specific timing conditions, sustained triggering could lead to memory exhaustion. The attack vector involves:
- Local access to systems running NFS/RPC services
- Ability to create and close file descriptors associated with cache operations
- Repeated interruption of cache read operations to trigger the memory leak
The fix adds the same cleanup logic from cache_read() to cache_release(): after decrementing readers, the function now checks if it reached 0 with CACHE_PENDING clear, and if so, dequeues and frees the cache_request.
Detection Methods for CVE-2026-31400
Indicators of Compromise
- Gradual increase in kernel memory usage over time on systems running NFS services
- Memory allocation failures in the sunrpc subsystem logged in kernel messages
- System instability or performance degradation correlated with RPC/NFS activity
- Slab allocator statistics showing abnormal growth in sunrpc-related caches
Detection Strategies
- Monitor /proc/meminfo and /proc/slabinfo for unusual memory growth patterns in kernel caches
- Implement alerting on kernel memory exhaustion events related to sunrpc operations
- Use kernel debugging tools like kmemleak to detect unreferenced memory allocations
- Review system logs for OOM (Out of Memory) killer events on NFS server systems
Monitoring Recommendations
- Establish baseline memory usage metrics for systems running NFS services
- Deploy continuous monitoring of kernel memory subsystem statistics
- Configure alerts for memory growth trends that deviate from established baselines
- Implement regular system reboots as a temporary mitigation for affected production systems
How to Mitigate CVE-2026-31400
Immediate Actions Required
- Review current Linux kernel version and identify if the sunrpc subsystem is in use
- Plan kernel update maintenance windows for affected systems
- Monitor affected systems for signs of memory exhaustion
- Consider limiting exposure of NFS services to trusted networks
Patch Information
Multiple patches have been released to address this vulnerability across different kernel versions. The fix adds the same cleanup logic from cache_read() to cache_release() to ensure proper memory deallocation when readers drops to 0 with CACHE_PENDING clear.
Available patches:
- Kernel Patch Commit 17ad31b
- Kernel Patch Commit 301670d
- Kernel Patch Commit 373457d
- Kernel Patch Commit 41f6ba6
- Kernel Patch Commit 7bcd5e3
- Kernel Patch Commit be5c359
Workarounds
- Schedule periodic system reboots to reclaim leaked memory on production systems where immediate patching is not possible
- Reduce NFS/RPC service exposure by limiting access to trusted clients and networks
- Monitor memory usage and implement automated alerts to trigger maintenance actions before resource exhaustion
- Consider disabling unused RPC-based services if they are not required for system operation
# Check current kernel version and sunrpc module status
uname -r
lsmod | grep sunrpc
# Monitor sunrpc cache memory usage
cat /proc/slabinfo | grep -i sunrpc
# Check for memory pressure indicators
dmesg | grep -i "out of memory\|oom\|sunrpc"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
