CVE-2026-31404 Overview
CVE-2026-31404 is a use-after-free vulnerability in the Linux kernel's NFS server (NFSD) subsystem. The flaw exists in the export cache cleanup path, specifically in svc_export_put() and expkey_put(). These callbacks release sub-objects such as ex_path and ex_client immediately when the last reference drops, before the RCU grace period completes. Concurrent RCU readers in e_show() and c_show() can then dereference freed memory through seq_path, d_path, and seq_escape, producing a NULL pointer dereference in d_path. The vulnerability affects Linux systems running the in-kernel NFS server.
Critical Impact
A local attacker triggering concurrent NFSD export cache operations can cause a kernel NULL pointer dereference, leading to denial of service or potential memory corruption.
Affected Products
- Linux kernel NFSD subsystem (in-kernel NFS server)
- Distributions shipping affected kernel revisions prior to the fix commits
- Systems exporting filesystems via NFS using kernel NFSD
Discovery Timeline
- 2026-04-03 - CVE-2026-31404 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-31404
Vulnerability Analysis
The NFSD export cache stores svc_export and svc_expkey entries protected by RCU. Readers walking the cache through /proc/net/rpc/nfsd.export/content and nfsd.fh/content access fields such as ex_path and ex_client->name without acquiring a reference. The original svc_export_put() implementation called path_put() and auth_domain_put() synchronously when the last reference dropped.
When cache_clean removes an entry and drops the final reference concurrently with a reader, the underlying path and auth_domain structures are freed while still in use by the reader. The reader subsequently dereferences freed memory inside d_path, triggering a NULL pointer dereference [CWE-416].
A prior fix in commit 2530766492ec moved kfree of ex_uuid and ex_stats into a call_rcu callback. However, path_put() and auth_domain_put() can sleep, and call_rcu callbacks execute in softirq context where sleeping is forbidden. These releases therefore remained outside the grace period.
Root Cause
The root cause is incorrect lifetime management of sub-objects in RCU-protected cache entries. Resources requiring sleepable cleanup were released before the RCU grace period expired, violating the read-side guarantee that pointers remain valid for the duration of the RCU critical section.
Attack Vector
A local user with the ability to read NFSD export procfs entries while exports are being modified can race the reader against cache_clean. The vector is local with low privileges and no user interaction. Successful exploitation produces a kernel-level fault impacting confidentiality, integrity, and availability of the host.
No public proof-of-concept code has been published. Refer to the upstream kernel commits 2829e80, 48db892, and f5ab1be for technical context.
Detection Methods for CVE-2026-31404
Indicators of Compromise
- Kernel oops or panic messages referencing d_path, svc_export_put, or expkey_put in dmesg or /var/log/kern.log.
- NULL pointer dereference stack traces involving e_show, c_show, seq_path, or seq_escape.
- Unexpected NFSD service restarts or hung tasks on systems under export cache churn.
Detection Strategies
- Monitor kernel logs for crash signatures correlated with reads of /proc/net/rpc/nfsd.export/content or nfsd.fh/content.
- Track kernel version inventory across NFS server hosts to identify unpatched systems.
- Alert on local users invoking export cache operations concurrently with cache flushes via exportfs -f.
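As an added illustration of the first detection strategy above (not part of the advisory or of any vendor tooling), the following C program applies the indicators listed under Indicators of Compromise to a buffer of constructed kern.log lines: a kernel fault record that is followed, within a few lines of stack trace, by one of the NFSD export cache symbols (d_path, svc_export_put, expkey_put, e_show, c_show, seq_path, seq_escape) counts as one hit, while faults elsewhere in the kernel are ignored. The log lines, host name and window size are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Symbols named in the advisory's indicators of compromise. */
static const char *const NFSD_SYMBOLS[] = {
    "d_path", "svc_export_put", "expkey_put",
    "e_show", "c_show", "seq_path", "seq_escape",
};
#define NSYMS (sizeof NFSD_SYMBOLS / sizeof NFSD_SYMBOLS[0])

static int is_ident_char(char c) { return isalnum((unsigned char)c) || c == '_'; }

/* Whole-identifier match, so "my_d_path_helper" does not count as "d_path". */
static int has_symbol(const char *line, const char *sym) {
    size_t len = strlen(sym);
    for (const char *p = strstr(line, sym); p; p = strstr(p + 1, sym)) {
        int left_ok = (p == line) || !is_ident_char(p[-1]);
        int right_ok = !is_ident_char(p[len]);
        if (left_ok && right_ok)
            return 1;
    }
    return 0;
}

/* 1 if the line references any NFSD export cache symbol from the IoC list. */
static int mentions_nfsd_symbol(const char *line) {
    for (size_t i = 0; i < NSYMS; i++)
        if (has_symbol(line, NFSD_SYMBOLS[i]))
            return 1;
    return 0;
}

/* 1 if the line is the head of a kernel fault record. */
static int is_fault_line(const char *line) {
    return strstr(line, "NULL pointer dereference") != NULL ||
           strstr(line, "Oops") != NULL ||
           strstr(line, "kernel BUG") != NULL;
}

/* Count fault records whose following `window` lines (the stack trace) mention
 * an NFSD export cache symbol. A fault with no such symbol nearby is not counted. */
static int count_nfsd_export_crashes(const char *const *lines, int n, int window) {
    int hits = 0;
    for (int i = 0; i < n; i++) {
        if (!is_fault_line(lines[i]))
            continue;
        int end = (i + window < n) ? i + window : n - 1;
        for (int j = i; j <= end; j++) {
            if (mentions_nfsd_symbol(lines[j])) {
                hits++;
                i = end;        /* do not re-count trace lines of this record */
                break;
            }
        }
    }
    return hits;
}

/* Constructed sample: one NFSD export cache crash, one unrelated ext4 crash. */
static const char *const SAMPLE_LOG[] = {
    "Apr 10 11:02:13 nfs1 kernel: nfsd: last server has exited, flushing export cache",
    "Apr 10 11:02:14 nfs1 kernel: BUG: kernel NULL pointer dereference, address: 0000000000000000",
    "Apr 10 11:02:14 nfs1 kernel: RIP: 0010:d_path+0x2c/0x120",
    "Apr 10 11:02:14 nfs1 kernel: Call Trace:",
    "Apr 10 11:02:14 nfs1 kernel:  seq_path+0x4a/0x90",
    "Apr 10 11:02:14 nfs1 kernel:  e_show+0xd3/0x1f0 [nfsd]",
    "Apr 10 11:02:14 nfs1 kernel:  seq_read_iter+0x11f/0x4c0",
    "Apr 10 12:30:00 nfs1 kernel: usb 1-1: new high-speed USB device number 4",
    "Apr 10 13:00:00 nfs1 kernel: BUG: kernel NULL pointer dereference, address: 0000000000000008",
    "Apr 10 13:00:00 nfs1 kernel: RIP: 0010:ext4_find_entry+0x55/0x300",
};
#define SAMPLE_LOG_LEN ((int)(sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0]))

/* Hits over the constructed sample with a 6-line trace window. */
static int sample_log_crash_count(void) {
    return count_nfsd_export_crashes(SAMPLE_LOG, SAMPLE_LOG_LEN, 6);
}

int main(void) {
    printf("NFSD export cache crash records in sample: %d\n", sample_log_crash_count());
    return 0;
}
```

The window should be wide enough to cover the "Call Trace:" block of a real oops, which is usually longer than the sample; on a production pipeline the same rule can be expressed as a multi-line correlation in the log collector rather than a scanner over a flat array.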
Monitoring Recommendations
- Forward kernel ring buffer events to a centralized logging pipeline for cross-host correlation.
- Watch for repeated NFSD soft lockups or RCU stall warnings that may precede or follow exploitation attempts.
- Audit local account activity on NFS servers, including reads of NFSD procfs entries by non-administrative users.
How to Mitigate CVE-2026-31404
Immediate Actions Required
- Apply the upstream kernel patches referenced in commits 2829e80, 48db892, and f5ab1be or upgrade to a distribution kernel that includes them.
- Restrict local shell access on NFS servers to trusted administrators until patches are deployed.
- Limit read access to NFSD procfs entries where operationally feasible.
Patch Information
The fix replaces call_rcu/kfree_rcu with queue_rcu_work(), deferring cleanup until after the RCU grace period and running it in process context where sleeping is permitted. path_put() and auth_domain_put() are moved into the deferred callback alongside the other resource releases. A dedicated workqueue scopes the shutdown drain to NFSD export release work items. nfsd_export_shutdown() calls rcu_barrier() followed by flush_workqueue() to ensure deferred callbacks complete before cache destruction. See the upstream commits for the canonical patches.
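To make the lifetime problem described under Vulnerability Analysis and Root Cause, and the deferral described in the paragraph above, concrete, here is an added userspace model in C. It is not kernel code and not taken from the upstream commits: an integer reader counter stands in for rcu_read_lock()/rcu_read_unlock(), a small work list stands in for queue_rcu_work() plus the dedicated workqueue, and "release" marks a sub-object dead instead of freeing it so that the reader's check stays defined behaviour. The struct and function names (export_entry, export_put_vulnerable, export_put_fixed, run_deferred_releases) are hypothetical stand-ins for svc_export, svc_export_put() and the deferred release path.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sub-object referenced by an export entry (stand-in for ex_path / ex_client).
 * Release marks it dead rather than freeing it, so the reader's check below is
 * defined behaviour; in the kernel this is the freed path / auth_domain. */
struct subobj { int alive; char name[32]; };

/* Stand-in for svc_export: a reference count plus two sub-object pointers. */
struct export_entry {
    int refs;
    struct subobj *path;    /* ex_path */
    struct subobj *client;  /* ex_client */
};

static int active_readers;                 /* readers inside rcu_read_lock() */
static struct export_entry *work_queue[8]; /* queued release work (queue_rcu_work stand-in) */
static int work_count;

static struct subobj *subobj_new(const char *name) {
    struct subobj *s = calloc(1, sizeof *s);
    s->alive = 1;
    snprintf(s->name, sizeof s->name, "%s", name);
    return s;
}

/* Stand-in for path_put() / auth_domain_put(): may sleep in the kernel. */
static void subobj_release(struct subobj *s) { s->alive = 0; }

static struct export_entry *entry_new(void) {
    struct export_entry *e = calloc(1, sizeof *e);
    e->refs = 1;                                  /* cache holds the only reference */
    e->path = subobj_new("/srv/export");          /* constructed sample values */
    e->client = subobj_new("*.example.test");
    return e;
}

static void entry_destroy(struct export_entry *e) { free(e->path); free(e->client); free(e); }

/* Original behaviour: sub-objects released synchronously on the last put,
 * with no regard for readers still inside their critical section. */
static void export_put_vulnerable(struct export_entry *e) {
    if (--e->refs == 0) {
        subobj_release(e->path);
        subobj_release(e->client);
    }
}

/* Fixed behaviour: the last put only queues the release. */
static void export_put_fixed(struct export_entry *e) {
    if (--e->refs == 0)
        work_queue[work_count++] = e;
}

/* Grace period + workqueue stand-in: refuses to run while any reader is inside
 * a critical section. When it does run it is in a context that may sleep, so the
 * sleepable releases are legal here. Returns the number of entries released.
 * Calling it once more after all readers are gone plays the role of the
 * rcu_barrier() + flush_workqueue() drain at shutdown. */
static int run_deferred_releases(void) {
    if (active_readers > 0)
        return 0;
    int n = work_count;
    for (int i = 0; i < work_count; i++) {
        subobj_release(work_queue[i]->path);
        subobj_release(work_queue[i]->client);
    }
    work_count = 0;
    return n;
}

/* Reader (e_show stand-in) racing with cache_clean dropping the last reference.
 * Returns 1 if the reader's dereference would land on a released object. */
static int reader_sees_freed(struct export_entry *e, void (*put)(struct export_entry *)) {
    active_readers++;              /* rcu_read_lock() */
    put(e);                        /* concurrently, cache_clean drops the final reference */
    run_deferred_releases();       /* a grace period cannot end while we are inside */
    int freed = !e->path->alive || !e->client->alive;   /* d_path(ex_path), ex_client->name */
    active_readers--;              /* rcu_read_unlock() */
    return freed;
}

/* Returns 1: the synchronous put lets the reader observe released sub-objects. */
static int race_with_vulnerable_put(void) {
    struct export_entry *e = entry_new();
    int freed = reader_sees_freed(e, export_put_vulnerable);
    entry_destroy(e);
    return freed;
}

/* Returns 1 when the reader never saw a released object and the deferred
 * release ran exactly once after the reader left; -1 if a use-after-free was
 * observed; 0 if the release never happened (a leak). */
static int race_with_fixed_put(void) {
    struct export_entry *e = entry_new();
    int freed = reader_sees_freed(e, export_put_fixed);
    int released = run_deferred_releases();   /* reader gone: grace period over */
    int fully = (released == 1) && !e->path->alive && !e->client->alive;
    entry_destroy(e);
    if (freed)
        return -1;
    return fully ? 1 : 0;
}

int main(void) {
    printf("vulnerable put: reader saw released sub-object = %d\n", race_with_vulnerable_put());
    printf("fixed put: outcome = %d (1 = safe and fully released)\n", race_with_fixed_put());
    return 0;
}
```

The model deliberately keeps the reader single-threaded so the interleaving is fixed; the point it demonstrates is the ordering rule, not the race window. Note that deferring only kfree(), as the earlier commit did, would still leave path and client released inside the reader's critical section in this model, because those two releases would remain in export_put_vulnerable(); the fix is correct only when every sub-object release moves into the deferred path.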
Workarounds
- Disable the in-kernel NFS server on hosts that do not require it by stopping and masking the nfs-server service.
- Reduce export cache churn by avoiding frequent exportfs -f or exportfs -r invocations during periods of heavy NFSD activity.
- Tighten local access controls to prevent untrusted users from interacting with NFSD procfs interfaces.
# Configuration example: disable kernel NFSD where not required
sudo systemctl stop nfs-server
sudo systemctl mask nfs-server
# Verify the running kernel includes the fix (RPM-based distributions; distribution
# changelogs may cite the CVE id rather than the upstream commit hashes, so match both)
uname -r
rpm -q --changelog kernel | grep -E 'CVE-2026-31404|2829e80|48db892|f5ab1be'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.