CVE-2026-31404 Overview
A Use-After-Free vulnerability has been identified in the Linux kernel's NFS server (NFSD) subsystem. The vulnerability exists in the svc_export_put() function, which incorrectly calls path_put() and auth_domain_put() immediately when the last reference drops, before the RCU (Read-Copy-Update) grace period completes. This race condition allows RCU readers in e_show() and c_show() to access both ex_path (via seq_path/d_path) and ex_client->name (via seq_escape) without holding a proper reference. If cache_clean removes the entry and drops the last reference concurrently, the sub-objects are freed while still in use, producing a NULL pointer dereference in d_path.
Critical Impact
This vulnerability can cause a NULL pointer dereference leading to a kernel crash (Denial of Service) on systems running NFS server services. Concurrent access patterns during cache cleanup operations can trigger the race condition.
Affected Products
- Linux kernel with NFSD (NFS server) enabled
- Systems running NFS export services
Discovery Timeline
- April 3, 2026 - CVE-2026-31404 published to NVD
- April 7, 2026 - Last updated in NVD database
Technical Details for CVE-2026-31404
Vulnerability Analysis
The vulnerability stems from improper synchronization between RCU-protected read operations and object deallocation in the NFSD export cache subsystem. The core issue involves a timing window where sub-objects (ex_path and ex_client) can be freed while RCU readers still access them.
The previous fix in commit 2530766492ec ("nfsd: fix UAF when access ex_uuid or ex_stats") addressed part of the problem by moving kfree of ex_uuid and ex_stats into the call_rcu callback. However, path_put() and auth_domain_put() were intentionally left outside the RCU callback because these functions may sleep, and call_rcu callbacks execute in softirq context where sleeping is prohibited.
This incomplete fix left open a race window in which the path and authentication domain structures could be deallocated while concurrent readers, iterating through the export cache via the /proc filesystem interfaces, were still accessing them.
Root Cause
The root cause is that deferred cleanup relied on call_rcu/kfree_rcu, whose callbacks run in softirq context and therefore cannot accommodate sleeping operations such as path_put() and auth_domain_put(). Because these functions require process context, they were instead called synchronously, before the RCU grace period completed, violating the guarantee that RCU readers see an object intact until the grace period ends.
The same problematic pattern exists in expkey_put(), which has an identical issue with ek_path and ek_client cleanup.
Attack Vector
The race is reached when NFS export cache cleanup (cache_clean) runs concurrently with another process reading export information (e.g., through the /proc filesystem interfaces backed by e_show() or c_show()), whether the concurrency is triggered deliberately or arises from normal system activity. The result is a NULL pointer dereference in d_path, causing a kernel panic and system crash.
The condition can be triggered locally by users who can read NFS export information, and it is more likely to occur on systems under heavy NFS cache churn. Although specific timing conditions are required, the impact is a complete denial of service through a kernel crash.
Detection Methods for CVE-2026-31404
Indicators of Compromise
- Kernel panic or oops messages referencing d_path, e_show, or c_show functions
- System crashes on servers running NFS export services during cache cleanup operations
- NULL pointer dereference errors in kernel logs associated with NFSD subsystem
- Unexpected system reboots on NFS servers under load
Detection Strategies
- Monitor kernel logs for oops or panic messages containing references to nfsd, svc_export_put, or expkey_put functions
- Implement kernel crash dump analysis to identify race condition patterns in NFS export cache operations
- Deploy SentinelOne agents to detect anomalous kernel behavior and system crashes indicative of memory corruption
Monitoring Recommendations
- Enable kernel crash dump collection (kdump) to capture evidence of exploitation attempts
- Configure monitoring for NFS server availability and unexpected restarts
- Review system logs for patterns indicating repeated NFS export cache-related crashes
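As an added example of the log-monitoring strategy above (not from SentinelOne, the kernel project, or this advisory), the following C program scans kernel log lines for an oops or panic marker followed, within a window of lines, by a call trace that names both an NFSD symbol (nfsd, svc_export_put, expkey_put) and one of d_path, e_show or c_show. The sample log lines, including every address and symbol offset, are constructed for illustration and do not come from a real crash.

```c
#include <stdio.h>
#include <string.h>

/* Signature bits assigned to a single log line. */
#define SIG_OOPS 1u  /* oops / BUG / panic / NULL-dereference marker */
#define SIG_NFSD 2u  /* nfsd, svc_export_put or expkey_put           */
#define SIG_PATH 4u  /* d_path, e_show or c_show                     */

/* Lines examined after an oops marker before the event is closed. */
#define EVENT_WINDOW 40

static const char *const oops_markers[] = {
    "Oops", "BUG:", "Kernel panic", "NULL pointer dereference",
    "general protection fault", NULL };
static const char *const nfsd_markers[] = {
    "nfsd", "NFSD", "svc_export_put", "expkey_put", NULL };
static const char *const path_markers[] = { "d_path", "e_show", "c_show", NULL };

static int has_any(const char *line, const char *const *markers)
{
    for (; *markers; markers++)
        if (strstr(line, *markers))
            return 1;
    return 0;
}

/* Returns the SIG_* bits matched by one log line (substring match, case-sensitive). */
unsigned classify_line(const char *line)
{
    unsigned sig = 0;
    if (has_any(line, oops_markers)) sig |= SIG_OOPS;
    if (has_any(line, nfsd_markers)) sig |= SIG_NFSD;
    if (has_any(line, path_markers)) sig |= SIG_PATH;
    return sig;
}

/*
 * Returns 1 if, within EVENT_WINDOW lines after an oops marker, the trace
 * mentions both an NFSD symbol and one of the d_path/e_show/c_show frames.
 * NFSD messages outside an oops event (normal export-cache chatter) are ignored.
 */
int match_nfsd_export_crash(const char *const *lines, int n)
{
    int in_event = 0, remaining = 0;
    unsigned seen = 0;
    for (int i = 0; i < n; i++) {
        unsigned s = classify_line(lines[i]);
        if (s & SIG_OOPS) {            /* new event: reset what we have seen */
            in_event = 1;
            remaining = EVENT_WINDOW;
            seen = SIG_OOPS;
        }
        if (!in_event)
            continue;
        seen |= s;
        if ((seen & (SIG_NFSD | SIG_PATH)) == (SIG_NFSD | SIG_PATH))
            return 1;
        if (--remaining == 0)
            in_event = 0;
    }
    return 0;
}

/* Constructed sample: an oops whose call trace runs through d_path and e_show. */
static const char *const sample_oops[] = {
    "[  812.004201] BUG: kernel NULL pointer dereference, address: 0000000000000028",
    "[  812.004310] Oops: 0000 [#1] SMP PTI",
    "[  812.004402] Call Trace:",
    "[  812.004455]  d_path+0x1a/0x120",
    "[  812.004501]  seq_path+0x5c/0xa0",
    "[  812.004550]  e_show+0x8e/0x1c0 [nfsd]",
    "[  812.004601]  seq_read_iter+0x2b4/0x4a0",
};

/* Constructed sample: routine nfsd messages plus an unrelated oops. */
static const char *const sample_benign[] = {
    "[  120.000100] nfsd: last server has exited, flushing export cache",
    "[  300.000300] BUG: unable to handle page fault for address: ffffffffc0a1b2c3",
    "[  300.000400] Call Trace:",
    "[  300.000500]  example_driver_irq+0x12/0x40 [example_driver]",
};

#define COUNT(a) ((int)(sizeof(a) / sizeof *(a)))

int demo_oops_detected(void)   { return match_nfsd_export_crash(sample_oops, COUNT(sample_oops)); }
int demo_benign_detected(void) { return match_nfsd_export_crash(sample_benign, COUNT(sample_benign)); }

int main(void)
{
    printf("NFSD export crash sample: %d\n", demo_oops_detected());
    printf("benign sample:            %d\n", demo_benign_detected());
    return 0;
}
```

The matcher keys on the call trace rather than on any single symbol, so ordinary nfsd export-cache log messages do not produce alerts; feed it lines from dmesg, journalctl -k, or a kdump vmcore-dmesg extraction.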
How to Mitigate CVE-2026-31404
Immediate Actions Required
- Update the Linux kernel to a patched version that includes the fix replacing call_rcu/kfree_rcu with queue_rcu_work()
- Review NFS server configurations and reduce exposure of export cache interfaces where possible
- Consider temporarily disabling NFS services on critical systems until patches can be applied
Patch Information
The fix replaces call_rcu/kfree_rcu with queue_rcu_work(), which defers the callback until after the RCU grace period and executes it in process context where sleeping is permitted. This allows path_put() and auth_domain_put() to be moved into the deferred callback alongside other resource releases.
A dedicated workqueue scopes the shutdown drain to only NFSD export release work items. The nfsd_export_shutdown() function uses rcu_barrier() followed by flush_workqueue() to ensure all deferred release callbacks complete before the export caches are destroyed.
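As an added illustration of why moving only kfree() into the RCU callback was insufficient and why queue_rcu_work() closes the window, the following userspace C model (constructed for this page; it is not kernel code and not the fix itself) replays the interleaving described above: a reader inside an RCU read-side section, cache_clean dropping the last reference meanwhile, and the grace period ending afterwards. The RCU machinery, the path_put()/auth_domain_put() stand-ins and the freed flags are all simplified assumptions; the names suffixed _model are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

struct path        { int freed; char dentry[16]; };
struct auth_domain { int freed; char name[16]; };
struct svc_export {
    struct path        *ex_path;
    struct auth_domain *ex_client;
    int refcount;
    int freed;
};

/* --- simulated RCU: callbacks run only once a grace period ends ----- */
static int readers;     /* active rcu_read_lock() sections            */
static int in_softirq;  /* 1 while a call_rcu()-style callback runs   */

typedef void (*rcu_cb_t)(struct svc_export *);
struct deferred { rcu_cb_t fn; struct svc_export *exp; int softirq; };
static struct deferred pending[8];
static int npending;

/* call_rcu(): callback runs in softirq context after the grace period. */
static void call_rcu_model(struct svc_export *exp, rcu_cb_t fn)
{ pending[npending++] = (struct deferred){ fn, exp, 1 }; }

/* queue_rcu_work(): callback runs in process context after the grace period. */
static void queue_rcu_work_model(struct svc_export *exp, rcu_cb_t fn)
{ pending[npending++] = (struct deferred){ fn, exp, 0 }; }

/* A grace period cannot end while any reader is still inside its section. */
static void grace_period_end(void)
{
    if (readers) { fprintf(stderr, "grace period ended with readers active\n"); abort(); }
    for (int i = 0; i < npending; i++) {
        in_softirq = pending[i].softirq;
        pending[i].fn(pending[i].exp);
        in_softirq = 0;
    }
    npending = 0;
}

/* path_put()/auth_domain_put() may sleep, so they must never run from softirq. */
static void might_sleep(void)
{ if (in_softirq) { fprintf(stderr, "sleeping call from softirq context\n"); abort(); } }
static void path_put_model(struct path *p)              { might_sleep(); p->freed = 1; }
static void auth_domain_put_model(struct auth_domain *d){ might_sleep(); d->freed = 1; }

/* --- the two versions of svc_export_put() --------------------------- */
static void kfree_exp_rcu(struct svc_export *exp) { exp->freed = 1; }

/* Pre-fix: sub-objects released at once, only the struct itself deferred. */
static void svc_export_put_vulnerable(struct svc_export *exp)
{
    if (--exp->refcount) return;
    path_put_model(exp->ex_path);          /* too early: a reader may still be in e_show() */
    auth_domain_put_model(exp->ex_client);
    call_rcu_model(exp, kfree_exp_rcu);
}

static void svc_export_release_work(struct svc_export *exp)
{
    path_put_model(exp->ex_path);          /* safe: grace period over, process context */
    auth_domain_put_model(exp->ex_client);
    exp->freed = 1;
}

/* Fixed: every release waits for the grace period and runs in process context. */
static void svc_export_put_fixed(struct svc_export *exp)
{
    if (--exp->refcount) return;
    queue_rcu_work_model(exp, svc_export_release_work);
}

/* --- reader side: e_show() under rcu_read_lock(); returns 1 on a UAF -- */
static int e_show_model(struct svc_export *exp, void (*put)(struct svc_export *))
{
    int uaf = 0;
    readers++;                               /* rcu_read_lock()                          */
    put(exp);                                /* cache_clean drops the last ref meanwhile */
    if (exp->ex_path->freed)   uaf = 1;      /* seq_path()/d_path() on ex_path           */
    if (exp->ex_client->freed) uaf = 1;      /* seq_escape() on ex_client->name          */
    readers--;                               /* rcu_read_unlock()                        */
    return uaf;
}

/* Replays the interleaving once; returns 1 if the reader observed freed memory. */
int run_scenario(int fixed)
{
    static struct path p; static struct auth_domain d; static struct svc_export exp;
    p   = (struct path){ 0, "/export" };
    d   = (struct auth_domain){ 0, "*" };
    exp = (struct svc_export){ &p, &d, 1, 0 };
    npending = 0;
    int uaf = e_show_model(&exp, fixed ? svc_export_put_fixed : svc_export_put_vulnerable);
    grace_period_end();                      /* all three objects are released by now */
    if (!exp.freed || !p.freed || !d.freed) abort();
    return uaf;
}

int main(void)
{
    printf("vulnerable put: reader saw freed sub-objects = %d\n", run_scenario(0));
    printf("fixed put:      reader saw freed sub-objects = %d\n", run_scenario(1));
    return 0;
}
```

The might_sleep() stand-in is what rules out the obvious alternative of simply moving path_put() into the call_rcu callback: that callback runs with in_softirq set and would abort, which is the same constraint the advisory cites for why the earlier fix left those two calls outside the RCU path.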
Kernel patches are available at the following locations:
Workarounds
- Limit access to NFS export cache information through /proc filesystem by restricting file permissions where possible
- Reduce frequency of export cache cleanup operations by adjusting NFS server configuration parameters
- Implement network segmentation to limit access to NFS servers from untrusted systems
- Consider using SentinelOne's runtime protection to detect and prevent exploitation attempts targeting kernel vulnerabilities
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.