{ "threat_severity" : "Moderate", "public_date" : "2026-04-03T00:00:00Z", "bugzilla" : { "description" : "kernel: NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd", "id" : "2454874", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2454874" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "draft" }, "cwe" : "CWE-825", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nNFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd\nThe /proc/fs/nfs/exports proc entry is created at module init\nand persists for the module's lifetime. exports_proc_open()\ncaptures the caller's current network namespace and stores\nits svc_export_cache in seq->private, but takes no reference\non the namespace. If the namespace is subsequently torn down\n(e.g. container destruction after the opener does setns() to a\ndifferent namespace), nfsd_net_exit() calls nfsd_export_shutdown()\nwhich frees the cache. Subsequent reads on the still-open fd\ndereference the freed cache_detail, walking a freed hash table.\nHold a reference on the struct net for the lifetime of the open\nfile descriptor. This prevents nfsd_net_exit() from running --\nand thus prevents nfsd_export_shutdown() from freeing the cache\n-- while any exports fd is open. cache_detail already stores\nits net pointer (cd->net, set by cache_create_net()), so\nexports_release() can retrieve it without additional per-file\nstorage.", "A flaw was found in the Linux kernel's Network File System Daemon (NFSD) component. A local user can exploit this vulnerability by opening the `/proc/fs/nfs/exports` file and then causing the associated network namespace to be destroyed. Subsequent attempts to read from the still-open file descriptor will lead to dereferencing freed memory, which can result in a system crash or a Denial of Service (DoS)." ], "statement" : "`exports_proc_open()` cached export cache without pinning `struct net`. After namespace teardown, `nfsd_export_shutdown()` freed the cache while the fd remained open. Holding a net reference for the fd lifetime prevents the UAF. Relevant to NFS server and container or namespace workflows.", "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31403\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31403\nhttps://lore.kernel.org/linux-cve-announce/2026040328-CVE-2026-31403-5446@gregkh/T" ], "name" : "CVE-2026-31403", "csaw" : false }