{"id":"CVE-2026-31403","summary":"NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd\n\nThe /proc/fs/nfs/exports proc entry is created at module init\nand persists for the module's lifetime. exports_proc_open()\ncaptures the caller's current network namespace and stores\nits svc_export_cache in seq-\u003eprivate, but takes no reference\non the namespace. If the namespace is subsequently torn down\n(e.g. container destruction after the opener does setns() to a\ndifferent namespace), nfsd_net_exit() calls nfsd_export_shutdown()\nwhich frees the cache. Subsequent reads on the still-open fd\ndereference the freed cache_detail, walking a freed hash table.\n\nHold a reference on the struct net for the lifetime of the open\nfile descriptor. This prevents nfsd_net_exit() from running --\nand thus prevents nfsd_export_shutdown() from freeing the cache\n-- while any exports fd is open. cache_detail already stores\nits net pointer (cd-\u003enet, set by cache_create_net()), so\nexports_release() can retrieve it without additional per-file\nstorage.","modified":"2026-04-28T04:12:41.358010Z","published":"2026-04-03T15:16:06.444Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31403.json","cna_assigner":"Linux"},"references":[{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6a8d70e2ad6aad2c345a5048edcb8168036f97d6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/76740c28050dc6db2f5550f1325b00a11bbb3255"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c7f406fb341d6747634b8b1fa5461656e5e56076"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d1a19217995df9c7e4118f5a2820c5032fef2945"},{"type":"WEB","url":"https://git.kernel.org/stable/c/db4a9f99b12a7ee1c19d86c83a3b752c7effa6c6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e3d77f935639e6ae4b381c80464c31df998d61f4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e7fcf179b82d3a3730fd8615da01b087cc654d0b"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31403.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31403"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5"},{"fixed":"76740c28050dc6db2f5550f1325b00a11bbb3255"},{"fixed":"c7f406fb341d6747634b8b1fa5461656e5e56076"},{"fixed":"d1a19217995df9c7e4118f5a2820c5032fef2945"},{"fixed":"e3d77f935639e6ae4b381c80464c31df998d61f4"},{"fixed":"db4a9f99b12a7ee1c19d86c83a3b752c7effa6c6"},{"fixed":"6a8d70e2ad6aad2c345a5048edcb8168036f97d6"},{"fixed":"e7fcf179b82d3a3730fd8615da01b087cc654d0b"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31403.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"3.9.0"},{"fixed":"5.10.253"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"6.1.167"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.130"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.78"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.20"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.10"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31403.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}