
CVE-2026-31404

Published: April 3, 2026 · Updated: Apr 7, 2026

EPSS: 0.02% probability of exploitation in 30 days · Percentile: 4.0th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

NFSD: Defer sub-object cleanup in export put callbacks

svc_export_put() calls path_put() and auth_domain_put() immediately when the last reference drops, before the RCU grace period. RCU readers in e_show() and c_show() access both ex_path (via seq_path/d_path) and ex_client->name (via seq_escape) without holding a reference. If cache_clean removes the entry and drops the last reference concurrently, the sub-objects are freed while still in use, producing a NULL pointer dereference in d_path.

Commit 2530766492ec ("nfsd: fix UAF when access ex_uuid or ex_stats") moved kfree of ex_uuid and ex_stats into the call_rcu callback, but left path_put() and auth_domain_put() running before the grace period because both may sleep and call_rcu callbacks execute in softirq context.

Replace call_rcu/kfree_rcu with queue_rcu_work(), which defers the callback until after the RCU grace period and executes it in process context where sleeping is permitted. This allows path_put() and auth_domain_put() to be moved into the deferred callback alongside the other resource releases. Apply the same fix to expkey_put(), which has the identical pattern with ek_path and ek_client.

A dedicated workqueue scopes the shutdown drain to only NFSD export release work items; flushing the shared system_unbound_wq would stall on unrelated work from other subsystems. nfsd_export_shutdown() uses rcu_barrier() followed by flush_workqueue() to ensure all deferred release callbacks complete before the export caches are destroyed.

Reviewed-by: Jeff Layton <[email protected]>

NVD Source
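
The ordering problem in the description above, as an added example that is neither kernel code nor taken from the patch: a single-threaded userspace C model comparing release before the grace period, release from a softirq-style callback, and release from a work item in process context. All type and function names and the sample path are assumptions made for illustration, and a released sub-object is modelled as a NULL pointer so the reader's check stays well defined.

```c
#include <stddef.h>

/* Single-threaded userspace model (constructed). Names are illustrative, not
 * the kernel's; a released sub-object is modelled as a NULL pointer. */
enum mode { PUT_IMMEDIATE, DEFER_SOFTIRQ, DEFER_WORKQUEUE };
struct export_model { const char *path; int pending; }; /* path ~ ex_path */
struct outcome { int reader_saw_path, slept_in_softirq, leaked; };

static const char sample_path[] = "/srv/export"; /* constructed sample value */
static int readers; /* readers currently inside a read-side critical section */

/* Models path_put(): may sleep, so it is illegal in softirq context. */
static void drop_path(struct export_model *ex, int in_softirq, struct outcome *o)
{
    if (in_softirq)
        o->slept_in_softirq = 1;
    ex->path = NULL;
}

/* Last reference dropped: decide what is released now and what waits. */
static void export_put(struct export_model *ex, enum mode m, struct outcome *o)
{
    if (m == PUT_IMMEDIATE)
        drop_path(ex, 0, o);   /* before the grace period: the reported bug */
    ex->pending = 1;           /* the remaining release is queued */
}

/* Runs the queued release, but only once no reader remains. */
static void grace_period_end(struct export_model *ex, enum mode m, struct outcome *o)
{
    if (readers || !ex->pending)
        return;
    if (ex->path)
        drop_path(ex, m == DEFER_SOFTIRQ, o); /* call_rcu callback vs work item */
    ex->pending = 0;
}

struct outcome run(enum mode m)
{
    struct outcome o = {0, 0, 0};
    struct export_model ex = { sample_path, 0 };

    readers++;                            /* e_show() enters the read side */
    export_put(&ex, m, &o);               /* cache_clean drops the last reference */
    grace_period_end(&ex, m, &o);         /* no effect: a reader is still active */
    o.reader_saw_path = ex.path != NULL;  /* reader would now format ex_path */
    readers--;
    grace_period_end(&ex, m, &o);         /* grace period over, release runs */
    o.leaked = ex.path != NULL;
    return o;
}
```

run(PUT_IMMEDIATE) reports that the reader no longer sees the path, run(DEFER_SOFTIRQ) reports a sleeping call made from softirq context, and only run(DEFER_WORKQUEUE) is clean on all three fields.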

Technical Analysis

CVE-2026-31404 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

No known exploit: no public exploit confirmed at this time.

All References (3)

Quick Facts

CVE ID: CVE-2026-31404
Severity: NONE
CISA KEV: No
EPSS (30d): 0.02%
Published: Apr 3, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-31404 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.