CVE-2026-31403
Published: 03 April 2026
Summary
CVE-2026-31403 is a high-severity vulnerability of unspecified weakness type in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability is ranked at the 4.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-31403 is a use-after-free vulnerability in the Linux kernel's NFSD component, specifically involving the /proc/fs/nfs/exports proc entry. This entry is created at module init and persists for the module's lifetime. The exports_proc_open() function captures the caller's current network namespace and stores its svc_export_cache in seq->private without taking a reference on the namespace. If the namespace is torn down, for example during container destruction after the opener performs a setns() to a different namespace, nfsd_net_exit() calls nfsd_export_shutdown(), freeing the cache. Subsequent reads on the still-open file descriptor then dereference the freed cache_detail, walking a freed hash table.
A local attacker with low privileges can exploit this vulnerability, as indicated by its CVSS 3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The attacker opens the /proc/fs/nfs/exports file descriptor, switches network namespaces via setns(), and triggers teardown of the original namespace (e.g., container destruction). This causes the use-after-free, allowing subsequent reads to access freed memory structures like the cache_detail and hash table, potentially leading to high confidentiality, integrity, and availability impacts such as arbitrary code execution or system crashes.
Mitigation involves applying Linux kernel patches that hold a reference on the struct net for the lifetime of the open file descriptor, preventing nfsd_net_exit() and nfsd_export_shutdown() from freeing the cache while any exports fd is open. The cache_detail stores its net pointer (cd->net), enabling exports_release() to retrieve it without per-file storage. Stable backports are available at: https://git.kernel.org/stable/c/6a8d70e2ad6aad2c345a5048edcb8168036f97d6, https://git.kernel.org/stable/c/76740c28050dc6db2f5550f1325b00a11bbb3255, https://git.kernel.org/stable/c/c7f406fb341d6747634b8b1fa5461656e5e56076, https://git.kernel.org/stable/c/d1a19217995df9c7e4118f5a2820c5032fef2945, and https://git.kernel.org/stable/c/db4a9f99b12a7ee1c19d86c83a3b752c7effa6c6.
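The lifetime bug and the shape of the fix can be shown with a small userspace model. The block below is an added example written for this page, not kernel code and not the patch itself: the names net, cache_detail, svc_export_cache, exports_proc_open, exports_release, nfsd_net_exit, nfsd_export_shutdown and cache_create_net follow the advisory, while get_net/put_net, the integer refcount and the shutdown flag are the model's own simplifications of the kernel's reference counting and of the free. The unpatched open captures the cache pointer without a reference, so namespace teardown shuts the cache down while the fd is still open; the patched open pins the namespace and release recovers it from cd->net, so the teardown is deferred until close().

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed userspace model (not kernel code) of the object lifetimes behind
 * CVE-2026-31403: a network namespace owns its export cache, and an open
 * /proc/fs/nfs/exports fd keeps a pointer to that cache in seq->private. */
struct net;                             /* forward declaration */

struct cache_detail {
    struct net *net;   /* cd->net, recorded when the cache is created */
    bool shutdown;     /* model flag standing in for the free in nfsd_export_shutdown() */
    int nentries;      /* stands in for the export hash table */
};

struct net {
    int refcount;                       /* struct net reference count (model) */
    struct cache_detail *exports_cache; /* svc_export_cache of this namespace */
};

struct exports_file {                   /* what exports_proc_open() leaves behind */
    struct cache_detail *cache;
    bool holds_net_ref;
};
static int shutdown_calls;              /* nfsd_export_shutdown() runs in the last scenario */

static struct net *net_create(int nentries)
{
    struct net *net = calloc(1, sizeof *net);
    struct cache_detail *cd = calloc(1, sizeof *cd);
    cd->net = net;                      /* cache_create_net() sets cd->net */
    cd->nentries = nentries;
    net->refcount = 1;                  /* held by the namespace owner (the container) */
    net->exports_cache = cd;
    return net;
}

/* nfsd_net_exit() -> nfsd_export_shutdown(): runs once the last reference drops. */
static void nfsd_net_exit(struct net *net)
{
    net->exports_cache->shutdown = true; /* the real kernel frees the hash table here */
    shutdown_calls++;
}
static void get_net(struct net *net) { net->refcount++; }
static void put_net(struct net *net) { if (--net->refcount == 0) nfsd_net_exit(net); }

/* Unpatched open: capture the cache pointer, take no namespace reference. */
static struct exports_file *exports_open_vulnerable(struct net *current_net)
{
    struct exports_file *f = calloc(1, sizeof *f);
    f->cache = current_net->exports_cache;
    return f;
}

/* Patched open: pin the namespace for as long as the fd stays open. */
static struct exports_file *exports_open_fixed(struct net *current_net)
{
    struct exports_file *f = calloc(1, sizeof *f);
    get_net(current_net);
    f->cache = current_net->exports_cache;
    f->holds_net_ref = true;
    return f;
}

/* A read on the fd. The model refuses to walk a shut-down cache and returns -1;
 * the real kernel has no such guard, which is precisely the use-after-free. */
static int exports_read(const struct exports_file *f) { return f->cache->shutdown ? -1 : f->cache->nentries; }

/* Release: the patched path recovers the namespace from cd->net (no per-file
 * storage needed) and drops the reference taken at open. */
static void exports_release(struct exports_file *f)
{
    if (f->holds_net_ref)
        put_net(f->cache->net);
    free(f);
}

/* The advisory's sequence: open the fd, tear down the original namespace (container
 * destroyed), then read the still-open fd. Returns -1 if the cache was already shut down. */
int read_after_namespace_teardown(bool fixed)
{
    shutdown_calls = 0;
    struct net *net = net_create(3);
    struct exports_file *f = fixed ? exports_open_fixed(net) : exports_open_vulnerable(net);
    put_net(net);                 /* owner drops its reference: container destruction */
    int result = exports_read(f); /* read on the still-open fd */
    exports_release(f);           /* close(): the patched path releases the namespace here */
    free(net->exports_cache);     /* model cleanup only; kept so the flag stayed inspectable */
    free(net);
    return result;
}

int main(void)
{
    printf("unpatched: read returned %d\n", read_after_namespace_teardown(false));
    printf("patched:   read returned %d\n", read_after_namespace_teardown(true));
    return 0;
}
```

In both runs the cache shutdown happens exactly once; what differs is when. Without the reference it happens at namespace teardown, while the fd is still open, so the later read hits a shut-down cache. With the reference it happens at exports_release(), after the last reader is gone, which is the property the stable backports restore.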
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-18788
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:
NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd
The /proc/fs/nfs/exports proc entry is created at module init and persists for the module's lifetime. exports_proc_open() captures the caller's current network namespace and stores its svc_export_cache in seq->private, but takes no reference on the namespace. If the namespace is subsequently torn down (e.g. container destruction after the opener does setns() to a different namespace), nfsd_net_exit() calls nfsd_export_shutdown() which frees the cache. Subsequent reads on the still-open fd dereference the freed cache_detail, walking a freed hash table.
Hold a reference on the struct net for the lifetime of the open file descriptor. This prevents nfsd_net_exit() from running -- and thus prevents nfsd_export_shutdown() from freeing the cache -- while any exports fd is open. cache_detail already stores its net pointer (cd->net, set by cache_create_net()), so exports_release() can retrieve it without additional per-file storage.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A use-after-free in the Linux kernel NFSD component (/proc/fs/nfs/exports) allows a local, low-privileged attacker to trigger memory corruption leading to arbitrary code execution or crashes, directly enabling local privilege escalation via a kernel exploit.
Mitigating Controls (NIST 800-53 r5)
SI-2 mandates timely identification, reporting, and correction of the use-after-free flaw in Linux kernel NFSD via application of stable backported patches.
RA-5 requires vulnerability scanning that detects CVE-2026-31403 in kernel versions, triggering remediation to prevent exploitation.
SI-16 (Memory Protection) controls such as ASLR and non-executable memory regions hinder exploitation of the NFSD use-after-free dereference.