CVE-2026-31404
Published: 03 April 2026
Summary
CVE-2026-31404 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 4.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-31404 is a use-after-free vulnerability in the Linux kernel's NFSD (NFS server) component. The issue occurs in svc_export_put(), which immediately calls path_put() and auth_domain_put() upon the last reference drop to an export object, prior to the RCU grace period completing. Concurrent RCU readers in e_show() and c_show() access ex_path (via seq_path/d_path) and ex_client->name (via seq_escape) without holding references, allowing cache_clean to free sub-objects while they are still in use, resulting in a NULL pointer dereference.
According to its CVSS 3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), the vulnerability can be exploited by a local attacker with low privileges, requiring low complexity and no user interaction. Successful exploitation enables high-impact effects on confidentiality, integrity, and availability, such as kernel crashes or potential privilege escalation through the NULL pointer dereference.
Kernel patches addressing the issue are available in stable repositories, including commits 2829e80d29b627886d12b5ea40856d56b516e67d, 48db892356d6cb80f6942885545de4a6dd8d2a29, and f5ab1bec5fa18731e0b1b1e60c9a68667ac73ea2. The fix replaces call_rcu/kfree_rcu with queue_rcu_work() to defer path_put(), auth_domain_put(), and related cleanups (including ex_uuid, ex_stats, and expkey_put equivalents) to process context after the RCU grace period. A dedicated workqueue limits shutdown draining to NFSD export releases, with nfsd_export_shutdown() using rcu_barrier() and flush_workqueue() for completion before cache destruction.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-18790
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: NFSD: Defer sub-object cleanup in export put callbacks svc_export_put() calls path_put() and auth_domain_put() immediately when the last reference drops, before the RCU grace period. RCU readers in e_show() and c_show()…
more
access both ex_path (via seq_path/d_path) and ex_client->name (via seq_escape) without holding a reference. If cache_clean removes the entry and drops the last reference concurrently, the sub-objects are freed while still in use, producing a NULL pointer dereference in d_path. Commit 2530766492ec ("nfsd: fix UAF when access ex_uuid or ex_stats") moved kfree of ex_uuid and ex_stats into the call_rcu callback, but left path_put() and auth_domain_put() running before the grace period because both may sleep and call_rcu callbacks execute in softirq context. Replace call_rcu/kfree_rcu with queue_rcu_work(), which defers the callback until after the RCU grace period and executes it in process context where sleeping is permitted. This allows path_put() and auth_domain_put() to be moved into the deferred callback alongside the other resource releases. Apply the same fix to expkey_put(), which has the identical pattern with ek_path and ek_client. A dedicated workqueue scopes the shutdown drain to only NFSD export release work items; flushing the shared system_unbound_wq would stall on unrelated work from other subsystems. nfsd_export_shutdown() uses rcu_barrier() followed by flush_workqueue() to ensure all deferred release callbacks complete before the export caches are destroyed. Reviwed-by: Jeff Layton <jlayton@kernel.org>
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local use-after-free in kernel NFSD enables NULL dereference for privilege escalation (T1068) or system crash/DoS via exploitation (T1499.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Timely remediation through application of available Linux kernel patches directly resolves the use-after-free race condition in NFSD export cleanup before the RCU grace period.
Memory protection mechanisms such as kernel address space randomization and stack canaries mitigate exploitation of the use-after-free vulnerability leading to NULL pointer dereference.
Vulnerability scanning detects unpatched kernels affected by CVE-2026-31404 in the NFSD component, enabling proactive flaw remediation.