Cyber Resilience

CVE-2026-31404

HighUpdated

Published: 03 April 2026

Published
03 April 2026
Modified
20 May 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0002 4.6th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-31404 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 4.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-31404 is a use-after-free vulnerability in the Linux kernel's NFSD (NFS server) component. The issue occurs in svc_export_put(), which immediately calls path_put() and auth_domain_put() upon the last reference drop to an export object, prior to the RCU grace period completing. Concurrent RCU readers in e_show() and c_show() access ex_path (via seq_path/d_path) and ex_client->name (via seq_escape) without holding references, allowing cache_clean to free sub-objects while they are still in use, resulting in a NULL pointer dereference.

According to its CVSS 3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), the vulnerability can be exploited by a local attacker with low privileges, requiring low complexity and no user interaction. Successful exploitation enables high-impact effects on confidentiality, integrity, and availability, such as kernel crashes or potential privilege escalation through the NULL pointer dereference.

Kernel patches addressing the issue are available in stable repositories, including commits 2829e80d29b627886d12b5ea40856d56b516e67d, 48db892356d6cb80f6942885545de4a6dd8d2a29, and f5ab1bec5fa18731e0b1b1e60c9a68667ac73ea2. The fix replaces call_rcu/kfree_rcu with queue_rcu_work() to defer path_put(), auth_domain_put(), and related cleanups (including ex_uuid, ex_stats, and expkey_put equivalents) to process context after the RCU grace period. A dedicated workqueue limits shutdown draining to NFSD export releases, with nfsd_export_shutdown() using rcu_barrier() and flush_workqueue() for completion before cache destruction.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: NFSD: Defer sub-object cleanup in export put callbacks svc_export_put() calls path_put() and auth_domain_put() immediately when the last reference drops, before the RCU grace period. RCU readers in e_show() and c_show()…

more

access both ex_path (via seq_path/d_path) and ex_client->name (via seq_escape) without holding a reference. If cache_clean removes the entry and drops the last reference concurrently, the sub-objects are freed while still in use, producing a NULL pointer dereference in d_path. Commit 2530766492ec ("nfsd: fix UAF when access ex_uuid or ex_stats") moved kfree of ex_uuid and ex_stats into the call_rcu callback, but left path_put() and auth_domain_put() running before the grace period because both may sleep and call_rcu callbacks execute in softirq context. Replace call_rcu/kfree_rcu with queue_rcu_work(), which defers the callback until after the RCU grace period and executes it in process context where sleeping is permitted. This allows path_put() and auth_domain_put() to be moved into the deferred callback alongside the other resource releases. Apply the same fix to expkey_put(), which has the identical pattern with ek_path and ek_client. A dedicated workqueue scopes the shutdown drain to only NFSD export release work items; flushing the shared system_unbound_wq would stall on unrelated work from other subsystems. nfsd_export_shutdown() uses rcu_barrier() followed by flush_workqueue() to ensure all deferred release callbacks complete before the export caches are destroyed. Reviwed-by: Jeff Layton <jlayton@kernel.org>

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Local use-after-free in kernel NFSD enables NULL dereference for privilege escalation (T1068) or system crash/DoS via exploitation (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23198Same product: Linux Linux Kernel
CVE-2026-31657Same product: Linux Linux Kernel
CVE-2026-31397Same product: Linux Linux Kernel
CVE-2026-22992Same product: Linux Linux Kernel
CVE-2026-22991Same product: Linux Linux Kernel
CVE-2026-31453Same product: Linux Linux Kernel
CVE-2026-31600Same product: Linux Linux Kernel
CVE-2026-22998Same product: Linux Linux Kernel
CVE-2026-23242Same product: Linux Linux Kernel
CVE-2026-31638Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
7.0 · 6.14 — 6.18.20 · 6.19 — 6.19.10

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely remediation through application of available Linux kernel patches directly resolves the use-after-free race condition in NFSD export cleanup before the RCU grace period.

prevent

Memory protection mechanisms such as kernel address space randomization and stack canaries mitigate exploitation of the use-after-free vulnerability leading to NULL pointer dereference.

detect

Vulnerability scanning detects unpatched kernels affected by CVE-2026-31404 in the NFSD component, enabling proactive flaw remediation.

References