Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to vulnerabilities
High

Use-after-free in Linux kernel NFSD /proc/fs/nfs/exports handling

IdentifiersCVE-2026-31403CWE-416

CVE-2026-31403 is a use-after-free vulnerability in the Linux kernel NFSD subsystem involving the /proc/fs/nfs/exports proc entry. The proc entry is created at module initialization and persists for the lifetime of the module. In the vulnerable code path, exports_proc_open() captures the caller's current network namespace and stores that namespace's svc_export_cache in seq->private, but does not take a reference on the associated struct net. If that network namespace is later torn down, nfsd_net_exit() invokes nfsd_export_shutdown(), which frees the export cache. A process that still holds an open file descriptor for /proc/fs/nfs/exports can then perform subsequent reads that dereference the freed cache_detail structure and walk a freed hash table. The fix is to hold a reference to the network namespace for the lifetime of the open exports file descriptor and release it in exports_release(), using the cache_detail net pointer already stored in cd->net.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can trigger dereference of freed kernel memory in the NFSD export cache path, resulting in a kernel use-after-free. This can lead to kernel memory corruption, system instability, crashes, and potentially compromise of confidentiality, integrity, and availability. The supplied context indicates high impact across C, I, and A in published CVSS assessments.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by restricting untrusted local access to systems that run NFSD and by limiting the ability of users or containers to interact with network namespaces and the /proc/fs/nfs/exports interface. Avoid scenarios where a process can open /proc/fs/nfs/exports in one network namespace and keep the file descriptor open while that namespace is later destroyed. Because the flaw is in kernel lifetime management, mitigation is only partial; updating to a fixed kernel is the reliable solution.

Remediation

Patch, then assume compromise.

Apply a kernel update that includes the NFSD fix for CVE-2026-31403. The remediation is the upstream change that holds a reference to struct net for the lifetime of an open /proc/fs/nfs/exports file descriptor and releases it in exports_release(), preventing nfsd_net_exit() and nfsd_export_shutdown() from freeing the cache while the descriptor remains open. The provided context lists fixed package versions across SUSE product lines, including kernel-default >= 5.14.21-150500.55.166.1 for multiple SLES 15 SP5 products, >= 6.4.0-150600.23.112.1 for multiple SLES 15 SP6 products, >= 6.4.0-150700.53.55.1 for multiple SLES 15 SP7 products, and >= 6.12.0-160000.33.1 for SLES 16.0, SUSE Linux Micro 6.2, and openSUSE Leap 16.0 related releases.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
LinuxLinux Kerneloperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories and community write-ups. News coverage will land here when it surfaces.

5 SOURCESView more in app

No news coverage yet. Advisories and community discussion only.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity1

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-31403
NVD
nvd.nist.gov/vuln/detail/CVE-2026-31403
MITRE CWE · CWE-416
cwe.mitre.org
Patch
git.kernel.org/stable/c/6a8d70e2ad6aad2c345a5048edcb8168036f97d6
Patch
git.kernel.org/stable/c/76740c28050dc6db2f5550f1325b00a11bbb3255
Patch
git.kernel.org/stable/c/c7f406fb341d6747634b8b1fa5461656e5e56076
Patch
git.kernel.org/stable/c/d1a19217995df9c7e4118f5a2820c5032fef2945
Patch
git.kernel.org/stable/c/db4a9f99b12a7ee1c19d86c83a3b752c7effa6c6
Patch
git.kernel.org/stable/c/e3d77f935639e6ae4b381c80464c31df998d61f4
Patch
git.kernel.org/stable/c/e7fcf179b82d3a3730fd8615da01b087cc654d0b