PatchSiren cyber security CVE debrief
CVE-2026-31404 Linux CVE debrief
CVE-2026-31404 is a Linux kernel NFSD memory-safety issue in export and expkey cleanup. svc_export_put() could call path_put() and auth_domain_put() immediately when the last reference was dropped, even though RCU readers in e_show() and c_show() may still be accessing ex_path and ex_client->name. If cache_clean removed the entry at the wrong time, those sub-objects could be freed while still in use, leading to a NULL pointer dereference in d_path and related use-after-free behavior. The fix defers the cleanup until after the RCU grace period using queue_rcu_work(), moves the sleeping releases into process context, and adds a dedicated workqueue plus shutdown synchronization so export cleanup completes safely before cache teardown.
- Vendor: Linux
- Product: Unknown
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-03
- Original CVE updated: 2026-05-20
- Advisory published: 2026-04-03
- Advisory updated: 2026-05-20
Who should care
Linux kernel maintainers, distro security teams, and administrators running NFSD/NFS server workloads on affected kernels should care most. Because NVD rates this as a local attack with low privileges, systems that allow local user access on hosts running NFSD deserve priority review.
Technical summary
The vulnerability is a race in NFSD export lifetime management. svc_export_put() and expkey_put() released sub-objects such as ex_path, ex_client->name, ek_path, and ek_client too early, before the RCU grace period finished. Meanwhile, seq_file readers in e_show() and c_show() could still dereference those fields without holding a separate reference. The supplied fix replaces direct call_rcu()/kfree_rcu-style cleanup with queue_rcu_work(), which defers the callback until after the grace period and runs it in process context where path_put() and auth_domain_put() are allowed to sleep. A dedicated workqueue is used so nfsd_export_shutdown() can rcu_barrier() and flush only the NFSD export release work, avoiding unrelated system-wide workqueue stalls. NVD lists affected Linux kernel ranges including 6.14 through 6.18.20, 6.19 through 6.19.10, and 7.0 release candidates rc1 through rc4.
Defensive priority
High — this is a kernel memory-safety issue in NFSD export handling with high confidentiality, integrity, and availability impact, even though the attack vector is local and requires low privileges.
Recommended defensive actions
- Apply the kernel fixes referenced in the supplied patch links for CVE-2026-31404.
- Prioritize hosts that run NFSD or provide NFS server functionality, especially if they fall within the affected kernel ranges listed by NVD.
- Verify whether your deployed kernel versions match the affected CPE ranges in NVD and plan remediation for any in-scope systems.
- After patching, confirm the fixed export cleanup path is present in your vendor kernel build and that NFSD services are running the updated kernel.
- Monitor affected servers for kernel crash symptoms or unexpected NULL pointer dereference reports until remediation is complete.
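A first-pass way to do the version check from the list above, as an added example that is not part of the advisory or the kernel patch. The function names, the output labels and the inclusive reading of "through" are assumptions, and a distro kernel that backports the fix will still report an in-range upstream version.

```shell
#!/bin/sh
# Added example: triage a kernel release string against the upstream ranges
# this debrief quotes from NVD for CVE-2026-31404.
# Assumptions: "through" is inclusive; for 7.0 only rc1..rc4 are listed; any
# other -rc build is reported as "unknown" for manual review.
# "in-range" means "check the vendor advisory", not "confirmed vulnerable".

# Prints in-range, outside-range or unknown. The subshell body keeps the
# IFS change and the scratch variables local to the function.
cve_2026_31404_range() (
    rel=$1
    base=${rel%%[!0-9.]*}      # numeric X.Y[.Z] prefix, e.g. 6.18.20
    suffix=${rel#"$base"}      # vendor suffix or -rcN, e.g. -200.fc43.x86_64
    IFS=.; set -- $base
    major=$1; minor=$2; patch=${3:-0}
    case $suffix in
        -rc[0-9]*) rc=${suffix#-rc}; rc=${rc%%[!0-9]*} ;;
        *)         rc= ;;
    esac
    if [ -z "$major" ] || [ -z "$minor" ]; then
        echo unknown
    elif [ -n "$rc" ]; then
        # Release candidates: the debrief lists only 7.0-rc1 through rc4.
        if [ "$major" -ne 7 ] || [ "$minor" -ne 0 ]; then echo unknown
        elif [ "$rc" -ge 1 ] && [ "$rc" -le 4 ]; then echo in-range
        else echo outside-range
        fi
    else
        # Pack X.Y.Z into one integer so the ranges compare numerically.
        key=$(( $major * 1000000 + $minor * 1000 + $patch ))
        if [ "$key" -ge 6014000 ] && [ "$key" -le 6018020 ]; then echo in-range
        elif [ "$key" -ge 6019000 ] && [ "$key" -le 6019010 ]; then echo in-range
        else echo outside-range
        fi
    fi
)

# Report the running kernel. /sys/module/nfsd exists when the nfsd module is
# loaded; treat it as a hint only, since a built-in nfsd may not appear there.
report_host() {
    host_rel=$(uname -r)
    if [ -d /sys/module/nfsd ]; then nfsd=yes; else nfsd=no; fi
    printf '%s kernel=%s nfsd_module_loaded=%s\n' \
        "$(cve_2026_31404_range "$host_rel")" "$host_rel" "$nfsd"
}

report_host
```

For fleet triage, feed collected `uname -r` strings to `cve_2026_31404_range` one at a time and follow up on every `in-range` or `unknown` result against the vendor's advisory.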
Evidence notes
This debrief is based only on the supplied CVE description, the NVD record, and the referenced kernel patch links. The CVE was published on 2026-04-03 and last modified on 2026-05-20. NVD classifies the issue as CVSS 7.8 HIGH with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H and CWE-476. The supplied description explicitly identifies the race in NFSD export cleanup and the move to queue_rcu_work() as the corrective approach.
Official resources
- CVE-2026-31404 CVE record (CVE.org)
- CVE-2026-31404 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
- Mitigation or vendor reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
- Mitigation or vendor reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
Publicly disclosed in the CVE record on 2026-04-03T16:16:39.643Z and updated in NVD metadata on 2026-05-20T12:03:39.440Z.