{"api_version":"1","generated_at":"2026-04-26T00:11:47+00:00","cve":"CVE-2026-31404","urls":{"html":"https://cve.report/CVE-2026-31404","api":"https://cve.report/api/cve/CVE-2026-31404.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-31404","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-31404"},"summary":{"title":"NFSD: Defer sub-object cleanup in export put callbacks","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Defer sub-object cleanup in export put callbacks\n\nsvc_export_put() calls path_put() and auth_domain_put() immediately\nwhen the last reference drops, before the RCU grace period. RCU\nreaders in e_show() and c_show() access both ex_path (via\nseq_path/d_path) and ex_client->name (via seq_escape) without\nholding a reference. If cache_clean removes the entry and drops the\nlast reference concurrently, the sub-objects are freed while still\nin use, producing a NULL pointer dereference in d_path.\n\nCommit 2530766492ec (\"nfsd: fix UAF when access ex_uuid or\nex_stats\") moved kfree of ex_uuid and ex_stats into the\ncall_rcu callback, but left path_put() and auth_domain_put() running\nbefore the grace period because both may sleep and call_rcu\ncallbacks execute in softirq context.\n\nReplace call_rcu/kfree_rcu with queue_rcu_work(), which defers the\ncallback until after the RCU grace period and executes it in process\ncontext where sleeping is permitted. This allows path_put() and\nauth_domain_put() to be moved into the deferred callback alongside\nthe other resource releases. Apply the same fix to expkey_put(),\nwhich has the identical pattern with ek_path and ek_client.\n\nA dedicated workqueue scopes the shutdown drain to only NFSD\nexport release work items; flushing the shared\nsystem_unbound_wq would stall on unrelated work from other\nsubsystems. nfsd_export_shutdown() uses rcu_barrier() followed\nby flush_workqueue() to ensure all deferred release callbacks\ncomplete before the export caches are destroyed.\n\nReviwed-by: Jeff Layton <jlayton@kernel.org>","state":"PUBLISHED","assigner":"Linux","published_at":"2026-04-03 16:16:39","updated_at":"2026-04-07 13:20:55"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/f5ab1bec5fa18731e0b1b1e60c9a68667ac73ea2","name":"https://git.kernel.org/stable/c/f5ab1bec5fa18731e0b1b1e60c9a68667ac73ea2","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/2829e80d29b627886d12b5ea40856d56b516e67d","name":"https://git.kernel.org/stable/c/2829e80d29b627886d12b5ea40856d56b516e67d","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/48db892356d6cb80f6942885545de4a6dd8d2a29","name":"https://git.kernel.org/stable/c/48db892356d6cb80f6942885545de4a6dd8d2a29","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-31404","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31404","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c224edca7af028828e2ad866b61d731b5e72b46d 2829e80d29b627886d12b5ea40856d56b516e67d git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c224edca7af028828e2ad866b61d731b5e72b46d f5ab1bec5fa18731e0b1b1e60c9a68667ac73ea2 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c224edca7af028828e2ad866b61d731b5e72b46d 48db892356d6cb80f6942885545de4a6dd8d2a29 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.14","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.14 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.20 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.10 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0-rc5 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"31404","cve":"CVE-2026-31404","epss":"0.000170000","percentile":"0.039750000","score_date":"2026-04-07","updated_at":"2026-04-08 00:03:39"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["fs/nfsd/export.c","fs/nfsd/export.h","fs/nfsd/nfsctl.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"2829e80d29b627886d12b5ea40856d56b516e67d","status":"affected","version":"c224edca7af028828e2ad866b61d731b5e72b46d","versionType":"git"},{"lessThan":"f5ab1bec5fa18731e0b1b1e60c9a68667ac73ea2","status":"affected","version":"c224edca7af028828e2ad866b61d731b5e72b46d","versionType":"git"},{"lessThan":"48db892356d6cb80f6942885545de4a6dd8d2a29","status":"affected","version":"c224edca7af028828e2ad866b61d731b5e72b46d","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["fs/nfsd/export.c","fs/nfsd/export.h","fs/nfsd/nfsctl.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.14"},{"lessThan":"6.14","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.20","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.10","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0-rc5","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.20","versionStartIncluding":"6.14","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.10","versionStartIncluding":"6.14","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0-rc5","versionStartIncluding":"6.14","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Defer sub-object cleanup in export put callbacks\n\nsvc_export_put() calls path_put() and auth_domain_put() immediately\nwhen the last reference drops, before the RCU grace period. RCU\nreaders in e_show() and c_show() access both ex_path (via\nseq_path/d_path) and ex_client->name (via seq_escape) without\nholding a reference. If cache_clean removes the entry and drops the\nlast reference concurrently, the sub-objects are freed while still\nin use, producing a NULL pointer dereference in d_path.\n\nCommit 2530766492ec (\"nfsd: fix UAF when access ex_uuid or\nex_stats\") moved kfree of ex_uuid and ex_stats into the\ncall_rcu callback, but left path_put() and auth_domain_put() running\nbefore the grace period because both may sleep and call_rcu\ncallbacks execute in softirq context.\n\nReplace call_rcu/kfree_rcu with queue_rcu_work(), which defers the\ncallback until after the RCU grace period and executes it in process\ncontext where sleeping is permitted. This allows path_put() and\nauth_domain_put() to be moved into the deferred callback alongside\nthe other resource releases. Apply the same fix to expkey_put(),\nwhich has the identical pattern with ek_path and ek_client.\n\nA dedicated workqueue scopes the shutdown drain to only NFSD\nexport release work items; flushing the shared\nsystem_unbound_wq would stall on unrelated work from other\nsubsystems. nfsd_export_shutdown() uses rcu_barrier() followed\nby flush_workqueue() to ensure all deferred release callbacks\ncomplete before the export caches are destroyed.\n\nReviwed-by: Jeff Layton <jlayton@kernel.org>"}],"providerMetadata":{"dateUpdated":"2026-04-03T15:16:07.207Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/2829e80d29b627886d12b5ea40856d56b516e67d"},{"url":"https://git.kernel.org/stable/c/f5ab1bec5fa18731e0b1b1e60c9a68667ac73ea2"},{"url":"https://git.kernel.org/stable/c/48db892356d6cb80f6942885545de4a6dd8d2a29"}],"title":"NFSD: Defer sub-object cleanup in export put callbacks","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-31404","datePublished":"2026-04-03T15:16:07.207Z","dateReserved":"2026-03-09T15:48:24.086Z","dateUpdated":"2026-04-03T15:16:07.207Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-03 16:16:39","lastModifiedDate":"2026-04-07 13:20:55","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"31404","Ordinal":"1","Title":"NFSD: Defer sub-object cleanup in export put callbacks","CVE":"CVE-2026-31404","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"31404","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Defer sub-object cleanup in export put callbacks\n\nsvc_export_put() calls path_put() and auth_domain_put() immediately\nwhen the last reference drops, before the RCU grace period. RCU\nreaders in e_show() and c_show() access both ex_path (via\nseq_path/d_path) and ex_client->name (via seq_escape) without\nholding a reference. If cache_clean removes the entry and drops the\nlast reference concurrently, the sub-objects are freed while still\nin use, producing a NULL pointer dereference in d_path.\n\nCommit 2530766492ec (\"nfsd: fix UAF when access ex_uuid or\nex_stats\") moved kfree of ex_uuid and ex_stats into the\ncall_rcu callback, but left path_put() and auth_domain_put() running\nbefore the grace period because both may sleep and call_rcu\ncallbacks execute in softirq context.\n\nReplace call_rcu/kfree_rcu with queue_rcu_work(), which defers the\ncallback until after the RCU grace period and executes it in process\ncontext where sleeping is permitted. This allows path_put() and\nauth_domain_put() to be moved into the deferred callback alongside\nthe other resource releases. Apply the same fix to expkey_put(),\nwhich has the identical pattern with ek_path and ek_client.\n\nA dedicated workqueue scopes the shutdown drain to only NFSD\nexport release work items; flushing the shared\nsystem_unbound_wq would stall on unrelated work from other\nsubsystems. nfsd_export_shutdown() uses rcu_barrier() followed\nby flush_workqueue() to ensure all deferred release callbacks\ncomplete before the export caches are destroyed.\n\nReviwed-by: Jeff Layton <jlayton@kernel.org>","Type":"Description","Title":"NFSD: Defer sub-object cleanup in export put callbacks"}]}}}