CVE-2026-31403 | Linux Kernel up to 7.0-rc4 NFSD /proc/fs/nfs/exports exports_proc_open file descriptor consumption

VDB-355172 · CVE-2026-31403 · GCVE-0-2026-31403 LINUX KERNEL UP TO 7.0-RC4 NFSD /PROC/FS/NFS/EXPORTS EXPORTS_PROC_OPEN FILE DESCRIPTOR CONSUMPTION HISTORYDIFFRELATEJSONXMLCTI CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score 5.5 $0-$5k 0.84 Summaryinfo A vulnerability was found in Linux Kernel up to 7.0-rc4. It has been declared as critical. This issue affects the function exports_proc_open of the file /proc/fs/nfs/exports of the component NFSD. Such manipulation leads to file descriptor consumption. This vulnerability is uniquely identified as CVE-2026-31403. No exploit exists. It is recommended to upgrade the affected component. Detailsinfo A vulnerability was found in Linux Kernel up to 7.0-rc4 and classified as critical. Affected by this issue is the function exports_proc_open of the file /proc/fs/nfs/exports of the component NFSD. The manipulation with an unknown input leads to a file descriptor consumption vulnerability. Using CWE to declare the problem leads to CWE-769. This entry has been deprecated because it was a duplicate of CWE-774. All content has been transferred to CWE-774. Impacted is availability. CVE summarizes: In the Linux kernel, the following vulnerability has been resolved: NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd The /proc/fs/nfs/exports proc entry is created at module init and persists for the module's lifetime. exports_proc_open() captures the caller's current network namespace and stores its svc_export_cache in seq->private, but takes no reference on the namespace. If the namespace is subsequently torn down (e.g. container destruction after the opener does setns() to a different namespace), nfsd_net_exit() calls nfsd_export_shutdown() which frees the cache. Subsequent reads on the still-open fd dereference the freed cache_detail, walking a freed hash table. Hold a reference on the struct net for the lifetime of the open file descriptor. This prevents nfsd_net_exit() from running -- and thus prevents nfsd_export_shutdown() from freeing the cache -- while any exports fd is open. cache_detail already stores its net pointer (cd->net, set by cache_create_net()), so exports_release() can retrieve it without additional per-file storage. The advisory is shared for download at git.kernel.org. This vulnerability is handled as CVE-2026-31403 since 03/09/2026. There are known technical details, but no exploit is available. Upgrading to version 6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.10 or 7.0-rc5 eliminates this vulnerability. Applying the patch c7f406fb341d6747634b8b1fa5461656e5e56076/d1a19217995df9c7e4118f5a2820c5032fef2945/e3d77f935639e6ae4b381c80464c31df998d61f4/db4a9f99b12a7ee1c19d86c83a3b752c7effa6c6/6a8d70e2ad6aad2c345a5048edcb8168036f97d6/e7fcf179b82d3a3730fd8615da01b087cc654d0b is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version. Productinfo Type Operating System Vendor Linux Name Kernel Version 6.1.166 6.6.129 6.12.0 6.12.1 6.12.2 6.12.3 6.12.4 6.12.5 6.12.6 6.12.7 6.12.8 6.12.9 6.12.10 6.12.11 6.12.12 6.12.13 6.12.14 6.12.15 6.12.16 6.12.17 6.12.18 6.12.19 6.12.20 6.12.21 6.12.22 6.12.23 6.12.24 6.12.25 6.12.26 6.12.27 6.12.28 6.12.29 6.12.30 6.12.31 6.12.32 6.12.33 6.12.34 6.12.35 6.12.36 6.12.37 6.12.38 6.12.39 6.12.40 6.12.41 6.12.42 6.12.43 6.12.44 6.12.45 6.12.46 6.12.47 6.12.48 6.12.49 6.12.50 6.12.51 6.12.52 6.12.53 6.12.54 6.12.55 6.12.56 6.12.57 6.12.58 6.12.59 6.12.60 6.12.61 6.12.62 6.12.63 6.12.64 6.12.65 6.12.66 6.12.67 6.12.68 6.12.69 6.12.70 6.12.71 6.12.72 6.12.73 6.12.74 6.12.75 6.12.76 6.12.77 6.18.0 6.18.1 6.18.2 6.18.3 6.18.4 6.18.5 6.18.6 6.18.7 6.18.8 6.18.9 6.18.10 6.18.11 6.18.12 6.18.13 6.18.14 6.18.15 6.18.16 6.18.17 6.18.18 6.18.19 6.19.0 6.19.1 6.19.2 6.19.3 6.19.4 6.19.5 6.19.6 6.19.7 6.19.8 6.19.9 7.0-rc1 7.0-rc2 7.0-rc3 7.0-rc4 License open-source Website Vendor: https://www.kernel.org/ CPE 2.3info 🔒 🔒 🔒 CPE 2.2info 🔒 🔒 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv3info VulDB Meta Base Score: 5.7 VulDB Meta Temp Score: 5.5 VulDB Base Score: 5.7 VulDB Temp Score: 5.5 VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: File descriptor consumption CWE: CWE-769 / CWE-400 / CWE-404 CAPEC: 🔒 ATT&CK: 🔒 Physical: No Local: No Remote: Partially Availability: 🔒 Status: Not defined Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: Upgrade Status: 🔍 0-Day Time: 🔒 Upgrade: Kernel 6.1.167/6.6.130/6.12.78/6.18.20/6.19.10/7.0-rc5 Patch: c7f406fb341d6747634b8b1fa5461656e5e56076/d1a19217995df9c7e4118f5a2820c5032fef2945/e3d77f935639e6ae4b381c80464c31df998d61f4/db4a9f99b12a7ee1c19d86c83a3b752c7effa6c6/6a8d70e2ad6aad2c345a5048edcb8168036f97d6/e7fcf179b82d3a3730fd8615da01b087cc654d0b Timelineinfo 03/09/2026 CVE reserved 04/03/2026 +24 days Advisory disclosed 04/03/2026 +0 days VulDB entry created 04/03/2026 +0 days VulDB entry last update Sourcesinfo Vendor: kernel.org Advisory: git.kernel.org Status: Confirmed CVE: CVE-2026-31403 (🔒) GCVE (CVE): GCVE-0-2026-31403 GCVE (VulDB): GCVE-100-355172 Entryinfo Created: 04/03/2026 18:18 Changes: 04/03/2026 18:18 (60) Complete: 🔍 Cache ID: 99:6DA:101 Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸