CVE-2026-31403

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
03/04/2026
Last modified:
03/04/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd

The /proc/fs/nfs/exports proc entry is created at module init and persists for the module's lifetime. exports_proc_open() captures the caller's current network namespace and stores its svc_export_cache in seq->private, but takes no reference on the namespace. If the namespace is subsequently torn down (e.g. container destruction after the opener does setns() to a different namespace), nfsd_net_exit() calls nfsd_export_shutdown() which frees the cache. Subsequent reads on the still-open fd dereference the freed cache_detail, walking a freed hash table.

Hold a reference on the struct net for the lifetime of the open file descriptor. This prevents nfsd_net_exit() from running -- and thus prevents nfsd_export_shutdown() from freeing the cache -- while any exports fd is open. cache_detail already stores its net pointer (cd->net, set by cache_create_net()), so exports_release() can retrieve it without additional per-file storage.
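The lifetime rule the fix relies on, shown as a userspace model. This is an added example, not the kernel patch or any code from the NFSD project: every model_* function and the struct layouts are simplified assumptions that only mirror the names used in the description.

```c
/* Userspace model, constructed for illustration; not kernel code. */
#include <stdio.h>
#include <stdlib.h>

struct net;
struct cache_detail { struct net *net; int *hash_table; };
struct net { int refcount; int exited; struct cache_detail *export_cache; };

/* Stand-in for nfsd_net_exit() -> nfsd_export_shutdown(): frees the cache. */
static void model_net_exit(struct net *n) {
    free(n->export_cache->hash_table);
    free(n->export_cache);
    n->export_cache = NULL;
    n->exited = 1;
}
static struct net *model_net_create(void) {
    struct net *n = calloc(1, sizeof(*n));
    struct cache_detail *cd = calloc(1, sizeof(*cd));
    if (!n || !cd || !(cd->hash_table = calloc(8, sizeof(int)))) abort();
    cd->net = n;          /* modelled on cd->net, set by cache_create_net() */
    n->export_cache = cd;
    n->refcount = 1;      /* reference held by the namespace's own users */
    return n;
}
static void model_get_net(struct net *n) { n->refcount++; }
/* Teardown runs only when the last reference is dropped. */
static void model_put_net(struct net *n) { if (--n->refcount == 0) model_net_exit(n); }

/* Fixed open: pin the namespace for the lifetime of the fd. */
static struct cache_detail *model_exports_open(struct net *n) {
    model_get_net(n);
    return n->export_cache;   /* the kernel keeps this in seq->private */
}
/* Fixed release: recover the net from cd->net, so no per-file storage. */
static void model_exports_release(struct cache_detail *cd) { model_put_net(cd->net); }

/* Returns 1 if the cache is still valid when read after namespace teardown began. */
static int model_scenario(struct net *n) {
    struct cache_detail *cd = model_exports_open(n);
    model_put_net(n);         /* namespace users gone (e.g. container destroyed) */
    int alive = (n->exited == 0 && cd->hash_table[0] == 0);  /* read on open fd */
    model_exports_release(cd);  /* last reference dropped: teardown runs now */
    return alive;
}
int main(void) {
    struct net *n = model_net_create();
    int alive = model_scenario(n);
    printf("cache alive while fd open: %d, torn down after close: %d\n", alive, n->exited);
    free(n);
    return 0;
}
```

Removing the model_get_net() call from model_exports_open() reproduces the pre-fix ordering in the model: the teardown runs while the descriptor is still open, and the read touches freed memory.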

Impact