{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5"
            },
            {
              "fixed": "76740c28050dc6db2f5550f1325b00a11bbb3255"
            },
            {
              "fixed": "c7f406fb341d6747634b8b1fa5461656e5e56076"
            },
            {
              "fixed": "d1a19217995df9c7e4118f5a2820c5032fef2945"
            },
            {
              "fixed": "e3d77f935639e6ae4b381c80464c31df998d61f4"
            },
            {
              "fixed": "db4a9f99b12a7ee1c19d86c83a3b752c7effa6c6"
            },
            {
              "fixed": "6a8d70e2ad6aad2c345a5048edcb8168036f97d6"
            },
            {
              "fixed": "e7fcf179b82d3a3730fd8615da01b087cc654d0b"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Linux",
        "name": "Kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.9.0"
            },
            {
              "fixed": "5.10.253"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "5.11.0"
            },
            {
              "fixed": "6.1.167"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.2.0"
            },
            {
              "fixed": "6.6.130"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.7.0"
            },
            {
              "fixed": "6.12.78"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.13.0"
            },
            {
              "fixed": "6.18.20"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.19.0"
            },
            {
              "fixed": "6.19.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31403.json"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd\n\nThe /proc/fs/nfs/exports proc entry is created at module init\nand persists for the module's lifetime. exports_proc_open()\ncaptures the caller's current network namespace and stores\nits svc_export_cache in seq-\u003eprivate, but takes no reference\non the namespace. If the namespace is subsequently torn down\n(e.g. container destruction after the opener does setns() to a\ndifferent namespace), nfsd_net_exit() calls nfsd_export_shutdown()\nwhich frees the cache. Subsequent reads on the still-open fd\ndereference the freed cache_detail, walking a freed hash table.\n\nHold a reference on the struct net for the lifetime of the open\nfile descriptor. This prevents nfsd_net_exit() from running --\nand thus prevents nfsd_export_shutdown() from freeing the cache\n-- while any exports fd is open. cache_detail already stores\nits net pointer (cd-\u003enet, set by cache_create_net()), so\nexports_release() can retrieve it without additional per-file\nstorage.",
  "id": "CVE-2026-31403",
  "modified": "2026-07-16T03:30:50.041057079Z",
  "published": "2026-04-03T15:16:06.444Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-019113.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6a8d70e2ad6aad2c345a5048edcb8168036f97d6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/76740c28050dc6db2f5550f1325b00a11bbb3255"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c7f406fb341d6747634b8b1fa5461656e5e56076"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d1a19217995df9c7e4118f5a2820c5032fef2945"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/db4a9f99b12a7ee1c19d86c83a3b752c7effa6c6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e3d77f935639e6ae4b381c80464c31df998d61f4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e7fcf179b82d3a3730fd8615da01b087cc654d0b"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31403.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31403"
    },
    {
      "type": "PACKAGE",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
    }
  ],
  "schema_version": "1.8.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd"
}