CVE-2026-31403

In the Linux kernel, the following vulnerability has been resolved:

NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd

The /proc/fs/nfs/exports proc entry is created at module init and persists for the module's lifetime. exports proc open() captures the caller's current network namespace and stores its svc export cache in seq->private, but takes no reference on the namespace. If the namespace is subsequently torn down (e.g. container destruction after the opener does setns() to a different namespace), nfsd net exit() calls nfsd export shutdown() which frees the cache. Subsequent reads on the still-open fd dereference the freed cache detail, walking a freed hash table.

Hold a reference on the struct net for the lifetime of the open file descriptor. This prevents nfsd net exit() from running -- and thus prevents nfsd export shutdown() from freeing the cache -- while any exports fd is open. cache detail already stores its net pointer (cd->net, set by cache create net()), so exports release() can retrieve it without additional per-file storage.