Race Condition Affecting kernel-devel-matched package, versions *
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CENTOS10-KERNELDEVELMATCHED-15901022
- published5 Apr 2026
- disclosed3 Apr 2026
Introduced: 3 Apr 2026
NewCVE-2026-31404 (opens in a new tab)How to fix?
There is no fixed version for Centos:10 kernel-devel-matched.
NVD Description
Note: Versions mentioned in the description apply only to the upstream kernel-devel-matched package and not the kernel-devel-matched package as distributed by Centos.
See How to fix? for Centos:10 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
NFSD: Defer sub-object cleanup in export put callbacks
svc_export_put() calls path_put() and auth_domain_put() immediately when the last reference drops, before the RCU grace period. RCU readers in e_show() and c_show() access both ex_path (via seq_path/d_path) and ex_client->name (via seq_escape) without holding a reference. If cache_clean removes the entry and drops the last reference concurrently, the sub-objects are freed while still in use, producing a NULL pointer dereference in d_path.
Commit 2530766492ec ("nfsd: fix UAF when access ex_uuid or ex_stats") moved kfree of ex_uuid and ex_stats into the call_rcu callback, but left path_put() and auth_domain_put() running before the grace period because both may sleep and call_rcu callbacks execute in softirq context.
Replace call_rcu/kfree_rcu with queue_rcu_work(), which defers the callback until after the RCU grace period and executes it in process context where sleeping is permitted. This allows path_put() and auth_domain_put() to be moved into the deferred callback alongside the other resource releases. Apply the same fix to expkey_put(), which has the identical pattern with ek_path and ek_client.
A dedicated workqueue scopes the shutdown drain to only NFSD export release work items; flushing the shared system_unbound_wq would stall on unrelated work from other subsystems. nfsd_export_shutdown() uses rcu_barrier() followed by flush_workqueue() to ensure all deferred release callbacks complete before the export caches are destroyed.
Reviwed-by: Jeff Layton <jlayton@kernel.org>
References
- https://bugzilla.redhat.com/show_bug.cgi?id=2454860
- https://access.redhat.com/security/cve/CVE-2026-31404
- https://git.kernel.org/stable/c/2829e80d29b627886d12b5ea40856d56b516e67d
- https://git.kernel.org/stable/c/48db892356d6cb80f6942885545de4a6dd8d2a29
- https://git.kernel.org/stable/c/f5ab1bec5fa18731e0b1b1e60c9a68667ac73ea2