7.8
CVE-2026-31446
- EPSS 0.13%
- Veröffentlicht 22.04.2026 14:16:38
- Zuletzt bearbeitet 07.05.2026 19:21:44
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
ext4: fix use-after-free in update_super_work when racing with umount
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix use-after-free in update_super_work when racing with umount
Commit b98535d09179 ("ext4: fix bug_on in start_this_handle during umount
filesystem") moved ext4_unregister_sysfs() before flushing s_sb_upd_work
to prevent new error work from being queued via /proc/fs/ext4/xx/mb_groups
reads during unmount. However, this introduced a use-after-free because
update_super_work calls ext4_notify_error_sysfs() -> sysfs_notify() which
accesses the kobject's kernfs_node after it has been freed by kobject_del()
in ext4_unregister_sysfs():
update_super_work ext4_put_super
----------------- --------------
ext4_unregister_sysfs(sb)
kobject_del(&sbi->s_kobj)
__kobject_del()
sysfs_remove_dir()
kobj->sd = NULL
sysfs_put(sd)
kernfs_put() // RCU free
ext4_notify_error_sysfs(sbi)
sysfs_notify(&sbi->s_kobj)
kn = kobj->sd // stale pointer
kernfs_get(kn) // UAF on freed kernfs_node
ext4_journal_destroy()
flush_work(&sbi->s_sb_upd_work)
Instead of reordering the teardown sequence, fix this by making
ext4_notify_error_sysfs() detect that sysfs has already been torn down
by checking s_kobj.state_in_sysfs, and skipping the sysfs_notify() call
in that case. A dedicated mutex (s_error_notify_mutex) serializes
ext4_notify_error_sysfs() against kobject_del() in ext4_unregister_sysfs()
to prevent TOCTOU races where the kobject could be deleted between the
state_in_sysfs check and the sysfs_notify() call.Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linux ≫ Linux Kernel Version >= 5.10.114 < 5.11
Linux ≫ Linux Kernel Version >= 5.15.38 < 5.15.203
Linux ≫ Linux Kernel Version >= 5.17.6 < 5.18
Linux ≫ Linux Kernel Version >= 5.18.1 < 6.1.168
Linux ≫ Linux Kernel Version >= 6.2 < 6.6.131
Linux ≫ Linux Kernel Version >= 6.7 < 6.12.80
Linux ≫ Linux Kernel Version >= 6.13 < 6.18.21
Linux ≫ Linux Kernel Version >= 6.19 < 6.19.11
Linux ≫ Linux Kernel Version5.18 Update-
Linux ≫ Linux Kernel Version5.18 Updaterc4
Linux ≫ Linux Kernel Version5.18 Updaterc5
Linux ≫ Linux Kernel Version5.18 Updaterc6
Linux ≫ Linux Kernel Version5.18 Updaterc7
Linux ≫ Linux Kernel Version5.18 Updaterc9
Linux ≫ Linux Kernel Version7.0 Updaterc1
Linux ≫ Linux Kernel Version7.0 Updaterc2
Linux ≫ Linux Kernel Version7.0 Updaterc3
Linux ≫ Linux Kernel Version7.0 Updaterc4
Linux ≫ Linux Kernel Version7.0 Updaterc5
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.13% | 0.03 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | 7.8 | 1.8 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
|
CWE-416 Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
https://git.kernel.org/stable/c/034053378dd81837fd6c7a43b37ee2e58d4f0b4e
https://git.kernel.org/stable/c/08b10e6f37fc533a759e9833af0692242e8b3f93
https://git.kernel.org/stable/c/9449f99ba04f5dd1c8423ad8a90b3651d7240d1d
https://git.kernel.org/stable/c/c4d829737329f2290dd41e290b7d75effdb2a7ff
https://git.kernel.org/stable/c/c8fe17a1b308c3d8c703ebfb049b325f844342c3
https://git.kernel.org/stable/c/c97e282f7bfd0c3554c63d289964a5ca6a1d2ffe
https://git.kernel.org/stable/c/d15e4b0a418537aafa56b2cb80d44add83e83697