7.8
CVE-2026-53129
- EPSS 0.12%
- Veröffentlicht 24.06.2026 16:30:56
- Zuletzt bearbeitet 06.07.2026 15:27:39
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
fs/mbcache: cancel shrink work before destroying the cache
In the Linux kernel, the following vulnerability has been resolved: fs/mbcache: cancel shrink work before destroying the cache mb_cache_destroy() calls shrinker_free() and then frees all cache entries and the cache itself, but it does not cancel the pending c_shrink_work work item first. If mb_cache_entry_create() schedules c_shrink_work via schedule_work() and the work item is still pending or running when mb_cache_destroy() runs, mb_cache_shrink_worker() will access the cache after its memory has been freed, causing a use-after-free. This is only reachable by a privileged user (root or CAP_SYS_ADMIN) who can trigger the last put of a mounted ext2/ext4/ocfs2 filesystem. Cancel the work item with cancel_work_sync() before calling shrinker_free(), ensuring the worker has finished and will not be rescheduled before the cache is torn down.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linux ≫ Linux Kernel Version >= 4.6 < 6.12.91
Linux ≫ Linux Kernel Version >= 6.13 < 6.18.33
Linux ≫ Linux Kernel Version >= 6.19 < 7.0.10
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.12% | 0.019 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.8 | 1.8 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-416 Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
https://git.kernel.org/stable/c/a88d39a74a208e197c03bffaa2df34de732af19f
https://git.kernel.org/stable/c/0e4eff315d799f5842b95872199b0f0fb8ef5f51
https://git.kernel.org/stable/c/b25fd3523bef88fb7ffd4c5b63bbe9c08f73bb4c
https://git.kernel.org/stable/c/d227786ab1119669df4dc333a61510c52047cce4