7.8

CVE-2026-53129

fs/mbcache: cancel shrink work before destroying the cache

In the Linux kernel, the following vulnerability has been resolved:

fs/mbcache: cancel shrink work before destroying the cache

mb_cache_destroy() calls shrinker_free() and then frees all cache
entries and the cache itself, but it does not cancel the pending
c_shrink_work work item first.

If mb_cache_entry_create() schedules c_shrink_work via schedule_work()
and the work item is still pending or running when mb_cache_destroy()
runs, mb_cache_shrink_worker() will access the cache after its memory
has been freed, causing a use-after-free.

This is only reachable by a privileged user (root or CAP_SYS_ADMIN)
who can trigger the last put of a mounted ext2/ext4/ocfs2 filesystem.

Cancel the work item with cancel_work_sync() before calling
shrinker_free(), ensuring the worker has finished and will not be
rescheduled before the cache is torn down.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 4.6 < 6.12.91
LinuxLinux Kernel Version >= 6.13 < 6.18.33
LinuxLinux Kernel Version >= 6.19 < 7.0.10
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.12% 0.019
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://git.kernel.org/stable/c/a88d39a74a208e197c03bffaa2df34de732af19f
Patch
https://git.kernel.org/stable/c/0e4eff315d799f5842b95872199b0f0fb8ef5f51
Patch
https://git.kernel.org/stable/c/b25fd3523bef88fb7ffd4c5b63bbe9c08f73bb4c
Patch
https://git.kernel.org/stable/c/d227786ab1119669df4dc333a61510c52047cce4
Patch