CVE-2026-31446
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix use-after-free in update_super_work when racing with umount
Commit b98535d09179 ("ext4: fix bug_on in start_this_handle during umount filesystem") moved ext4_unregister_sysfs() before flushing s_sb_upd_work to prevent new error work from being queued via /proc/fs/ext4/xx/mb_groups reads during unmount. However, this introduced a use-after-free because update_super_work calls ext4_notify_error_sysfs() -> sysfs_notify() which accesses the kobject's kernfs_node after it has been freed by kobject_del() in ext4_unregister_sysfs():
update_super_work ext4_put_super
ext4_unregister_sysfs(sb)
kobject_del(&sbi->s_kobj)
__kobject_del()
sysfs_remove_dir()
kobj->sd = NULL
sysfs_put(sd)
kernfs_put() // RCU free
ext4_notify_error_sysfs(sbi) sysfs_notify(&sbi->s_kobj) kn = kobj->sd // stale pointer kernfs_get(kn) // UAF on freed kernfs_node ext4_journal_destroy() flush_work(&sbi->s_sb_upd_work)
Instead of reordering the teardown sequence, fix this by making ext4_notify_error_sysfs() detect that sysfs has already been torn down by checking s_kobj.state_in_sysfs, and skipping the sysfs_notify() call in that case. A dedicated mutex (s_error_notify_mutex) serializes ext4_notify_error_sysfs() against kobject_del() in ext4_unregister_sysfs() to prevent TOCTOU races where the kobject could be deleted between the state_in_sysfs check and the sysfs_notify() call.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 52c3a04f9ec2a16a4204d6274db338cb8d5b2d74 < c8fe17a1b308c3d8c703ebfb049b325f844342c3 | affected |
| Linux | Linux | b98535d091795a79336f520b0708457aacf55c67 < c4d829737329f2290dd41e290b7d75effdb2a7ff | affected |
| Linux | Linux | b98535d091795a79336f520b0708457aacf55c67 < 9449f99ba04f5dd1c8423ad8a90b3651d7240d1d | affected |
| Linux | Linux | b98535d091795a79336f520b0708457aacf55c67 < 034053378dd81837fd6c7a43b37ee2e58d4f0b4e | affected |
| Linux | Linux | b98535d091795a79336f520b0708457aacf55c67 < c97e282f7bfd0c3554c63d289964a5ca6a1d2ffe | affected |
| Linux | Linux | b98535d091795a79336f520b0708457aacf55c67 < 08b10e6f37fc533a759e9833af0692242e8b3f93 | affected |
| Linux | Linux | b98535d091795a79336f520b0708457aacf55c67 < d15e4b0a418537aafa56b2cb80d44add83e83697 | affected |
| Linux | Linux | 585ef03c9e79672781f954daae730dfe24bf3a46 | affected |
| Linux | Linux | afe490e48d47df1b3f64012835c1bc2f075a8c8b | affected |
| Linux | Linux | 5.15.38 < 5.15.203 | affected |
| Linux | Linux | 5.10.114 < 5.11 | affected |
| Linux | Linux | 5.17.6 < 5.18 | affected |
| Linux | Linux | 5.18 | affected |
| Linux | Linux | 0 < 5.18 | unaffected |
| Linux | Linux | 5.15.203 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.168 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.131 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.80 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.21 <= 6.18.* | unaffected |
| Linux | Linux | 6.19.11 <= 6.19.* | unaffected |
| Linux | Linux | 7.0 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/c8fe17a1b308c3d8c703ebfb049b325f844342c3
- https://git.kernel.org/stable/c/c4d829737329f2290dd41e290b7d75effdb2a7ff
- https://git.kernel.org/stable/c/9449f99ba04f5dd1c8423ad8a90b3651d7240d1d
- https://git.kernel.org/stable/c/034053378dd81837fd6c7a43b37ee2e58d4f0b4e
- https://git.kernel.org/stable/c/c97e282f7bfd0c3554c63d289964a5ca6a1d2ffe
- https://git.kernel.org/stable/c/08b10e6f37fc533a759e9833af0692242e8b3f93
- https://git.kernel.org/stable/c/d15e4b0a418537aafa56b2cb80d44add83e83697
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.