What is the CVSS score of CVE-2026-31446?

CVE-2026-31446 has a CVSS 3.1 base score of 7.8 (High). CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Linux Kernel ext4 are affected by CVE-2026-31446?

A use-after-free vulnerability in the Linux kernel ext4 filesystem (CVE-2026-31446) allows local attackers to execute arbitrary code or crash systems during filesystem unmount operations.. A patch is available.

Linux Kernel ext4 CVE-2026-31446

EUVD-2026-24781 HIGH

Use After Free (CWE-416)

2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67

GHSA-wwvq-j7g5-3qrf

Information Disclosure Linux Use After Free Memory Corruption

7.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Apr 27, 2026 - 14:26 vuln.today

CVSS changed

Apr 27, 2026 - 14:22 NVD

7.8 (HIGH)

Patch released

Apr 27, 2026 - 14:16 nvd

Patch available

Apr 22, 2026 - 16:02 EUVD

EUVD ID Assigned

Apr 22, 2026 - 14:22 euvd

EUVD-2026-24781

Analysis Generated

Apr 22, 2026 - 14:22 vuln.today

CVE Published

Apr 22, 2026 - 14:16 nvd

HIGH 7.8

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix use-after-free in update_super_work when racing with umount

Commit b98535d09179 ("ext4: fix bug_on in start_this_handle during umount filesystem") moved ext4_unregister_sysfs() before flushing s_sb_upd_work to prevent new error work from being queued via /proc/fs/ext4/xx/mb_groups reads during unmount. However, this introduced a use-after-free because update_super_work calls ext4_notify_error_sysfs() -> sysfs_notify() which accesses the kobject's kernfs_node after it has been freed by kobject_del() in ext4_unregister_sysfs():

update_super_work ext4_put_super ----------------- -------------- ext4_unregister_sysfs(sb) kobject_del(&sbi->s_kobj) __kobject_del() sysfs_remove_dir() kobj->sd = NULL sysfs_put(sd) kernfs_put() // RCU free ext4_notify_error_sysfs(sbi) sysfs_notify(&sbi->s_kobj) kn = kobj->sd // stale pointer kernfs_get(kn) // UAF on freed kernfs_node ext4_journal_destroy() flush_work(&sbi->s_sb_upd_work)

Instead of reordering the teardown sequence, fix this by making ext4_notify_error_sysfs() detect that sysfs has already been torn down by checking s_kobj.state_in_sysfs, and skipping the sysfs_notify() call in that case. A dedicated mutex (s_error_notify_mutex) serializes ext4_notify_error_sysfs() against kobject_del() in ext4_unregister_sysfs() to prevent TOCTOU races where the kobject could be deleted between the state_in_sysfs check and the sysfs_notify() call.

AnalysisAI

Use-after-free in Linux kernel ext4 filesystem allows local attackers to potentially execute arbitrary code or cause denial of service during unmount operations. The vulnerability stems from a race condition between ext4_put_super() teardown and update_super_work() error notification, where sysfs_notify() accesses a freed kernfs_node object after kobject_del() has released it. …

RemediationAI

Within 24 hours: Identify all Linux systems running kernel versions prior to 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, or 7.0 using uname -r inventory scans. Within 7 days: Test kernel patches in non-production environments matching your distribution's stable release (e.g., RHEL 8.x→6.1.168, RHEL 9.x→6.6.131). …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-47334 MEDIUM This Month

5.5 May 28

Kernel availability loss in Ubuntu Linux 6.8, 6.17, and 7.0 can be triggered by any unprivileged local user via a defect

CVE-2026-47335 MEDIUM This Month

5.5 May 28

Kernel panic via NULL pointer dereference in Ubuntu Linux 6.8's AppArmor notification handler allows a locally authentic

CVE-2026-47327 LOW Monitor

3.3 May 28

NULL pointer dereference in Ubuntu Linux kernel versions 6.8, 6.17, and 7.0 allows a local unprivileged user to crash th

CVE-2026-47337 LOW Monitor

3.3 May 28

NULL pointer dereference in Ubuntu Linux kernel SAUCE patches (versions 6.8, 6.17, and 7.0) allows an unprivileged local

CVE-2026-45844 Monitor

May 27

In the Linux kernel, the following vulnerability has been resolved: netfilter: arp_tables: fix IEEE1394 ARP payload par

Vendor StatusVendor

CVE-2026-31446 vulnerability details – vuln.today

Back

Linux Kernel ext4 CVE-2026-31446

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

More from same product – last 7 days

Vendor StatusVendor

Share

External POC / Exploit Code