Skip to main content

Linux Kernel ext4 CVE-2026-31446

| EUVDEUVD-2026-24781 HIGH
Use After Free (CWE-416)
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-wwvq-j7g5-3qrf
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
Apr 27, 2026 - 14:26 vuln.today
CVSS changed
Apr 27, 2026 - 14:22 NVD
7.8 (HIGH)
Patch released
Apr 27, 2026 - 14:16 nvd
Patch available
Patch available
Apr 22, 2026 - 16:02 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24781
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix use-after-free in update_super_work when racing with umount

Commit b98535d09179 ("ext4: fix bug_on in start_this_handle during umount filesystem") moved ext4_unregister_sysfs() before flushing s_sb_upd_work to prevent new error work from being queued via /proc/fs/ext4/xx/mb_groups reads during unmount. However, this introduced a use-after-free because update_super_work calls ext4_notify_error_sysfs() -> sysfs_notify() which accesses the kobject's kernfs_node after it has been freed by kobject_del() in ext4_unregister_sysfs():

update_super_work ext4_put_super ----------------- -------------- ext4_unregister_sysfs(sb) kobject_del(&sbi->s_kobj) __kobject_del() sysfs_remove_dir() kobj->sd = NULL sysfs_put(sd) kernfs_put() // RCU free ext4_notify_error_sysfs(sbi) sysfs_notify(&sbi->s_kobj) kn = kobj->sd // stale pointer kernfs_get(kn) // UAF on freed kernfs_node ext4_journal_destroy() flush_work(&sbi->s_sb_upd_work)

Instead of reordering the teardown sequence, fix this by making ext4_notify_error_sysfs() detect that sysfs has already been torn down by checking s_kobj.state_in_sysfs, and skipping the sysfs_notify() call in that case. A dedicated mutex (s_error_notify_mutex) serializes ext4_notify_error_sysfs() against kobject_del() in ext4_unregister_sysfs() to prevent TOCTOU races where the kobject could be deleted between the state_in_sysfs check and the sysfs_notify() call.

AnalysisAI

Use-after-free in Linux kernel ext4 filesystem allows local attackers to potentially execute arbitrary code or cause denial of service during unmount operations. The vulnerability stems from a race condition between ext4_put_super() teardown and update_super_work() error notification, where sysfs_notify() accesses a freed kernfs_node object after kobject_del() has released it. Fixed in stable kernel releases 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, and mainline 7.0. EPSS score of 0.02% (7th percentile) suggests low probability of exploitation in the wild, though CVSS vector indicates straightforward local exploitation requiring user interaction.

Technical ContextAI

The ext4 filesystem's error notification mechanism uses a kobject-based sysfs interface for reporting errors. During filesystem unmount, ext4_put_super() calls ext4_unregister_sysfs() which invokes kobject_del() to remove the sysfs directory, freeing the associated kernfs_node structure via RCU. Concurrently, update_super_work() (a delayed work queue handler) may call ext4_notify_error_sysfs() which attempts sysfs_notify() on the same kobject. The race window exists between kobject_del() setting kobj->sd = NULL and the actual RCU-delayed free of the kernfs_node. When ext4_notify_error_sysfs() dereferences kobj->sd and calls kernfs_get(), it accesses freed memory. This issue was introduced by commit b98535d09179 which reordered teardown operations to prevent new error work submission via /proc/fs/ext4/xx/mb_groups. The fix adds s_error_notify_mutex serialization and checks s_kobj.state_in_sysfs before attempting sysfs_notify(), preventing TOCTOU races.

RemediationAI

Upgrade to patched Linux kernel versions: 5.15.203+ for 5.15.x series, 6.1.168+ for 6.1.x series, 6.6.131+ for 6.6.x series, 6.12.80+ for 6.12.x series, 6.18.21+ for 6.18.x series, 6.19.11+ for 6.19.x series, or 7.0+ for mainline. Patch commits are available at https://git.kernel.org/stable/c/c97e282f7bfd0c3554c63d289964a5ca6a1d2ffe and related stable branch commits in NVD references. For environments unable to immediately patch, potential workarounds include avoiding concurrent ext4 filesystem unmount operations during high error notification activity, though this is impractical for production systems. Disabling ext4 error notification via sysfs is not recommended as it removes critical filesystem health monitoring capabilities. Consider prioritizing systems with untrusted local users or those running kernel versions in the affected range (5.18 through unpatched 6.x/7.x). Standard kernel update procedures apply with reboot required for activation. No known side effects from applying these patches beyond normal kernel update considerations.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31446 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy