Skip to main content

Linux Kernel XFS CVE-2026-31453

| EUVDEUVD-2026-24792 HIGH
NULL Pointer Dereference (CWE-476)
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-h88h-485v-q9qv
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
Apr 27, 2026 - 14:28 vuln.today
CVSS changed
Apr 27, 2026 - 14:22 NVD
7.8 (HIGH)
Patch released
Apr 27, 2026 - 14:16 nvd
Patch available
Patch available
Apr 22, 2026 - 16:02 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24792
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

xfs: avoid dereferencing log items after push callbacks

After xfsaild_push_item() calls iop_push(), the log item may have been freed if the AIL lock was dropped during the push. Background inode reclaim or the dquot shrinker can free the log item while the AIL lock is not held, and the tracepoints in the switch statement dereference the log item after iop_push() returns.

Fix this by capturing the log item type, flags, and LSN before calling xfsaild_push_item(), and introducing a new xfs_ail_push_class trace event class that takes these pre-captured values and the ailp pointer instead of the log item pointer.

AnalysisAI

Use-after-free in Linux kernel's XFS filesystem allows local authenticated users to achieve arbitrary code execution, privilege escalation, or information disclosure. The vulnerability occurs in the XFS Active Item List (AIL) push mechanism where log items can be freed by background reclaim processes while still being dereferenced by tracepoints. Vendor patches are available for kernel versions 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, and 7.0. EPSS score of 0.02% (7th percentile) indicates very low observed exploitation probability in the wild, and no public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.

Technical ContextAI

The XFS filesystem's Active Item List (AIL) is a kernel data structure tracking log items requiring writeback to disk. The xfsaild_push_item() function processes these items by calling their iop_push() callbacks, but releases the AIL lock during processing to avoid lock contention. This creates a race condition where background kernel threads (inode reclaim or dquot shrinker) can free log items while the AIL lock is dropped. When xfsaild_push_item() subsequently accesses the log item pointer for tracepoint instrumentation in its switch statement, it dereferences freed memory. This is a classic use-after-free vulnerability (CWE-416 class) where the lifetime of a data structure is not properly synchronized with concurrent access. The fix preemptively captures log item metadata (type, flags, LSN) before the push callback and uses these cached values in a new trace event class, eliminating the post-callback pointer dereference entirely. This affects XFS-specific code paths and requires local access to trigger filesystem operations that exercise the AIL push mechanism.

RemediationAI

Apply vendor-released kernel updates to patched versions: upgrade to kernel 6.1.168 or later for 6.1.x series, 6.6.131+ for 6.6.x, 6.12.80+ for 6.12.x, 6.18.21+ for 6.18.x, 6.19.11+ for 6.19.x, or 7.0+ for mainline. Patches are available from kernel.org git stable tree at https://git.kernel.org/stable/ with specific commits listed in references. For systems unable to immediately patch, compensating controls include restricting local user access to trusted administrators only (reducing PR:L attack prerequisite), disabling XFS filesystem usage by migrating to ext4 or other filesystems (eliminates vulnerable code path entirely but requires significant effort and downtime), or implementing kernel live-patching solutions like KernelCare or kpatch for zero-downtime updates. Note that filesystem migration is operationally complex and may impact performance characteristics. SELinux or AppArmor mandatory access controls do not mitigate this kernel-level memory safety issue. Prioritize patching for multi-tenant systems, containerized environments, and systems with untrusted local users over single-user workstations.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31453 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy