Skip to main content

Linux Kernel CVE-2026-31455

| EUVDEUVD-2026-24794 HIGH
Use After Free (CWE-416)
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-q892-7mjj-mjx9
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Generated
May 05, 2026 - 23:30 vuln.today
CVSS changed
May 05, 2026 - 21:22 NVD
7.8 (HIGH)
Patch released
Apr 23, 2026 - 16:17 nvd
Patch available
Patch available
Apr 22, 2026 - 16:02 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24794
CVE Published
Apr 22, 2026 - 14:16 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

xfs: stop reclaim before pushing AIL during unmount

The unmount sequence in xfs_unmount_flush_inodes() pushed the AIL while background reclaim and inodegc are still running. This is broken independently of any use-after-free issues - background reclaim and inodegc should not be running while the AIL is being pushed during unmount, as inodegc can dirty and insert inodes into the AIL during the flush, and background reclaim can race to abort and free dirty inodes.

Reorder xfs_unmount_flush_inodes() to stop inodegc and cancel background reclaim before pushing the AIL. Stop inodegc before cancelling m_reclaim_work because the inodegc worker can re-queue m_reclaim_work via xfs_inodegc_set_reclaimable.

AnalysisAI

Use-after-free in Linux Kernel XFS filesystem allows local authenticated users to execute arbitrary code, escalate privileges, or cause system crashes during filesystem unmount operations. The vulnerability stems from a race condition where background reclaim and inodegc processes continue running while the Active Item List (AIL) is being flushed during unmount, enabling concurrent access to freed memory structures. Patches are available across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0). EPSS score of 0.02% suggests very low probability of mass exploitation, and no active exploitation or public POC is identified at time of analysis.

Technical ContextAI

This vulnerability affects the XFS filesystem's unmount sequence in the Linux kernel, specifically in the xfs_unmount_flush_inodes() function. XFS uses an Active Item List (AIL) to track dirty metadata that needs to be written to disk. During normal operation, background reclaim processes free unused inodes and inodegc (inode garbage collection) workers handle deferred inode operations. The CWE-416 use-after-free condition occurs because the original unmount code pushed the AIL to flush pending operations while background reclaim and inodegc workers were still active. This creates a race where inodegc can dirty and insert new inodes into the AIL during the flush operation, while background reclaim can simultaneously abort and free those same dirty inodes, resulting in dangling pointer access. The affected code path has existed since commit 90c60e16401248a4900f3f9387f563d0178dcf34, impacting kernel versions from 5.9 through 7.0-rc3. The fix reorders the shutdown sequence to stop inodegc and cancel background reclaim before AIL manipulation, ensuring proper sequencing of cleanup operations.

RemediationAI

Update to patched Linux kernel versions: 5.10.253 or later for 5.10.x series, 5.15.203 or later for 5.15.x series, 6.1.168 or later for 6.1.x series, 6.6.131 or later for 6.6.x series, 6.12.80 or later for 6.12.x series, 6.18.21 or later for 6.18.x series, 6.19.11 or later for 6.19.x series, or 7.0 final release. Patches are available from official kernel.org git stable repository at https://git.kernel.org/stable/ with specific commit IDs 558e3275d8a3 (mainline), 239d734c0064 (stable), 4f24a767e3d6 (stable), 8147e304d7d3 (stable), a89434a6188d (stable), bda27fc0b4eb (stable), d38135af04a3 (stable), and e6cc490048f7 (stable). Distribution-specific kernel updates should be obtained through normal vendor channels (RHEL, Ubuntu, SUSE, Debian update mechanisms). Workaround options are limited due to the core filesystem nature of the vulnerability. Organizations unable to patch immediately could consider restricting XFS filesystem unmount capabilities to only trusted privileged users through mount namespace isolation or mandatory access controls, though this does not eliminate risk from legitimate administrative operations. Disabling XFS support entirely and migrating to alternative filesystems (ext4, btrfs) eliminates exposure but carries significant operational overhead and potential data migration risks.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31455 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy