Skip to main content

Linux Kernel EUVDEUVD-2026-24793

| CVE-2026-31454 HIGH
Use After Free (CWE-416)
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-r4xh-pf27-fwp5
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
Apr 27, 2026 - 14:28 vuln.today
CVSS changed
Apr 27, 2026 - 14:22 NVD
7.8 (HIGH)
Patch released
Apr 27, 2026 - 14:16 nvd
Patch available
Patch available
Apr 22, 2026 - 16:02 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24793
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

xfs: save ailp before dropping the AIL lock in push callbacks

In xfs_inode_item_push() and xfs_qm_dquot_logitem_push(), the AIL lock is dropped to perform buffer IO. Once the cluster buffer no longer protects the log item from reclaim, the log item may be freed by background reclaim or the dquot shrinker. The subsequent spin_lock() call dereferences lip->li_ailp, which is a use-after-free.

Fix this by saving the ailp pointer in a local variable while the AIL lock is held and the log item is guaranteed to be valid.

AnalysisAI

Use-after-free in Linux Kernel XFS file system allows local authenticated users to execute arbitrary code, escalate privileges, or cause denial of service. The vulnerability affects XFS implementations from kernel 5.9 onward due to improper handling of Active Item List (AIL) pointers when performing buffer I/O in inode and quota push callbacks. With EPSS exploitation probability at 0.02% and no confirmed active exploitation, this represents a moderate real-world risk limited by local access requirements and low attack complexity. Patches are available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, and 7.0).

Technical ContextAI

This vulnerability exists in the XFS filesystem's Active Item List (AIL) management code, specifically in the push callback functions (xfs_inode_item_push and xfs_qm_dquot_logitem_push). The AIL is XFS's mechanism for tracking dirty metadata items that need to be written to disk. When these push callbacks drop the AIL spinlock to perform buffer I/O operations, they create a window where background reclaim processes or the dquot shrinker can free the log item structure. The subsequent code attempts to reacquire the lock by dereferencing lip->li_ailp (the AIL pointer stored in the freed log item), resulting in a classic use-after-free condition. This race condition was introduced in commit 90c60e16401248a4900f3f9387f563d0178dcf34 and affects all XFS-enabled kernels from version 5.9 onwards. The vulnerability stems from insufficient lifetime management of kernel heap objects during concurrent access scenarios typical in filesystem metadata operations.

RemediationAI

Upgrade to patched Linux kernel versions: 5.10.253+ for 5.10.x branch, 5.15.203+ for 5.15.x, 6.1.168+ for 6.1.x, 6.6.131+ for 6.6.x, 6.12.80+ for 6.12.x, 6.18.21+ for 6.18.x, 6.19.11+ for 6.19.x, or 7.0+ for mainline. Patches available from distribution vendors (Red Hat, Ubuntu, SUSE, Debian) through standard update channels. For systems unable to immediately patch, migrate critical data from XFS filesystems to ext4 or btrfs as a temporary workaround, though this involves downtime and operational complexity. Alternatively, restrict local user access on systems running XFS to trusted administrators only, reducing attack surface but not eliminating risk. Kernel live-patching solutions (kpatch, kGraft, Livepatch) can apply fixes without reboot for supported distributions. No configuration changes or XFS mount options mitigate this vulnerability - only code-level patching resolves the race condition. Verify patch application by checking kernel version with 'uname -r' and confirming fix commit presence with 'git log' on kernel source trees.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-24793 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy