Skip to main content

Linux Kernel EUVDEUVD-2026-25479

| CVE-2026-31586 HIGH
Use After Free (CWE-416)
2026-04-24 Linux GHSA-x7q8-xcw2-7mfg
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 28, 2026 - 20:53 vuln.today
cvss_changed
Patch released
Apr 28, 2026 - 20:45 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 15:31 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
7.8 (HIGH)
Patch available
Apr 24, 2026 - 16:16 EUVD
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25479
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:42 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

mm: blk-cgroup: fix use-after-free in cgwb_release_workfn()

cgwb_release_workfn() calls css_put(wb->blkcg_css) and then later accesses wb->blkcg_css again via blkcg_unpin_online(). If css_put() drops the last reference, the blkcg can be freed asynchronously (css_free_rwork_fn -> blkcg_css_free -> kfree) before blkcg_unpin_online() dereferences the pointer to access blkcg->online_pin, resulting in a use-after-free:

BUG: KASAN: slab-use-after-free in blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367) Write of size 4 at addr ff11000117aa6160 by task kworker/71:1/531 Workqueue: cgwb_release cgwb_release_workfn Call Trace: <TASK> blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367) cgwb_release_workfn (mm/backing-dev.c:629) process_scheduled_works (kernel/workqueue.c:3278 kernel/workqueue.c:3385)

Freed by task 1016: kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6246 mm/slub.c:6561) css_free_rwork_fn (kernel/cgroup/cgroup.c:5542) process_scheduled_works (kernel/workqueue.c:3302 kernel/workqueue.c:3385)

** Stack based on commit 66672af7a095 ("Add linux-next specific files for 20260410")

I am seeing this crash sporadically in Meta fleet across multiple kernel versions. A full reproducer is available at: https://github.com/leitao/debug/blob/main/reproducers/repro_blkcg_uaf.sh

(The race window is narrow. To make it easily reproducible, inject a msleep(100) between css_put() and blkcg_unpin_online() in cgwb_release_workfn(). With that delay and a KASAN-enabled kernel, the reproducer triggers the splat reliably in less than a second.)

Fix this by moving blkcg_unpin_online() before css_put(), so the cgwb's CSS reference keeps the blkcg alive while blkcg_unpin_online() accesses it.

AnalysisAI

Use-after-free in Linux kernel blk-cgroup subsystem allows local authenticated users to potentially execute arbitrary code, escalate privileges, or crash the system. The vulnerability occurs in cgwb_release_workfn() when releasing cgroup writeback structures, where a CSS reference is dropped before subsequent dereference, creating a race condition. Meta reports sporadic crashes in production across multiple kernel versions. Patches available for stable branches 6.12.83, 6.18.24, 6.19.14, and 7.0.1. EPSS score of 0.02% suggests low widespread exploitation probability, and no active exploitation or public POC identified at time of analysis.

Technical ContextAI

This vulnerability affects the Linux kernel's block layer cgroup (blk-cgroup) writeback mechanism, specifically in the memory management subsystem. When a cgroup writeback structure (cgwb) is released via workqueue processing, the cgwb_release_workfn() function incorrectly orders operations: it calls css_put() to drop a reference on wb->blkcg_css, then later calls blkcg_unpin_online() which dereferences the same CSS pointer to access blkcg->online_pin. If css_put() releases the last reference, the CSS free path (css_free_rwork_fn -> blkcg_css_free -> kfree) can execute asynchronously and free the blkcg structure before blkcg_unpin_online() accesses it, creating a classic use-after-free condition. The vulnerability involves kernel workqueue processing, reference counting mechanisms (refcount.h), and KASAN-detectable memory corruption. The race window is narrow under normal conditions but reproducible with artificial delays, indicating timing-dependent exploitation.

RemediationAI

Upgrade to patched Linux kernel versions: 6.12.83 or later for 6.12.x branch (https://git.kernel.org/stable/c/67cb119d32f35e32acd0393bbeb318b2bb1fdafe), 6.18.24 or later for 6.18.x branch (https://git.kernel.org/stable/c/ea3af09eb87d8f8708c66747fcf1a2762902e839), 6.19.14 or later for 6.19.x branch (https://git.kernel.org/stable/c/dfc8292a1d6782c76b626315605e0585a5a18447), or 7.0.1 or later for 7.0.x branch (https://git.kernel.org/stable/c/50879a3c1faf06e661090015d59e2127255cff27). For environments unable to patch immediately, consider disabling cgroup writeback functionality if not operationally required by setting cgroup_disable=blkio kernel boot parameter, though this will prevent block I/O accounting and throttling in cgroups with operational impact on container resource management. Alternatively, disable cgroup v2 entirely via cgroup_no_v1=all if legacy cgroup v1 is sufficient, but this breaks systemd and modern container runtime dependencies. Monitor kernel logs for KASAN use-after-free alerts or cgwb_release_workfn crashes as indicators of exploitation attempts. No effective runtime mitigation exists without functional trade-offs.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-25479 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy