Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description requires root/CAP_SYS_ADMIN so PR:H not PR:L; local unmount trigger gives AV:L, and a kernel UAF supports high C/I/A.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
fs/mbcache: cancel shrink work before destroying the cache
mb_cache_destroy() calls shrinker_free() and then frees all cache entries and the cache itself, but it does not cancel the pending c_shrink_work work item first.
If mb_cache_entry_create() schedules c_shrink_work via schedule_work() and the work item is still pending or running when mb_cache_destroy() runs, mb_cache_shrink_worker() will access the cache after its memory has been freed, causing a use-after-free.
This is only reachable by a privileged user (root or CAP_SYS_ADMIN) who can trigger the last put of a mounted ext2/ext4/ocfs2 filesystem.
Cancel the work item with cancel_work_sync() before calling shrinker_free(), ensuring the worker has finished and will not be rescheduled before the cache is torn down.
AnalysisAI
Local privilege-dependent use-after-free in the Linux kernel's fs/mbcache subsystem allows a privileged user (root or CAP_SYS_ADMIN) to trigger memory corruption when unmounting an ext2, ext4, or ocfs2 filesystem. mb_cache_destroy() frees the cache without cancelling the pending c_shrink_work item, so a still-running mb_cache_shrink_worker() accesses freed memory (CWE-416), potentially leading to kernel code execution or crash. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an already-privileged local user (root or CAP_SYS_ADMIN) who can trigger the last put/unmount of a mounted ext2, ext4, or ocfs2 filesystem while c_shrink_work is pending or running - the worker must have been scheduled by prior mb_cache_entry_create activity and still be active during mb_cache_destroy(). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are consistent and point to a real-but-low-urgency hardening fix rather than an actively exploited threat. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local attacker who has already obtained root or CAP_SYS_ADMIN (for example inside a privileged container or via a mount-capable service) repeatedly creates mbcache entries on an ext4/ext2/ocfs2 mount to keep c_shrink_work scheduled, then triggers the final unmount so mb_cache_destroy() races the still-running shrink worker. Winning the race yields a use-after-free on the freed cache object that can crash the kernel or be groomed toward controlled memory corruption. … |
| Remediation | Vendor-released patch: upgrade to a fixed stable kernel - 6.12.91, 6.18.33, 7.0.10, or 7.1 (or your distribution's backported equivalent) - which adds cancel_work_sync() before shrinker_free() in mb_cache_destroy(). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Linux systems using ext2, ext4, or ocfs2 filesystems (via 'mount' or 'df -T' commands) and assess exposure to untrusted privileged users. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-416 – Use After Free
View allSame technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38997
GHSA-76p3-3v32-9xxh