Skip to main content

Linux Kernel EUVDEUVD-2026-38997

| CVE-2026-53129 HIGH
Use After Free (CWE-416)
2026-06-24 Linux GHSA-76p3-3v32-9xxh
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
6.7 MEDIUM

Description requires root/CAP_SYS_ADMIN so PR:H not PR:L; local unmount trigger gives AV:L, and a kernel UAF supports high C/I/A.

3.1 AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 06, 2026 - 15:38 vuln.today
CVSS changed
Jul 06, 2026 - 15:37 NVD
7.8 (HIGH)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:30 nvd
HIGH 7.8
CVE Published
Jun 24, 2026 - 16:30 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

fs/mbcache: cancel shrink work before destroying the cache

mb_cache_destroy() calls shrinker_free() and then frees all cache entries and the cache itself, but it does not cancel the pending c_shrink_work work item first.

If mb_cache_entry_create() schedules c_shrink_work via schedule_work() and the work item is still pending or running when mb_cache_destroy() runs, mb_cache_shrink_worker() will access the cache after its memory has been freed, causing a use-after-free.

This is only reachable by a privileged user (root or CAP_SYS_ADMIN) who can trigger the last put of a mounted ext2/ext4/ocfs2 filesystem.

Cancel the work item with cancel_work_sync() before calling shrinker_free(), ensuring the worker has finished and will not be rescheduled before the cache is torn down.

AnalysisAI

Local privilege-dependent use-after-free in the Linux kernel's fs/mbcache subsystem allows a privileged user (root or CAP_SYS_ADMIN) to trigger memory corruption when unmounting an ext2, ext4, or ocfs2 filesystem. mb_cache_destroy() frees the cache without cancelling the pending c_shrink_work item, so a still-running mb_cache_shrink_worker() accesses freed memory (CWE-416), potentially leading to kernel code execution or crash. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain root/CAP_SYS_ADMIN locally
Delivery
Populate mbcache entries on ext4 mount
Exploit
Keep c_shrink_work scheduled
Install
Trigger final filesystem unmount
C2
Race worker against mb_cache_destroy
Execute
Use-after-free on freed cache
Impact
Kernel corruption or crash

Vulnerability AssessmentAI

Exploitation Exploitation requires an already-privileged local user (root or CAP_SYS_ADMIN) who can trigger the last put/unmount of a mounted ext2, ext4, or ocfs2 filesystem while c_shrink_work is pending or running - the worker must have been scheduled by prior mb_cache_entry_create activity and still be active during mb_cache_destroy(). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are consistent and point to a real-but-low-urgency hardening fix rather than an actively exploited threat. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local attacker who has already obtained root or CAP_SYS_ADMIN (for example inside a privileged container or via a mount-capable service) repeatedly creates mbcache entries on an ext4/ext2/ocfs2 mount to keep c_shrink_work scheduled, then triggers the final unmount so mb_cache_destroy() races the still-running shrink worker. Winning the race yields a use-after-free on the freed cache object that can crash the kernel or be groomed toward controlled memory corruption. …
Remediation Vendor-released patch: upgrade to a fixed stable kernel - 6.12.91, 6.18.33, 7.0.10, or 7.1 (or your distribution's backported equivalent) - which adds cancel_work_sync() before shrinker_free() in mb_cache_destroy(). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Linux systems using ext2, ext4, or ocfs2 filesystems (via 'mount' or 'df -T' commands) and assess exposure to untrusted privileged users. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38997 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy