Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local low-privilege attacker needs mount/unmount ability (PR:L) and must win a tight teardown race (AC:H); the UAF yields full C/I/A impact within the kernel (S:U).
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
erofs: fix use-after-free on sbi->sync_decompress
z_erofs_decompress_kickoff() can race with filesystem unmount, causing a use-after-free on sbi->sync_decompress.
When I/O completes, z_erofs_endio() calls z_erofs_decompress_kickoff() to queue z_erofs_decompressqueue_work() asynchronously. Then, after all folios are unlocked, unmount workflow can proceed and sbi will be freed before accessing to sbi->sync_decompress.
Thread (unmount) I/O completion kworker queue_work z_erofs_decompressqueue_work (all folios are unlocked) cleanup_mnt .. erofs_kill_sb erofs_sb_free kfree(sbi) access sbi->sync_decompress // UAF!!
AnalysisAI
Use-after-free in the Linux kernel's EROFS filesystem lets a local attacker who can trigger a decompression I/O race during unmount corrupt kernel memory. When z_erofs_decompress_kickoff() queues asynchronous decompression work, a concurrent unmount can free the superblock info (sbi) before the kworker accesses sbi->sync_decompress, producing a CWE-416 use-after-free with high confidentiality, integrity and availability impact (CVSS 7.8). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local access with the ability to drive the EROFS compressed-read path and then unmount that filesystem, so the attacker must be able to mount/read/unmount an EROFS volume - plausible via removable media, loopback images, or container mount namespaces that expose EROFS. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are internally consistent and point to a genuine but not urgent memory-corruption bug. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local attacker able to mount and unmount an EROFS filesystem (for example via a crafted compressed image on removable media or inside a permissive container) issues reads that queue asynchronous decompression work, then races an unmount to free the superblock while the kworker still accesses sbi->sync_decompress. Hitting the window frees and reuses kernel memory, causing corruption that can crash the system or, with heap grooming, potentially escalate privileges. … |
| Remediation | Vendor-released patch: upgrade to a fixed Linux kernel - 6.12.94, 6.18.36, 7.0.13, or 7.1 (or later) - or apply the corresponding stable commits (00bf6868, 1aee05e8, 86ab00cf, 95caf60d) from https://git.kernel.org/stable/ that correct the sbi lifetime handling around z_erofs_decompress_kickoff(). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all Linux systems to identify EROFS filesystem deployment and current kernel versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-416 – Use After Free
View allSame technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39223
GHSA-pc3h-m9mc-v77g