{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31446", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.091Z", "datePublished": "2026-04-22T13:53:42.751Z", "dateUpdated": "2026-04-22T13:53:42.751Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-22T13:53:42.751Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix use-after-free in update_super_work when racing with umount\n\nCommit b98535d09179 (\"ext4: fix bug_on in start_this_handle during umount\nfilesystem\") moved ext4_unregister_sysfs() before flushing s_sb_upd_work\nto prevent new error work from being queued via /proc/fs/ext4/xx/mb_groups\nreads during unmount. However, this introduced a use-after-free because\nupdate_super_work calls ext4_notify_error_sysfs() -> sysfs_notify() which\naccesses the kobject's kernfs_node after it has been freed by kobject_del()\nin ext4_unregister_sysfs():\n\n update_super_work ext4_put_super\n ----------------- --------------\n ext4_unregister_sysfs(sb)\n kobject_del(&sbi->s_kobj)\n __kobject_del()\n sysfs_remove_dir()\n kobj->sd = NULL\n sysfs_put(sd)\n kernfs_put() // RCU free\n ext4_notify_error_sysfs(sbi)\n sysfs_notify(&sbi->s_kobj)\n kn = kobj->sd // stale pointer\n kernfs_get(kn) // UAF on freed kernfs_node\n ext4_journal_destroy()\n flush_work(&sbi->s_sb_upd_work)\n\nInstead of reordering the teardown sequence, fix this by making\next4_notify_error_sysfs() detect that sysfs has already been torn down\nby checking s_kobj.state_in_sysfs, and skipping the sysfs_notify() call\nin that case. A dedicated mutex (s_error_notify_mutex) serializes\next4_notify_error_sysfs() against kobject_del() in ext4_unregister_sysfs()\nto prevent TOCTOU races where the kobject could be deleted between the\nstate_in_sysfs check and the sysfs_notify() call."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/ext4/ext4.h", "fs/ext4/super.c", "fs/ext4/sysfs.c"], "versions": [{"version": "52c3a04f9ec2a16a4204d6274db338cb8d5b2d74", "lessThan": "c8fe17a1b308c3d8c703ebfb049b325f844342c3", "status": "affected", "versionType": "git"}, {"version": "b98535d091795a79336f520b0708457aacf55c67", "lessThan": "c4d829737329f2290dd41e290b7d75effdb2a7ff", "status": "affected", "versionType": "git"}, {"version": "b98535d091795a79336f520b0708457aacf55c67", "lessThan": "9449f99ba04f5dd1c8423ad8a90b3651d7240d1d", "status": "affected", "versionType": "git"}, {"version": "b98535d091795a79336f520b0708457aacf55c67", "lessThan": "034053378dd81837fd6c7a43b37ee2e58d4f0b4e", "status": "affected", "versionType": "git"}, {"version": "b98535d091795a79336f520b0708457aacf55c67", "lessThan": "c97e282f7bfd0c3554c63d289964a5ca6a1d2ffe", "status": "affected", "versionType": "git"}, {"version": "b98535d091795a79336f520b0708457aacf55c67", "lessThan": "08b10e6f37fc533a759e9833af0692242e8b3f93", "status": "affected", "versionType": "git"}, {"version": "b98535d091795a79336f520b0708457aacf55c67", "lessThan": "d15e4b0a418537aafa56b2cb80d44add83e83697", "status": "affected", "versionType": "git"}, {"version": "585ef03c9e79672781f954daae730dfe24bf3a46", "status": "affected", "versionType": "git"}, {"version": "afe490e48d47df1b3f64012835c1bc2f075a8c8b", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/ext4/ext4.h", "fs/ext4/super.c", "fs/ext4/sysfs.c"], "versions": [{"version": "5.18", "status": "affected"}, {"version": "0", "lessThan": "5.18", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.168", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.131", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.80", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.38", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.1.168"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.6.131"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.12.80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "7.0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10.114"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.17.6"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/c8fe17a1b308c3d8c703ebfb049b325f844342c3"}, {"url": "https://git.kernel.org/stable/c/c4d829737329f2290dd41e290b7d75effdb2a7ff"}, {"url": "https://git.kernel.org/stable/c/9449f99ba04f5dd1c8423ad8a90b3651d7240d1d"}, {"url": "https://git.kernel.org/stable/c/034053378dd81837fd6c7a43b37ee2e58d4f0b4e"}, {"url": "https://git.kernel.org/stable/c/c97e282f7bfd0c3554c63d289964a5ca6a1d2ffe"}, {"url": "https://git.kernel.org/stable/c/08b10e6f37fc533a759e9833af0692242e8b3f93"}, {"url": "https://git.kernel.org/stable/c/d15e4b0a418537aafa56b2cb80d44add83e83697"}], "title": "ext4: fix use-after-free in update_super_work when racing with umount", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix use-after-free in update_super_work when racing with umount\n\nCommit b98535d09179 (\"ext4: fix bug_on in start_this_handle during umount\nfilesystem\") moved ext4_unregister_sysfs() before flushing s_sb_upd_work\nto prevent new error work from being queued via /proc/fs/ext4/xx/mb_groups\nreads during unmount. However, this introduced a use-after-free because\nupdate_super_work calls ext4_notify_error_sysfs() -> sysfs_notify() which\naccesses the kobject's kernfs_node after it has been freed by kobject_del()\nin ext4_unregister_sysfs():\n\n update_super_work ext4_put_super\n ----------------- --------------\n ext4_unregister_sysfs(sb)\n kobject_del(&sbi->s_kobj)\n __kobject_del()\n sysfs_remove_dir()\n kobj->sd = NULL\n sysfs_put(sd)\n kernfs_put() // RCU free\n ext4_notify_error_sysfs(sbi)\n sysfs_notify(&sbi->s_kobj)\n kn = kobj->sd // stale pointer\n kernfs_get(kn) // UAF on freed kernfs_node\n ext4_journal_destroy()\n flush_work(&sbi->s_sb_upd_work)\n\nInstead of reordering the teardown sequence, fix this by making\next4_notify_error_sysfs() detect that sysfs has already been torn down\nby checking s_kobj.state_in_sysfs, and skipping the sysfs_notify() call\nin that case. A dedicated mutex (s_error_notify_mutex) serializes\next4_notify_error_sysfs() against kobject_del() in ext4_unregister_sysfs()\nto prevent TOCTOU races where the kobject could be deleted between the\nstate_in_sysfs check and the sysfs_notify() call."}], "id": "CVE-2026-31446", "lastModified": "2026-04-22T14:16:38.340", "metrics": {}, "published": "2026-04-22T14:16:38.340", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/034053378dd81837fd6c7a43b37ee2e58d4f0b4e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/08b10e6f37fc533a759e9833af0692242e8b3f93"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9449f99ba04f5dd1c8423ad8a90b3651d7240d1d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c4d829737329f2290dd41e290b7d75effdb2a7ff"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c8fe17a1b308c3d8c703ebfb049b325f844342c3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c97e282f7bfd0c3554c63d289964a5ca6a1d2ffe"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d15e4b0a418537aafa56b2cb80d44add83e83697"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[52c3a04f9ec2a16a4204d6274db338cb8d5b2d74,c8fe17a1b308c3d8c703ebfb049b325f844342c3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b98535d091795a79336f520b0708457aacf55c67,c4d829737329f2290dd41e290b7d75effdb2a7ff)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b98535d091795a79336f520b0708457aacf55c67,9449f99ba04f5dd1c8423ad8a90b3651d7240d1d)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b98535d091795a79336f520b0708457aacf55c67,034053378dd81837fd6c7a43b37ee2e58d4f0b4e)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b98535d091795a79336f520b0708457aacf55c67,c97e282f7bfd0c3554c63d289964a5ca6a1d2ffe)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b98535d091795a79336f520b0708457aacf55c67,08b10e6f37fc533a759e9833af0692242e8b3f93)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b98535d091795a79336f520b0708457aacf55c67,d15e4b0a418537aafa56b2cb80d44add83e83697)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "585ef03c9e79672781f954daae730dfe24bf3a46"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "afe490e48d47df1b3f64012835c1bc2f075a8c8b"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.18"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,5.18)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.15.203,5.16.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.168,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.131,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.80,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.21,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.11,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-22T19:12:07.325647+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a version that includes the ext4 use\u2011after\u2011free fix; this is the official solution offered by the kernel developers.", "Reboot the system after installing the patched kernel to ensure the new image is active. ", "When operating critical filesystems, avoid performing unmount operations during periods of high error activity; schedule maintenance windows to mitigate the race condition."], "summary": {"action": "Immediate Patch", "impact": "Memory Corruption"}, "threat_synthesis": {"affected_systems": "All Linux kernel deployments that use the ext4 filesystem and have not yet incorporated the fix are affected. No specific version ranges are listed in the advisory, but the issue was addressed in a recent kernel commit, so all older kernel releases prior to that commit remain vulnerable.", "description_and_impact": "The vulnerability is a use\u2011after\u2011free in the ext4 filesystem driver that can occur when an unmount races with a background \"update_super_work\" job. The faulty race allows the kernel to dereference a freed kobject, potentially corrupting memory and resulting in a crash or, in the worst case, an elevation of privilege or arbitrary code execution within the kernel. This weakness is identified as CWE\u2011416.", "risk_and_exploitability": "The CVSS score is not provided, and the EPSS score is unavailable, so the likelihood of exploitation cannot be quantified from the available data. The flaw is a kernel\u2011level use\u2011after\u2011free, which grants an attacker the potential for high impact if successfully exploited. The attack vector requires a local race condition between unmounting an ext4 filesystem and the background update job, so remote exploitation is unlikely without additional context. The vulnerability is not listed in the CISA KEV catalog, indicating no publicly known exploits as of this analysis."}}}}, "created": "2026-04-22T16:45:21.255464+00:00", "updated": "2026-04-22T19:15:24.484060+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-416"]}