{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-22995","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-01-13T15:37:45.938Z","datePublished":"2026-01-23T15:24:15.684Z","dateUpdated":"2026-05-11T21:57:58.095Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:57:58.095Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nublk: fix use-after-free in ublk_partition_scan_work\n\nA race condition exists between the async partition scan work and device\nteardown that can lead to a use-after-free of ub->ub_disk:\n\n1. ublk_ctrl_start_dev() schedules partition_scan_work after add_disk()\n2. ublk_stop_dev() calls ublk_stop_dev_unlocked() which does:\n   - del_gendisk(ub->ub_disk)\n   - ublk_detach_disk() sets ub->ub_disk = NULL\n   - put_disk() which may free the disk\n3. The worker ublk_partition_scan_work() then dereferences ub->ub_disk\n   leading to UAF\n\nFix this by using ublk_get_disk()/ublk_put_disk() in the worker to hold\na reference to the disk during the partition scan. The spinlock in\nublk_get_disk() synchronizes with ublk_detach_disk() ensuring the worker\neither gets a valid reference or sees NULL and exits early.\n\nAlso change flush_work() to cancel_work_sync() to avoid running the\npartition scan work unnecessarily when the disk is already detached."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/block/ublk_drv.c"],"versions":[{"version":"63dfbcd59b4b823eac4441efff10b1c303c8f49f","lessThan":"72e28774e9644c2bdbb4920842fbf77103a15a85","status":"affected","versionType":"git"},{"version":"7fc4da6a304bdcd3de14fc946dc2c19437a9cc5a","lessThan":"f0d385f6689f37a2828c686fb279121df006b4cb","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/block/ublk_drv.c"],"versions":[{"version":"6.18.4","lessThan":"6.18.6","status":"affected","versionType":"semver"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.18.4","versionEndExcluding":"6.18.6"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/72e28774e9644c2bdbb4920842fbf77103a15a85"},{"url":"https://git.kernel.org/stable/c/f0d385f6689f37a2828c686fb279121df006b4cb"}],"title":"ublk: fix use-after-free in ublk_partition_scan_work","x_generator":{"engine":"bippy-1.2.0"}}}}