{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-31446","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-03-09T15:48:24.091Z","datePublished":"2026-04-22T13:53:42.751Z","dateUpdated":"2026-05-11T22:08:51.921Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:08:51.921Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix use-after-free in update_super_work when racing with umount\n\nCommit b98535d09179 (\"ext4: fix bug_on in start_this_handle during umount\nfilesystem\") moved ext4_unregister_sysfs() before flushing s_sb_upd_work\nto prevent new error work from being queued via /proc/fs/ext4/xx/mb_groups\nreads during unmount. However, this introduced a use-after-free because\nupdate_super_work calls ext4_notify_error_sysfs() -> sysfs_notify() which\naccesses the kobject's kernfs_node after it has been freed by kobject_del()\nin ext4_unregister_sysfs():\n\n  update_super_work                ext4_put_super\n  -----------------                --------------\n                                   ext4_unregister_sysfs(sb)\n                                     kobject_del(&sbi->s_kobj)\n                                       __kobject_del()\n                                         sysfs_remove_dir()\n                                           kobj->sd = NULL\n                                         sysfs_put(sd)\n                                           kernfs_put()  // RCU free\n  ext4_notify_error_sysfs(sbi)\n    sysfs_notify(&sbi->s_kobj)\n      kn = kobj->sd              // stale pointer\n      kernfs_get(kn)             // UAF on freed kernfs_node\n                                   ext4_journal_destroy()\n                                     flush_work(&sbi->s_sb_upd_work)\n\nInstead of reordering the teardown sequence, fix this by making\next4_notify_error_sysfs() detect that sysfs has already been torn down\nby checking s_kobj.state_in_sysfs, and skipping the sysfs_notify() call\nin that case. A dedicated mutex (s_error_notify_mutex) serializes\next4_notify_error_sysfs() against kobject_del() in ext4_unregister_sysfs()\nto prevent TOCTOU races where the kobject could be deleted between the\nstate_in_sysfs check and the sysfs_notify() call."}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/ext4/ext4.h","fs/ext4/super.c","fs/ext4/sysfs.c"],"versions":[{"version":"52c3a04f9ec2a16a4204d6274db338cb8d5b2d74","lessThan":"c8fe17a1b308c3d8c703ebfb049b325f844342c3","status":"affected","versionType":"git"},{"version":"b98535d091795a79336f520b0708457aacf55c67","lessThan":"c4d829737329f2290dd41e290b7d75effdb2a7ff","status":"affected","versionType":"git"},{"version":"b98535d091795a79336f520b0708457aacf55c67","lessThan":"9449f99ba04f5dd1c8423ad8a90b3651d7240d1d","status":"affected","versionType":"git"},{"version":"b98535d091795a79336f520b0708457aacf55c67","lessThan":"034053378dd81837fd6c7a43b37ee2e58d4f0b4e","status":"affected","versionType":"git"},{"version":"b98535d091795a79336f520b0708457aacf55c67","lessThan":"c97e282f7bfd0c3554c63d289964a5ca6a1d2ffe","status":"affected","versionType":"git"},{"version":"b98535d091795a79336f520b0708457aacf55c67","lessThan":"08b10e6f37fc533a759e9833af0692242e8b3f93","status":"affected","versionType":"git"},{"version":"b98535d091795a79336f520b0708457aacf55c67","lessThan":"d15e4b0a418537aafa56b2cb80d44add83e83697","status":"affected","versionType":"git"},{"version":"585ef03c9e79672781f954daae730dfe24bf3a46","status":"affected","versionType":"git"},{"version":"afe490e48d47df1b3f64012835c1bc2f075a8c8b","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/ext4/ext4.h","fs/ext4/super.c","fs/ext4/sysfs.c"],"versions":[{"version":"5.18","status":"affected"},{"version":"0","lessThan":"5.18","status":"unaffected","versionType":"semver"},{"version":"5.15.203","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.168","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.131","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.80","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.21","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.11","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.38","versionEndExcluding":"5.15.203"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18","versionEndExcluding":"6.1.168"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18","versionEndExcluding":"6.6.131"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18","versionEndExcluding":"6.12.80"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18","versionEndExcluding":"6.18.21"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18","versionEndExcluding":"6.19.11"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18","versionEndExcluding":"7.0"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.114"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.17.6"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/c8fe17a1b308c3d8c703ebfb049b325f844342c3"},{"url":"https://git.kernel.org/stable/c/c4d829737329f2290dd41e290b7d75effdb2a7ff"},{"url":"https://git.kernel.org/stable/c/9449f99ba04f5dd1c8423ad8a90b3651d7240d1d"},{"url":"https://git.kernel.org/stable/c/034053378dd81837fd6c7a43b37ee2e58d4f0b4e"},{"url":"https://git.kernel.org/stable/c/c97e282f7bfd0c3554c63d289964a5ca6a1d2ffe"},{"url":"https://git.kernel.org/stable/c/08b10e6f37fc533a759e9833af0692242e8b3f93"},{"url":"https://git.kernel.org/stable/c/d15e4b0a418537aafa56b2cb80d44add83e83697"}],"title":"ext4: fix use-after-free in update_super_work when racing with umount","x_generator":{"engine":"bippy-1.2.0"}}}}