CVE-2026-31446
Analyzed Analyzed - Analysis Complete
Use-After-Free in Linux ext4 sysfs Notification During Unmount

Publication date: 2026-04-22

Last updated on: 2026-05-07

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: ext4: fix use-after-free in update_super_work when racing with umount Commit b98535d09179 ("ext4: fix bug_on in start_this_handle during umount filesystem") moved ext4_unregister_sysfs() before flushing s_sb_upd_work to prevent new error work from being queued via /proc/fs/ext4/xx/mb_groups reads during unmount. However, this introduced a use-after-free because update_super_work calls ext4_notify_error_sysfs() -> sysfs_notify() which accesses the kobject's kernfs_node after it has been freed by kobject_del() in ext4_unregister_sysfs(): update_super_work ext4_put_super ----------------- -------------- ext4_unregister_sysfs(sb) kobject_del(&sbi->s_kobj) __kobject_del() sysfs_remove_dir() kobj->sd = NULL sysfs_put(sd) kernfs_put() // RCU free ext4_notify_error_sysfs(sbi) sysfs_notify(&sbi->s_kobj) kn = kobj->sd // stale pointer kernfs_get(kn) // UAF on freed kernfs_node ext4_journal_destroy() flush_work(&sbi->s_sb_upd_work) Instead of reordering the teardown sequence, fix this by making ext4_notify_error_sysfs() detect that sysfs has already been torn down by checking s_kobj.state_in_sysfs, and skipping the sysfs_notify() call in that case. A dedicated mutex (s_error_notify_mutex) serializes ext4_notify_error_sysfs() against kobject_del() in ext4_unregister_sysfs() to prevent TOCTOU races where the kobject could be deleted between the state_in_sysfs check and the sysfs_notify() call.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-05-07
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31446
EUVD
EUVD-2026-24781
Affected Vendors & Products
Showing 19 associated CPEs
Vendor Product Version / Range
linux linux_kernel 5.18
linux linux_kernel 5.18
linux linux_kernel 5.18
linux linux_kernel 5.18
linux linux_kernel 5.18
linux linux_kernel 5.18
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.21 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.11 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.131 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.80 (exc)
linux linux_kernel From 5.10.114 (inc) to 5.11 (exc)
linux linux_kernel From 5.15.38 (inc) to 5.15.203 (exc)
linux linux_kernel From 5.17.6 (inc) to 5.18 (exc)
linux linux_kernel From 5.18.1 (inc) to 6.1.168 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This use-after-free vulnerability can lead to undefined behavior in the kernel, such as system crashes, memory corruption, or potential escalation of privileges if exploited. Because it involves accessing freed memory, it could be leveraged by an attacker to execute arbitrary code within the kernel context or cause denial of service by crashing the system.

Executive Summary

This vulnerability is a use-after-free bug in the Linux kernel's ext4 filesystem code. It occurs during the unmount process when the system tries to update the superblock work while racing with the unmount operation. Specifically, a function called update_super_work calls ext4_notify_error_sysfs(), which in turn calls sysfs_notify() that accesses a kernel object (kobject) that has already been freed. This happens because ext4_unregister_sysfs() deletes the kobject before the notification, leading to a stale pointer dereference and use-after-free condition.

The fix involves adding a check in ext4_notify_error_sysfs() to detect if the sysfs has already been torn down and skipping the notification call if so. Additionally, a mutex is used to serialize access and prevent race conditions where the kobject could be deleted between the check and the notification call.

Mitigation Strategies

This vulnerability is a use-after-free bug in the ext4 filesystem code of the Linux kernel related to unmount operations. To mitigate this vulnerability, the best immediate step is to update your Linux kernel to a version that includes the fix described.

The fix involves changes to the ext4_notify_error_sysfs() function to avoid accessing freed memory during unmount, so applying the patch or upgrading to a kernel version released after 2026-04-22 that contains this fix will prevent exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31446. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart