CVE-2026-31446
Received Received - Intake
Use-After-Free in Linux ext4 sysfs Notification During Unmount

Publication date: 2026-04-22

Last updated on: 2026-04-27

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: ext4: fix use-after-free in update_super_work when racing with umount Commit b98535d09179 ("ext4: fix bug_on in start_this_handle during umount filesystem") moved ext4_unregister_sysfs() before flushing s_sb_upd_work to prevent new error work from being queued via /proc/fs/ext4/xx/mb_groups reads during unmount. However, this introduced a use-after-free because update_super_work calls ext4_notify_error_sysfs() -> sysfs_notify() which accesses the kobject's kernfs_node after it has been freed by kobject_del() in ext4_unregister_sysfs(): update_super_work ext4_put_super ----------------- -------------- ext4_unregister_sysfs(sb) kobject_del(&sbi->s_kobj) __kobject_del() sysfs_remove_dir() kobj->sd = NULL sysfs_put(sd) kernfs_put() // RCU free ext4_notify_error_sysfs(sbi) sysfs_notify(&sbi->s_kobj) kn = kobj->sd // stale pointer kernfs_get(kn) // UAF on freed kernfs_node ext4_journal_destroy() flush_work(&sbi->s_sb_upd_work) Instead of reordering the teardown sequence, fix this by making ext4_notify_error_sysfs() detect that sysfs has already been torn down by checking s_kobj.state_in_sysfs, and skipping the sysfs_notify() call in that case. A dedicated mutex (s_error_notify_mutex) serializes ext4_notify_error_sysfs() against kobject_del() in ext4_unregister_sysfs() to prevent TOCTOU races where the kobject could be deleted between the state_in_sysfs check and the sysfs_notify() call.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-04-27
Generated
2026-05-07
AI Q&A
2026-04-22
EPSS Evaluated
2026-05-05
NVD
CVE-2026-31446
EUVD
EUVD-2026-24781
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :

This use-after-free vulnerability can lead to undefined behavior in the kernel, such as system crashes, memory corruption, or potential escalation of privileges if exploited. Because it involves accessing freed memory, it could be leveraged by an attacker to execute arbitrary code within the kernel context or cause denial of service by crashing the system.


Can you explain this vulnerability to me?

This vulnerability is a use-after-free bug in the Linux kernel's ext4 filesystem code. It occurs during the unmount process when the system tries to update the superblock work while racing with the unmount operation. Specifically, a function called update_super_work calls ext4_notify_error_sysfs(), which in turn calls sysfs_notify() that accesses a kernel object (kobject) that has already been freed. This happens because ext4_unregister_sysfs() deletes the kobject before the notification, leading to a stale pointer dereference and use-after-free condition.

The fix involves adding a check in ext4_notify_error_sysfs() to detect if the sysfs has already been torn down and skipping the notification call if so. Additionally, a mutex is used to serialize access and prevent race conditions where the kobject could be deleted between the check and the notification call.


What immediate steps should I take to mitigate this vulnerability?

This vulnerability is a use-after-free bug in the ext4 filesystem code of the Linux kernel related to unmount operations. To mitigate this vulnerability, the best immediate step is to update your Linux kernel to a version that includes the fix described.

The fix involves changes to the ext4_notify_error_sysfs() function to avoid accessing freed memory during unmount, so applying the patch or upgrading to a kernel version released after 2026-04-22 that contains this fix will prevent exploitation.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart