CVE-2026-31453
Received - Intake
Use-After-Free Vulnerability in Linux XFS Log Item Handling

Publication date: 2026-04-22

Last updated on: 2026-05-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

xfs: avoid dereferencing log items after push callbacks

After xfsaild_push_item() calls iop_push(), the log item may have been freed if the AIL lock was dropped during the push. Background inode reclaim or the dquot shrinker can free the log item while the AIL lock is not held, and the tracepoints in the switch statement dereference the log item after iop_push() returns.

Fix this by capturing the log item type, flags, and LSN before calling xfsaild_push_item(), and introducing a new xfs_ail_push_class trace event class that takes these pre-captured values and the ailp pointer instead of the log item pointer.

Meta Information
Published: 2026-04-22
Last Modified: 2026-05-06
Generated: 2026-05-07
AI Q&A: 2026-04-22
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.21 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.11 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.131 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.80 (exc)
linux linux_kernel From 5.9 (inc) to 6.1.168 (exc)
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's XFS filesystem code. Specifically, after the function xfsaild_push_item() calls iop_push(), the log item it references may have been freed if the AIL (Active Item List) lock was dropped during the push operation.

Because background processes like inode reclaim or the dquot shrinker can free the log item while the AIL lock is not held, the code later dereferences this potentially freed log item in tracepoints, leading to use-after-free issues.

The fix involves capturing necessary log item details before the push call and using a new trace event class that references these captured values instead of the possibly freed log item pointer.
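
The fix pattern described above, modelled in user-space C as an added example (not the kernel patch and not code from this page): the type, flags and LSN are copied before the push callback runs, and the trace hook receives only the copies. All struct and function names are hypothetical, and the concurrent reclaim is simulated inline so the run is deterministic.

```c
#include <stdint.h>
#include <stdlib.h>

/* User-space model. Every name here is hypothetical, not a kernel definition. */
struct log_item { unsigned int type; unsigned long flags; int64_t lsn; };
struct push_trace { unsigned int type; unsigned long flags; int64_t lsn; int rc; };

static struct push_trace last_trace;   /* stands in for the trace buffer */

/* Trace hook in the fixed style: takes copied values, never the item pointer. */
static void trace_push(const struct push_trace *t) { last_trace = *t; }

/* Models a push callback that drops the list lock. With reclaim_races set, the
 * item is freed before the callback returns, as a concurrent reclaimer could. */
static int push_item(struct log_item **slot, int reclaim_races)
{
    if (reclaim_races) {
        free(*slot);
        *slot = NULL;
    }
    return 0;   /* constructed "success" code */
}

/* Snapshot type, flags and LSN first; after the push, use only the snapshot. */
struct push_trace push_and_trace(struct log_item **slot, int reclaim_races)
{
    struct log_item *lip = *slot;
    struct push_trace t = { lip->type, lip->flags, lip->lsn, 0 };

    t.rc = push_item(slot, reclaim_races);
    /* The pre-fix shape would read lip->type here: a use-after-free when the
     * item was reclaimed during the push. lip is dead from this point on. */
    trace_push(&t);
    return t;
}

/* Builds a constructed item, pushes it, and returns what the trace recorded. */
struct push_trace run_demo(int reclaim_races)
{
    struct log_item *lip = malloc(sizeof(*lip));
    if (!lip) abort();
    *lip = (struct log_item){ .type = 0x10, .flags = 0x1, .lsn = 42 };
    push_and_trace(&lip, reclaim_races);
    free(lip);   /* NULL if already reclaimed, so this is a no-op then */
    return last_trace;
}

int main(void) { return run_demo(1).lsn == 42 ? 0 : 1; }
```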


How can this vulnerability impact me?

This vulnerability can lead to use-after-free conditions in the Linux kernel's XFS filesystem code, which may cause system instability, crashes, or potential kernel memory corruption.

Such issues could be exploited to cause denial of service or potentially escalate privileges, depending on the context and attacker capabilities.

