CVE-2026-31454
Use-After-Free in Linux Kernel XFS Log Item Handling
Publication date: 2026-04-22
Last updated on: 2026-05-06
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | From 5.11 (inc) to 5.15.203 (exc) |
| linux | linux_kernel | From 5.16 (inc) to 6.1.168 (exc) |
| linux | linux_kernel | From 6.13 (inc) to 6.18.21 (exc) |
| linux | linux_kernel | From 6.19 (inc) to 6.19.11 (exc) |
| linux | linux_kernel | From 6.2 (inc) to 6.6.131 (exc) |
| linux | linux_kernel | From 6.7 (inc) to 6.12.80 (exc) |
| linux | linux_kernel | From 5.9 (inc) to 5.10.253 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's XFS filesystem code. Specifically, in the functions xfs_inode_item_push() and xfs_qm_dquot_logitem_push(), a lock called the AIL lock is dropped to perform buffer IO operations. After dropping this lock, the log item that was protected by the buffer may be freed by background processes. However, the code later attempts to access a pointer (li_ailp) that may have already been freed, leading to a use-after-free condition.
The issue is fixed by saving the pointer to the AIL (ailp) in a local variable while the AIL lock is still held, ensuring the log item remains valid during access and preventing the use-after-free.
How can this vulnerability impact me? :
This vulnerability can lead to a use-after-free condition in the Linux kernel's XFS filesystem code. Such a condition may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or escalate privileges if exploited.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is resolved by a fix in the Linux kernel that saves the ailp pointer in a local variable while the AIL lock is held, preventing use-after-free errors. To mitigate this vulnerability immediately, you should update your Linux kernel to the latest version that includes this fix.