CVE-2026-23224 Overview
A Use-After-Free (UAF) vulnerability has been identified in the Linux kernel's EROFS (Enhanced Read-Only File System) implementation. The vulnerability affects file-backed mounts when the directio (direct I/O) mount option is enabled, potentially leading to system crashes or kernel panics due to improper memory management during asynchronous I/O operations.
Critical Impact
This UAF vulnerability can cause kernel panics and system instability on Linux systems using EROFS with file-backed mounts and direct I/O, potentially enabling denial of service conditions.
Affected Products
- Linux Kernel with EROFS filesystem support
- Systems using EROFS file-backed mounts with directio option
- Linux distributions with vulnerable kernel versions
Discovery Timeline
- February 18, 2026 - CVE-2026-23224 published to NVD
- February 18, 2026 - Last updated in NVD database
Technical Details for CVE-2026-23224
Vulnerability Analysis
This vulnerability stems from a race condition in the EROFS filesystem's handling of asynchronous direct I/O operations for file-backed mounts. When the directio mount option is enabled, a timing issue occurs between the completion of an I/O request and subsequent file access operations.
The race involves z_erofs_read_folio and the work queue s_dio_done_wq. In the asynchronous I/O submission path through erofs_fileio_rq_submit, vfs_iocb_iter_read calls into ext4_file_read_iter and then iomap_dio_rw, which submits a bio (block I/O) and returns -EIOCBQUEUED. While this asynchronous operation completes in the work queue, the completion handler erofs_fileio_ki_complete() frees the request structure (rq) via kfree(rq). Back in the original submission path, file_accessed() then attempts to access iocb.ki_filp from the now-freed structure, resulting in a Use-After-Free condition with a NULL file pointer dereference.
Root Cause
The root cause is improper lifecycle management of the struct erofs_fileio_rq structure. The request structure containing the I/O control block (iocb) is freed prematurely by the asynchronous completion callback (erofs_fileio_ki_complete()) before the submission path finishes executing. This creates a classic UAF scenario where one execution path frees memory while another path still holds a reference to it.
Attack Vector
The vulnerability is triggered through normal filesystem operations when EROFS is mounted with file-backed storage and the directio mount option. The attack vector involves:
- Mounting an EROFS filesystem with file-backed storage and the directio option
- Triggering read operations that cause asynchronous direct I/O submission
- The race condition between I/O completion and file access creates the UAF condition
The kernel call trace shows the crash path through memory fault handling (do_mem_abort), page fault (do_page_fault), and the EROFS read path (z_erofs_read_folio -> z_erofs_runqueue -> erofs_fileio_submit_bio -> erofs_fileio_rq_submit).
Detection Methods for CVE-2026-23224
Indicators of Compromise
- Kernel panic messages containing erofs_fileio_rq_submit or erofs_fileio_ki_complete in the call trace
- System crashes when accessing files on EROFS file-backed mounts with directio enabled
- Memory fault errors (do_mem_abort, do_translation_fault) associated with EROFS operations
Detection Strategies
- Monitor kernel logs for panic traces involving EROFS filesystem functions
- Implement kernel crash dump analysis to identify UAF patterns in the EROFS I/O path
- Use kernel debugging tools like KASAN (Kernel Address Sanitizer) to detect UAF conditions
Monitoring Recommendations
- Enable kernel crash reporting and analysis for systems using EROFS
- Monitor system stability metrics for unexpected kernel panics
- Implement alerting on EROFS-related error messages in kernel logs
How to Mitigate CVE-2026-23224
Immediate Actions Required
- Apply the kernel patches from the official Linux kernel stable branches
- Temporarily disable the directio mount option for EROFS file-backed mounts until patched
- Plan and schedule kernel updates for affected systems
Patch Information
The fix introduces a reference count mechanism in struct erofs_fileio_rq. The reference count is initialized to two, with both erofs_fileio_ki_complete() and erofs_fileio_rq_submit() decrementing the count. Only when the reference count reaches zero does the request structure get freed, ensuring both paths have completed their operations.
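The two-reference lifetime rule described above, as an added userspace model (not the kernel patch itself): the names model_rq, rq_put, model_ki_complete and model_submit_tail are hypothetical, and the race is replayed deterministically in a single thread with the completion handler finishing before the submitter reads the file pointer.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model: struct and function names are illustrative, not the kernel's. */
struct model_rq {
    atomic_int ref;       /* one reference per path that touches the request */
    const char *ki_filp;  /* stands in for iocb.ki_filp */
};
static int frees;         /* how many requests have been released */

static struct model_rq *rq_alloc(const char *filp)
{
    struct model_rq *rq = malloc(sizeof(*rq));
    if (!rq) abort();
    atomic_init(&rq->ref, 2);  /* submitter + completion handler */
    rq->ki_filp = filp;
    return rq;
}

/* Drop one reference; only the last holder frees. Returns true if it freed. */
static bool rq_put(struct model_rq *rq)
{
    if (atomic_fetch_sub(&rq->ref, 1) != 1)
        return false;
    free(rq);
    frees++;
    return true;
}

/* Completion side (the workqueue callback in the page's trace). */
static bool model_ki_complete(struct model_rq *rq) { return rq_put(rq); }
/* Submission side: reads ki_filp as file_accessed() would, then drops its ref. */
static bool model_submit_tail(struct model_rq *rq, const char **seen)
{
    *seen = rq->ki_filp;  /* safe: the submitter still holds its reference */
    return rq_put(rq);
}

int main(void)
{
    const char *seen = NULL;
    struct model_rq *rq = rq_alloc("backing-file");
    bool by_completion = model_ki_complete(rq);       /* completion wins the race */
    bool by_submitter = model_submit_tail(rq, &seen); /* submitter still reads rq */
    printf("freed by completion=%d submitter=%d frees=%d filp=%s\n",
           by_completion, by_submitter, frees, seen);
    return 0;
}
```

Whichever path drops the last reference performs the free, so the same code is correct when the submitter finishes first.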
Official patches are available from the Linux kernel stable tree:
Workarounds
- Remount EROFS file-backed filesystems without the directio option as a temporary mitigation
- Consider using loop-backed mounts instead of file-backed mounts with directio
- Restrict access to systems where EROFS with directio is critical until patches can be applied
# Temporary workaround: Remount EROFS without directio option
# First, unmount the affected filesystem
umount /mnt/erofs_mount
# Remount without directio option
mount -t erofs -o loop /path/to/erofs.img /mnt/erofs_mount

