CVE-2026-31446 Overview
CVE-2026-31446 is a use-after-free vulnerability [CWE-416] in the Linux kernel's ext4 filesystem. The flaw exists in update_super_work and triggers when the work item races with filesystem unmount. A previous fix (commit b98535d09179) reordered teardown by moving ext4_unregister_sysfs() before flushing s_sb_upd_work, which introduced this regression. The work item calls ext4_notify_error_sysfs() -> sysfs_notify(), which dereferences the kobject's kernfs_node after kobject_del() has already freed it. A local attacker with the ability to trigger ext4 error reporting during unmount can corrupt kernel memory.
Critical Impact
Local exploitation can lead to kernel memory corruption, denial of service, or potential privilege escalation through use-after-free of a freed kernfs_node.
Affected Products
- Linux Kernel (multiple stable branches including 5.18 and 7.0 release candidates)
- Distributions shipping ext4 with the b98535d09179 backport
- Systems exposing /proc/fs/ext4/<dev>/mb_groups to unprivileged readers
Discovery Timeline
- 2026-04-22 - CVE-2026-31446 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-31446
Vulnerability Analysis
The vulnerability lives in the ext4 superblock teardown path. When ext4_put_super() runs, it calls ext4_unregister_sysfs(), which invokes kobject_del() on sbi->s_kobj. That call clears kobj->sd and releases the backing kernfs_node via sysfs_put() and an RCU-deferred kernfs_put(). Concurrently, the pending update_super_work item may still execute and call ext4_notify_error_sysfs(), which invokes sysfs_notify(&sbi->s_kobj). Inside sysfs_notify(), the code reads the now-stale kobj->sd pointer and calls kernfs_get() on freed memory.
Root Cause
The root cause is an ordering and synchronization defect between the workqueue flush and sysfs teardown. The earlier fix prevented new error work from being queued during reads of mb_groups, but it left already-queued work running against a partially destroyed kobject. No mutex serialized the state_in_sysfs state against kobject_del(). The upstream remediation adds a dedicated s_error_notify_mutex and makes ext4_notify_error_sysfs() check s_kobj.state_in_sysfs before calling sysfs_notify().
Attack Vector
Exploitation requires local access and the ability to influence ext4 to schedule error work while the filesystem is being unmounted. The CVSS vector indicates user interaction is required, consistent with triggering mount/unmount cycles or filesystem errors. A successful race produces a write to freed kernel slab memory, enabling denial of service or potential escalation when the freed object is reallocated under attacker influence.
Verified exploit code is not publicly available. See the upstream patches referenced in the vendor advisories for the precise call sequence and fix.
Detection Methods for CVE-2026-31446
Indicators of Compromise
- Kernel oops or KASAN reports referencing use-after-free in sysfs_notify, kernfs_get, or ext4_notify_error_sysfs
- Unexpected kernel panics during ext4 filesystem unmount operations
- Repeated forced unmounts correlated with ext4 error injection or heavy mb_groups reads
Detection Strategies
- Enable KASAN (Kernel Address Sanitizer) on test and pre-production hosts to surface use-after-free conditions in the ext4 teardown path
- Audit kernel logs (dmesg, journalctl -k) for stack traces involving update_super_work, ext4_notify_error_sysfs, and kernfs_node
- Track running kernel versions against the fixed commits to identify unpatched assets at scale
Monitoring Recommendations
- Forward kernel crash and oops events to a centralized log platform for correlation across hosts
- Alert on repeated ext4 unmount failures or filesystem error notifications coinciding with privilege boundary crossings
- Monitor for unexpected loading of filesystems by unprivileged users via unshare or user namespaces
How to Mitigate CVE-2026-31446
Immediate Actions Required
- Apply the upstream kernel patches referenced in the kernel.org commit list and rebuild affected kernels
- Update to a distribution kernel that includes the s_error_notify_mutex fix once available from your vendor
- Inventory hosts running affected 5.18 and 7.0-rc kernel builds and prioritize patching multi-tenant systems
Patch Information
The Linux kernel maintainers published fixes across multiple stable branches. The remediation adds a s_error_notify_mutex and a state_in_sysfs check in ext4_notify_error_sysfs() to serialize against kobject_del(). Review the patch series at Kernel commit c4d8297, Kernel commit 0340533, Kernel commit 08b10e6, Kernel commit 9449f99, Kernel commit c8fe17a, Kernel commit c97e282, and Kernel commit d15e4b0.
Workarounds
- Restrict unprivileged access to mount and unmount operations by disabling user namespaces where not required
- Limit read access to /proc/fs/ext4/*/mb_groups to root-only by tightening procfs permissions
- Avoid frequent ext4 mount/unmount cycles on shared multi-tenant hosts until patches are deployed
# Verify the running kernel version and check for the fixed commit
uname -r
# Restrict access to ext4 sysfs/proc entries (review impact before applying)
chmod 0400 /proc/fs/ext4/*/mb_groups
# Disable unprivileged user namespaces to reduce local attack surface
sysctl -w kernel.unprivileged_userns_clone=0
echo 'kernel.unprivileged_userns_clone=0' >> /etc/sysctl.d/99-hardening.conf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

