Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-31446

CVE-2026-31446: Linux Kernel Use-After-Free Vulnerability

CVE-2026-31446 is a use-after-free flaw in the Linux Kernel's ext4 filesystem that occurs during unmount operations. This post covers the technical details, affected versions, security impact, and mitigation steps.

Updated:

CVE-2026-31446 Overview

CVE-2026-31446 is a use-after-free vulnerability [CWE-416] in the Linux kernel's ext4 filesystem. The flaw exists in update_super_work and triggers when the work item races with filesystem unmount. A previous fix (commit b98535d09179) reordered teardown by moving ext4_unregister_sysfs() before flushing s_sb_upd_work, which introduced this regression. The work item calls ext4_notify_error_sysfs() -> sysfs_notify(), which dereferences the kobject's kernfs_node after kobject_del() has already freed it. A local attacker with the ability to trigger ext4 error reporting during unmount can corrupt kernel memory.

Critical Impact

Local exploitation can lead to kernel memory corruption, denial of service, or potential privilege escalation through use-after-free of a freed kernfs_node.

Affected Products

  • Linux Kernel (multiple stable branches including 5.18 and 7.0 release candidates)
  • Distributions shipping ext4 with the b98535d09179 backport
  • Systems exposing /proc/fs/ext4/<dev>/mb_groups to unprivileged readers

Discovery Timeline

  • 2026-04-22 - CVE-2026-31446 published to NVD
  • 2026-05-07 - Last updated in NVD database

Technical Details for CVE-2026-31446

Vulnerability Analysis

The vulnerability lives in the ext4 superblock teardown path. When ext4_put_super() runs, it calls ext4_unregister_sysfs(), which invokes kobject_del() on sbi->s_kobj. That call clears kobj->sd and releases the backing kernfs_node via sysfs_put() and an RCU-deferred kernfs_put(). Concurrently, the pending update_super_work item may still execute and call ext4_notify_error_sysfs(), which invokes sysfs_notify(&sbi->s_kobj). Inside sysfs_notify(), the code reads the now-stale kobj->sd pointer and calls kernfs_get() on freed memory.

Root Cause

The root cause is an ordering and synchronization defect between the workqueue flush and sysfs teardown. The earlier fix prevented new error work from being queued during reads of mb_groups, but it left already-queued work running against a partially destroyed kobject. No mutex serialized the state_in_sysfs state against kobject_del(). The upstream remediation adds a dedicated s_error_notify_mutex and makes ext4_notify_error_sysfs() check s_kobj.state_in_sysfs before calling sysfs_notify().

Attack Vector

Exploitation requires local access and the ability to influence ext4 to schedule error work while the filesystem is being unmounted. The CVSS vector indicates user interaction is required, consistent with triggering mount/unmount cycles or filesystem errors. A successful race produces a write to freed kernel slab memory, enabling denial of service or potential escalation when the freed object is reallocated under attacker influence.

Verified exploit code is not publicly available. See the upstream patches referenced in the vendor advisories for the precise call sequence and fix.

Detection Methods for CVE-2026-31446

Indicators of Compromise

  • Kernel oops or KASAN reports referencing use-after-free in sysfs_notify, kernfs_get, or ext4_notify_error_sysfs
  • Unexpected kernel panics during ext4 filesystem unmount operations
  • Repeated forced unmounts correlated with ext4 error injection or heavy mb_groups reads

Detection Strategies

  • Enable KASAN (Kernel Address Sanitizer) on test and pre-production hosts to surface use-after-free conditions in the ext4 teardown path
  • Audit kernel logs (dmesg, journalctl -k) for stack traces involving update_super_work, ext4_notify_error_sysfs, and kernfs_node
  • Track running kernel versions against the fixed commits to identify unpatched assets at scale

Monitoring Recommendations

  • Forward kernel crash and oops events to a centralized log platform for correlation across hosts
  • Alert on repeated ext4 unmount failures or filesystem error notifications coinciding with privilege boundary crossings
  • Monitor for unexpected loading of filesystems by unprivileged users via unshare or user namespaces

How to Mitigate CVE-2026-31446

Immediate Actions Required

  • Apply the upstream kernel patches referenced in the kernel.org commit list and rebuild affected kernels
  • Update to a distribution kernel that includes the s_error_notify_mutex fix once available from your vendor
  • Inventory hosts running affected 5.18 and 7.0-rc kernel builds and prioritize patching multi-tenant systems

Patch Information

The Linux kernel maintainers published fixes across multiple stable branches. The remediation adds a s_error_notify_mutex and a state_in_sysfs check in ext4_notify_error_sysfs() to serialize against kobject_del(). Review the patch series at Kernel commit c4d8297, Kernel commit 0340533, Kernel commit 08b10e6, Kernel commit 9449f99, Kernel commit c8fe17a, Kernel commit c97e282, and Kernel commit d15e4b0.

Workarounds

  • Restrict unprivileged access to mount and unmount operations by disabling user namespaces where not required
  • Limit read access to /proc/fs/ext4/*/mb_groups to root-only by tightening procfs permissions
  • Avoid frequent ext4 mount/unmount cycles on shared multi-tenant hosts until patches are deployed
bash
# Verify the running kernel version and check for the fixed commit
uname -r

# Restrict access to ext4 sysfs/proc entries (review impact before applying)
chmod 0400 /proc/fs/ext4/*/mb_groups

# Disable unprivileged user namespaces to reduce local attack surface
sysctl -w kernel.unprivileged_userns_clone=0
echo 'kernel.unprivileged_userns_clone=0' >> /etc/sysctl.d/99-hardening.conf

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.