CVE-2026-53272 Overview
CVE-2026-53272 is a use-after-free vulnerability in the Linux kernel's EROFS (Enhanced Read-Only File System) implementation. The flaw exists in the z_erofs_decompress_kickoff() function, which can race with filesystem unmount operations. When I/O completion triggers asynchronous decompression work, the unmount path can free the superblock info (sbi) before the worker thread accesses sbi->sync_decompress. The kernel maintainers have resolved the issue through upstream commits to the stable tree.
Critical Impact
A race condition between EROFS I/O completion and filesystem unmount can lead to kernel memory corruption through use-after-free on sbi->sync_decompress, potentially resulting in kernel crash or privilege escalation.
Affected Products
- Linux Kernel (EROFS filesystem subsystem)
- Stable branches addressed by commits 00bf6868df65, 1aee05e814d2, 86ab00cf81d4, and 95caf60da33d
- Distributions shipping vulnerable EROFS-enabled kernels
Discovery Timeline
- 2026-06-25 - CVE-2026-53272 published to NVD
- 2026-06-25 - Last updated in NVD database
Technical Details for CVE-2026-53272
Vulnerability Analysis
The vulnerability resides in EROFS decompression handling. When read I/O completes, z_erofs_endio() calls z_erofs_decompress_kickoff() to queue z_erofs_decompressqueue_work() for asynchronous execution. The kickoff path unlocks all folios before the worker actually runs. This unlock allows pending unmount operations to proceed concurrently. The unmount flow then reaches erofs_kill_sb(), which calls erofs_sb_free() and executes kfree(sbi) on the superblock info structure. When the deferred worker subsequently dereferences sbi->sync_decompress, it accesses freed kernel memory. This is a classic use-after-free [CWE-416] caused by missing synchronization between the asynchronous decompression workqueue and the superblock lifecycle.
Root Cause
The root cause is the absence of a reference or lifetime guarantee on the EROFS superblock info from the time folios are unlocked until the asynchronous decompression worker completes. The unmount workflow assumes outstanding I/O is finished once folios are unlocked, but the queued workqueue item still requires access to sbi. Without a refcount or wait barrier, the unmount path races ahead and frees the structure while a worker is still scheduled.
Attack Vector
Triggering the race requires inducing I/O completion on an EROFS-mounted filesystem followed by a rapid unmount. A local attacker capable of mounting EROFS images or controlling EROFS-backed containers can drive the race window. Successful exploitation produces kernel memory corruption. Depending on memory reuse, the outcome ranges from kernel panic and denial of service to potential elevation of privilege through controlled freed-object reuse. The flaw is not network reachable and requires local activity on an affected host.
No public proof-of-concept code has been released. Refer to the upstream kernel commits for the precise patch logic: kernel.org commit 00bf6868df65 and kernel.org commit 1aee05e814d2.
Detection Methods for CVE-2026-53272
Indicators of Compromise
- Kernel oops or panic logs referencing z_erofs_decompressqueue_work or z_erofs_decompress_kickoff in the call stack.
- KASAN reports flagging use-after-free reads on EROFS superblock info structures.
- Unexpected EROFS filesystem dismount errors correlated with worker thread faults.
Detection Strategies
- Enable KASAN (Kernel Address Sanitizer) in test or canary environments to surface use-after-free conditions during EROFS workloads.
- Monitor dmesg and journal logs for "BUG: KASAN: use-after-free" entries whose call stacks include EROFS symbols.
- Track kernel version inventory across hosts to flag systems running EROFS-enabled kernels predating the fix commits.
Monitoring Recommendations
- Alert on repeated kernel crashes or reboots on hosts that mount EROFS images, particularly container hosts and Android-derived systems.
- Audit container runtimes and image formats to identify workloads relying on EROFS.
- Correlate unmount events with subsequent worker-thread faults in centralized logging to detect race exploitation attempts.
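As an added detection example (not part of the original advisory), the following Python parses dmesg-style lines for the KASAN use-after-free indicator listed under Indicators of Compromise and pairs it with a preceding EROFS unmount, as the Monitoring Recommendations suggest. The sample log lines and the "erofs (loop0): unmounted" marker are constructed; the KASAN header and call-trace layout follow the kernel's usual report shape.

```python
import re
# Symbols the advisory names as indicators: a KASAN use-after-free whose stack hits either one.
EROFS_SYMBOLS = ("z_erofs_decompressqueue_work", "z_erofs_decompress_kickoff")
TS_RE = re.compile(r"^\[\s*(\d+\.\d+)\]\s*(.*)$")
KASAN_RE = re.compile(r"BUG: KASAN: (\S+) in (\w+)\+0x")
TASK_RE = re.compile(r"by task (\S+)")
FRAME_RE = re.compile(r"^(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
# Constructed unmount marker; real deployments should take unmount events from auditd or systemd.
UNMOUNT_RE = re.compile(r"^\[\s*(\d+\.\d+)\]\s*erofs \((\w+)\): unmounted", re.M)

# Constructed dmesg excerpt (not a real capture): EROFS unmount, kworker UAF in the deferred
# decompression worker, then an unrelated KASAN report the filter must ignore.
SAMPLE_DMESG = """\
[  131.200000] erofs (loop0): unmounted
[  131.200460] BUG: KASAN: use-after-free in z_erofs_decompressqueue_work+0x1c4/0x3a0
[  131.200470] Read of size 1 at addr ffff888012345678 by task kworker/u8:2/145
[  131.200480] Call Trace:
[  131.200490]  z_erofs_decompressqueue_work+0x1c4/0x3a0
[  131.200500]  process_one_work+0x2b0/0x620
[  131.200530] ==================================================================
[  200.000000] BUG: KASAN: slab-out-of-bounds in some_other_driver_fn+0x10/0x80
[  200.000040] ==================================================================
"""

def parse_kasan_reports(text):
    """Extract KASAN reports: timestamp, kind, faulting symbol, task and call-trace frames."""
    reports, cur = [], None
    for ts, msg in ((float(m[1]), m[2]) for m in map(TS_RE.match, text.splitlines()) if m):
        if k := KASAN_RE.search(msg):
            reports.append(cur := {"ts": ts, "kind": k[1], "symbol": k[2], "task": "", "stack": []})
        elif cur and (t := TASK_RE.search(msg)):
            cur["task"] = t[1]
        elif cur and (f := FRAME_RE.match(msg)):
            cur["stack"].append(f[1])
        elif cur and msg.startswith("===="):
            cur = None  # KASAN closes each report with a rule of '='
    return reports

def is_erofs_race_indicator(r):
    """A use-after-free whose faulting symbol or any stack frame is in the EROFS decompress path."""
    return r["kind"] == "use-after-free" and any(
        s.startswith(EROFS_SYMBOLS) for s in [r["symbol"], *r["stack"]])

def correlate_unmounts(text, window=5.0):
    """Pair each EROFS unmount with a kworker EROFS use-after-free within `window` seconds."""
    faults = [r for r in parse_kasan_reports(text) if is_erofs_race_indicator(r)]
    return [{"device": m[2], "unmount_ts": float(m[1]), "fault_ts": r["ts"], "task": r["task"]}
            for m in UNMOUNT_RE.finditer(text) for r in faults
            if r["task"].startswith("kworker") and 0 <= r["ts"] - float(m[1]) <= window]
```

Feed real dmesg or journalctl -k output to correlate_unmounts() and alert on any non-empty result; the window should be tuned to the host's unmount-to-worker latency.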
How to Mitigate CVE-2026-53272
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced by commits 00bf6868df65, 1aee05e814d2, 86ab00cf81d4, and 95caf60da33d.
- Update to the distribution kernel that incorporates these stable-tree fixes.
- Restrict the ability of unprivileged users to mount EROFS images, including via user namespaces.
Patch Information
The fix is delivered through the Linux stable tree. Review the commits at kernel.org 86ab00cf81d4 and kernel.org 95caf60da33d. The patch ensures the EROFS superblock info remains valid until all queued decompression work completes, eliminating the race with the unmount path.
Workarounds
- Disable EROFS support in the kernel build where the filesystem is not required.
- Avoid mounting untrusted EROFS images on multi-tenant or production hosts until patched kernels are deployed.
- Limit privileged container capabilities that allow filesystem mount and unmount operations.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.