Home

Description

In the Linux kernel, the following vulnerability has been resolved: ext4: fix use-after-free in update_super_work when racing with umount Commit b98535d09179 ("ext4: fix bug_on in start_this_handle during umount filesystem") moved ext4_unregister_sysfs() before flushing s_sb_upd_work to prevent new error work from being queued via /proc/fs/ext4/xx/mb_groups reads during unmount. However, this introduced a use-after-free because update_super_work calls ext4_notify_error_sysfs() -> sysfs_notify() which accesses the kobject's kernfs_node after it has been freed by kobject_del() in ext4_unregister_sysfs(): update_super_work ext4_put_super ----------------- -------------- ext4_unregister_sysfs(sb) kobject_del(&sbi->s_kobj) __kobject_del() sysfs_remove_dir() kobj->sd = NULL sysfs_put(sd) kernfs_put() // RCU free ext4_notify_error_sysfs(sbi) sysfs_notify(&sbi->s_kobj) kn = kobj->sd // stale pointer kernfs_get(kn) // UAF on freed kernfs_node ext4_journal_destroy() flush_work(&sbi->s_sb_upd_work) Instead of reordering the teardown sequence, fix this by making ext4_notify_error_sysfs() detect that sysfs has already been torn down by checking s_kobj.state_in_sysfs, and skipping the sysfs_notify() call in that case. A dedicated mutex (s_error_notify_mutex) serializes ext4_notify_error_sysfs() against kobject_del() in ext4_unregister_sysfs() to prevent TOCTOU races where the kobject could be deleted between the state_in_sysfs check and the sysfs_notify() call.

PUBLISHED Reserved 2026-03-09 | Published 2026-04-22 | Updated 2026-05-23 | Assigner Linux




HIGH: 7.8CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Product status

Default status
unaffected

52c3a04f9ec2a16a4204d6274db338cb8d5b2d74 (git) before c8fe17a1b308c3d8c703ebfb049b325f844342c3
affected

b98535d091795a79336f520b0708457aacf55c67 (git) before c4d829737329f2290dd41e290b7d75effdb2a7ff
affected

b98535d091795a79336f520b0708457aacf55c67 (git) before 9449f99ba04f5dd1c8423ad8a90b3651d7240d1d
affected

b98535d091795a79336f520b0708457aacf55c67 (git) before 034053378dd81837fd6c7a43b37ee2e58d4f0b4e
affected

b98535d091795a79336f520b0708457aacf55c67 (git) before c97e282f7bfd0c3554c63d289964a5ca6a1d2ffe
affected

b98535d091795a79336f520b0708457aacf55c67 (git) before 08b10e6f37fc533a759e9833af0692242e8b3f93
affected

b98535d091795a79336f520b0708457aacf55c67 (git) before d15e4b0a418537aafa56b2cb80d44add83e83697
affected

585ef03c9e79672781f954daae730dfe24bf3a46 (git)
affected

afe490e48d47df1b3f64012835c1bc2f075a8c8b (git)
affected

5.15.38 (semver) before 5.15.203
affected

5.10.114 (semver) before 5.11
affected

5.17.6 (semver) before 5.18
affected

Default status
affected

5.18
affected

Any version before 5.18
unaffected

5.15.203 (semver)
unaffected

6.1.168 (semver)
unaffected

6.6.131 (semver)
unaffected

6.12.80 (semver)
unaffected

6.18.21 (semver)
unaffected

6.19.11 (semver)
unaffected

7.0 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/c8fe17a1b308c3d8c703ebfb049b325f844342c3

git.kernel.org/...c/c4d829737329f2290dd41e290b7d75effdb2a7ff

git.kernel.org/...c/9449f99ba04f5dd1c8423ad8a90b3651d7240d1d

git.kernel.org/...c/034053378dd81837fd6c7a43b37ee2e58d4f0b4e

git.kernel.org/...c/c97e282f7bfd0c3554c63d289964a5ca6a1d2ffe

git.kernel.org/...c/08b10e6f37fc533a759e9833af0692242e8b3f93

git.kernel.org/...c/d15e4b0a418537aafa56b2cb80d44add83e83697

cve.org (CVE-2026-31446)

nvd.nist.gov (CVE-2026-31446)

Download JSON