CVE-2026-22995

HIGH EPSS 1.8%
Published Jan 23, 2026 (5mo ago) · Modified Jun 17, 2026 (2w ago)
7.8 CVSS 3.1
High

Description

In the Linux kernel, the following vulnerability has been resolved:

ublk: fix use-after-free in ublk_partition_scan_work

A race condition exists between the async partition scan work and device teardown that can lead to a use-after-free of ub->ub_disk:

1. ublk_ctrl_start_dev() schedules partition_scan_work after add_disk()
2. ublk_stop_dev() calls ublk_stop_dev_unlocked() which does:
   - del_gendisk(ub->ub_disk)
   - ublk_detach_disk() sets ub->ub_disk = NULL
   - put_disk() which may free the disk
3. The worker ublk_partition_scan_work() then dereferences ub->ub_disk leading to UAF

Fix this by using ublk_get_disk()/ublk_put_disk() in the worker to hold a reference to the disk during the partition scan. The spinlock in ublk_get_disk() synchronizes with ublk_detach_disk() ensuring the worker either gets a valid reference or sees NULL and exits early.

Also change flush_work() to cancel_work_sync() to avoid running the partition scan work unnecessarily when the disk is already detached.
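
A user-space model of the reference pattern the fix describes, added here as an illustration and not the kernel's code: the worker takes its reference under the same lock the detach path uses, so it either keeps the disk alive or sees NULL. The names `struct disk`, `struct dev`, `get_disk_ref`, `put_disk_ref`, `detach_disk`, `worker_is_safe` and the `freed` flag are assumptions, and both orderings are replayed single-threaded.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical user-space stand-ins for the gendisk and the ublk device. */
struct disk { atomic_int refs; bool freed; };
struct dev  { atomic_flag lock; struct disk *disk; };
static void lock_dev(struct dev *d)   { while (atomic_flag_test_and_set(&d->lock)) { } }
static void unlock_dev(struct dev *d) { atomic_flag_clear(&d->lock); }
/* Drop one reference; the last put "frees" the disk (modelled as a flag). */
static void put_disk_ref(struct disk *k) { if (atomic_fetch_sub(&k->refs, 1) == 1) k->freed = true; }

/* Worker side: take a reference under the lock, or see NULL after detach. */
static struct disk *get_disk_ref(struct dev *d)
{
    lock_dev(d);
    struct disk *k = d->disk;
    if (k) atomic_fetch_add(&k->refs, 1);
    unlock_dev(d);
    return k;
}

/* Teardown side: clear the pointer under the same lock, then drop the owner's ref. */
static void detach_disk(struct dev *d)
{
    lock_dev(d);
    struct disk *k = d->disk;
    d->disk = NULL;
    unlock_dev(d);
    if (k) put_disk_ref(k);
}

/* Returns true if the worker never touches a freed disk in the given ordering. */
static bool worker_is_safe(bool teardown_first)
{
    struct disk k = { 1, false };               /* constructed sample: one owner ref */
    struct dev d = { ATOMIC_FLAG_INIT, &k };
    if (teardown_first) {                       /* worker must see NULL and exit early */
        detach_disk(&d);
        return get_disk_ref(&d) == NULL && k.freed;
    }
    struct disk *held = get_disk_ref(&d);       /* teardown lands mid-scan */
    detach_disk(&d);
    bool alive = held == &k && !k.freed;        /* worker's pointer is still valid */
    put_disk_ref(held);
    return alive && k.freed;                    /* freed only after the worker's put */
}

int main(void) { return worker_is_safe(true) && worker_is_safe(false) ? 0 : 1; }
```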

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
1.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-416 Use After Free Memory Safety

Affected Products 2

Vendor  Product       Version  Range
linux   linux_kernel  *        ≥6.18.4 – <6.18.6
linux   linux_kernel  6.19     any

References 2

  • git.kernel.org https://git.kernel.org/stable/c/72e28774e9644c2bdbb4920842fbf77103a15a85
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f0d385f6689f37a2828c686fb279121df006b4cb
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/72e28774e9644c2bdbb4920842fbf77103a15a85
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f0d385f6689f37a2828c686fb279121df006b4cb
    Patch