CVE-2026-31703

Severity: High (CVSS 3.1 base score 7.8)
EPSS: 2.1%
Published: May 1, 2026
Last Modified: Jun 19, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

writeback: Fix use after free in inode_switch_wbs_work_fn()

inode_switch_wbs_work_fn() has a loop like:

    wb_get(new_wb);
    while (1) {
        list = llist_del_all(&new_wb->switch_wbs_ctxs);
        /* Nothing to do? */
        if (!list)
            break;
        ... process the items ...
    }

Now adding of items to the list looks like:

    wb_queue_isw()
        if (llist_add(&isw->list, &wb->switch_wbs_ctxs))
            queue_work(isw_wq, &wb->switch_work);

Because inode_switch_wbs_work_fn() loops when processing isw items, it can happen that wb->switch_work is pending while wb->switch_wbs_ctxs is empty. This is a problem because in that case wb can get freed (no isw items -> no wb reference) while the work is still pending causing use-after-free issues.

We cannot just fix this by cancelling work when freeing wb because that could still trigger problematic 0 -> 1 transitions on wb refcount due to wb_get() in inode_switch_wbs_work_fn(). It could be all handled with more careful code but that seems unnecessarily complex so let's avoid that until it is proven that the looping actually brings practical benefit. Just remove the loop from inode_switch_wbs_work_fn() instead. That way when wb_queue_isw() queues work, we are guaranteed we have added the first item to wb->switch_wbs_ctxs and nobody is going to remove it (and drop the wb reference it holds) until the queued work runs.
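The ordering described above, replayed as a single-threaded userspace model. This is an added example, not kernel code or part of the fix: `wb_model` and the `model_*` functions are hypothetical names, and plain counters stand in for the llist, the wb refcount and the workqueue pending bit.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed userspace model: counters stand in for the kernel objects. */
struct wb_model {
    int queued_items;   /* isw items on wb->switch_wbs_ctxs */
    int item_refs;      /* wb references held by unprocessed isw items */
    bool work_pending;  /* wb->switch_work queued but not yet started */
};

/* Models wb_queue_isw(): llist_add() is true only if the list was empty. */
static void model_queue_isw(struct wb_model *wb)
{
    bool was_empty = (wb->queued_items == 0);
    wb->queued_items++;
    wb->item_refs++;
    if (was_empty)
        wb->work_pending = true;   /* queue_work() */
}

/* Models llist_del_all() plus processing: each item drops its wb ref. */
static int model_take_and_process(struct wb_model *wb)
{
    int n = wb->queued_items;
    wb->queued_items = 0;
    wb->item_refs -= n;
    return n;
}

/* True if the work ends up pending while no isw item pins wb. */
bool model_pending_without_ref(bool loop_in_worker)
{
    struct wb_model wb = {0};
    model_queue_isw(&wb);          /* first item: queues the work */
    wb.work_pending = false;       /* workqueue starts the work function */
    model_take_and_process(&wb);   /* first llist_del_all() pass */
    model_queue_isw(&wb);          /* add during processing: work re-queued */
    if (loop_in_worker)
        while (model_take_and_process(&wb) > 0)
            ;                      /* old code: loop drains the new item too */
    return wb.work_pending && wb.item_refs == 0;
}

int main(void)
{
    printf("loop: %d, no loop: %d\n", model_pending_without_ref(true),
           model_pending_without_ref(false));
    return 0;
}
```

With the loop, the model ends with the work pending and nothing holding a wb reference; without it, the second item stays on the list and keeps its reference until the re-queued work runs.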

CVSS Details

Base Score: 7.8
Exploitability: 1.8
Impact: 5.9
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Threat Intelligence

EPSS Exploit Probability
2.1% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-416 Use After Free Memory Safety

Affected Products 4

Vendor   Product        Version   Range
linux    linux_kernel   *         ≥6.18 – <6.18.25
linux    linux_kernel   *         ≥6.19 – <7.0.2
linux    linux_kernel   7.1       any
linux    linux_kernel   7.1       any

References 4

  • git.kernel.org https://git.kernel.org/stable/c/028103656b84273c73e9e271cf95c9f3421f4b8a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/156cc63691c1f20905510b1007896e090355e6c2
  • git.kernel.org https://git.kernel.org/stable/c/6689f01d6740cf358932b3e97ee968c6099800d9
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9223e5f30403a9b506d6d0bff4f2e29a2d7d46af
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/028103656b84273c73e9e271cf95c9f3421f4b8a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6689f01d6740cf358932b3e97ee968c6099800d9
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9223e5f30403a9b506d6d0bff4f2e29a2d7d46af
    Patch