CVE-2026-22995
Published: 23 January 2026
Summary
CVE-2026-22995 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 5.4th percentile by exploit likelihood (well below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): apply the upstream ublk fix through a kernel update that carries the referenced stable commits. The fix makes ublk_partition_scan_work() hold its own disk reference (ublk_get_disk()/ublk_put_disk()) and has teardown cancel the queued scan (cancel_work_sync()) instead of flushing it.
- CM-7 (Least Functionality): on hosts that do not need user-space block devices, keep the ublk driver out of the running kernel. For a modular ublk_drv, an `install ublk_drv /bin/false` line in modprobe.d prevents loading (a bare `blacklist` entry only stops alias-based autoload and does not stop an explicit modprobe by the ublk user-space daemon); a built-in driver can only be removed by rebuilding without CONFIG_BLK_DEV_UBLK.
- SI-16 (Memory Protection): kernel memory-hardening options (slab freelist hardening and randomization, init_on_free=1, KASAN on test builds) raise the cost of turning the dangling ub->ub_disk pointer into a controlled allocation and surface the bug during testing, but they do not close the race and are no substitute for the patch.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
T1068 (Exploitation for Privilege Escalation): the vulnerable code runs in the kernel and the trigger is local (AV:L, PR:L), so a user who can start and tear down a ublk device can turn the use-after-free into kernel memory corruption and from there into arbitrary code execution with full kernel privileges. No other technique is needed for the escalation step itself.
NVD Description
In the Linux kernel, the following vulnerability has been resolved:

ublk: fix use-after-free in ublk_partition_scan_work

A race condition exists between the async partition scan work and device teardown that can lead to a use-after-free of ub->ub_disk:
1. ublk_ctrl_start_dev() schedules partition_scan_work after add_disk()
2. ublk_stop_dev() calls ublk_stop_dev_unlocked() which does:
   - del_gendisk(ub->ub_disk)
   - ublk_detach_disk() sets ub->ub_disk = NULL
   - put_disk() which may free the disk
3. The worker ublk_partition_scan_work() then dereferences ub->ub_disk leading to UAF

Fix this by using ublk_get_disk()/ublk_put_disk() in the worker to hold a reference to the disk during the partition scan. The spinlock in ublk_get_disk() synchronizes with ublk_detach_disk() ensuring the worker either gets a valid reference or sees NULL and exits early. Also change flush_work() to cancel_work_sync() to avoid running the partition scan work unnecessarily when the disk is already detached.
Deeper analysis
CVE-2026-22995 is a use-after-free vulnerability in the Linux kernel's ublk (user-space block driver) component, specifically within the ublk_partition_scan_work function. The issue arises from a race condition between the asynchronous partition scan work, scheduled after add_disk() in ublk_ctrl_start_dev(), and device teardown in ublk_stop_dev(). During teardown, del_gendisk() is called, followed by ublk_detach_disk(), which sets ub->ub_disk to NULL, and put_disk(), which may free the disk. If the worker runs after that, it either dereferences the now-NULL ub->ub_disk or, if it had already loaded the pointer, touches the freed gendisk: a use-after-free (CWE-416). The pre-fix teardown only called flush_work(), which runs a still-queued scan rather than discarding it, so the window was not closed by teardown itself.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N), as indicated by the CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Successful exploitation could allow the attacker to achieve high impacts on confidentiality, integrity, and availability, potentially enabling arbitrary code execution, data corruption, or system crashes by manipulating the timing of device operations to trigger the race. Triggering the race requires the ability to start and stop a ublk device through the ublk control interface (/dev/ublk-control). That node is root-only on a default install; the low-privilege rating applies where an administrator has opened it to unprivileged users, which the driver supports through its unprivileged-device mode (UBLK_F_UNPRIVILEGED_DEV).
The provided patch references detail the mitigation, which involves adding reference counting in the worker via ublk_get_disk() and ublk_put_disk() to hold a valid reference to the disk during the partition scan. The spinlock in ublk_get_disk() synchronizes with ublk_detach_disk(), ensuring the worker either acquires a reference or sees NULL and exits early. Additionally, flush_work() is replaced with cancel_work_sync() to prevent unnecessary execution of the partition scan after detachment. These changes are available in the linked kernel stable commits.
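The two interleavings described above and in the commit message, as an added example that is not code from the kernel or from this advisory. It models the objects as toy structs (the real definitions live in drivers/block/ublk_drv.c and differ), never really frees the disk (put_disk() sets a flag so a use-after-free is reported instead of crashing), and replaces the second CPU with a hook that runs teardown at a chosen point, so each interleaving is deterministic. The worker is written in both its vulnerable form (raw load of ub->ub_disk, no reference) and its fixed form (ublk_get_disk() under the same lock as ublk_detach_disk()). The cancel_work_sync() change is not modelled. Names and return codes are the example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy models, constructed for this example; not the ublk_drv.c definitions. */
struct gendisk {
    int  refcount;   /* stands in for the refcount put_disk() drops */
    bool freed;      /* set on the final put, in place of kfree() */
};

struct spinlock { int locked; };
static void spin_lock(struct spinlock *l)   { l->locked = 1; }
static void spin_unlock(struct spinlock *l) { l->locked = 0; }

struct ublk_device {
    struct gendisk *ub_disk;   /* NULL once the disk is detached */
    struct spinlock lock;      /* shared by ublk_get_disk() and ublk_detach_disk() */
};

/* What one run of the partition-scan worker did. */
enum scan_result {
    SCAN_DONE           = 0,   /* scanned a live disk, then dropped its reference */
    SCAN_EXITED         = 1,   /* fixed path: saw ub_disk == NULL and returned early */
    SCAN_NULL_DEREF     = -1,  /* vulnerable path: dereferenced a NULL ub_disk */
    SCAN_USE_AFTER_FREE = -2   /* vulnerable path: dereferenced a freed disk */
};

static void put_disk(struct gendisk *disk)
{
    if (--disk->refcount == 0)
        disk->freed = true;
}

/* ublk_detach_disk(): clear the pointer under ub->lock. */
static void ublk_detach_disk(struct ublk_device *ub)
{
    spin_lock(&ub->lock);
    ub->ub_disk = NULL;
    spin_unlock(&ub->lock);
}

/* ublk_stop_dev(): del_gendisk() (omitted), detach, drop the device's own reference. */
static void ublk_stop_dev(struct ublk_device *ub)
{
    struct gendisk *disk = ub->ub_disk;
    if (!disk)
        return;
    ublk_detach_disk(ub);
    put_disk(disk);   /* last reference unless the worker holds one */
}

/* ublk_get_disk(): under the same lock as ublk_detach_disk(), either take a
 * reference to a still-attached disk or observe NULL. */
static struct gendisk *ublk_get_disk(struct ublk_device *ub)
{
    struct gendisk *disk;
    spin_lock(&ub->lock);
    disk = ub->ub_disk;
    if (disk)
        disk->refcount++;
    spin_unlock(&ub->lock);
    return disk;
}

static void ublk_put_disk(struct gendisk *disk) { put_disk(disk); }

/* The dereference the worker performs on the disk. */
static enum scan_result scan_partitions(struct gendisk *disk)
{
    if (!disk)
        return SCAN_NULL_DEREF;
    if (disk->freed)
        return SCAN_USE_AFTER_FREE;
    return SCAN_DONE;
}

/* ublk_partition_scan_work(), vulnerable (fixed == false) or fixed. teardown_hook,
 * if set, runs between the load of ub->ub_disk and its dereference, standing in
 * for ublk_stop_dev() racing on another CPU. */
static enum scan_result ublk_partition_scan_work(struct ublk_device *ub, bool fixed,
                                                 void (*teardown_hook)(struct ublk_device *))
{
    struct gendisk *disk;
    enum scan_result r;

    if (fixed) {
        disk = ublk_get_disk(ub);
        if (!disk)
            return SCAN_EXITED;    /* already detached: nothing to scan */
    } else {
        disk = ub->ub_disk;        /* raw pointer, no reference held */
    }
    if (teardown_hook)
        teardown_hook(ub);
    r = scan_partitions(disk);
    if (fixed)
        ublk_put_disk(disk);       /* drop the reference taken above */
    return r;
}

/* Interleaving from the commit message: teardown completes before the queued worker runs. */
enum scan_result race_teardown_before_worker(bool fixed)
{
    struct gendisk disk = { .refcount = 1, .freed = false };   /* state after add_disk() */
    struct ublk_device ub = { .ub_disk = &disk, .lock = { 0 } };
    ublk_stop_dev(&ub);
    return ublk_partition_scan_work(&ub, fixed, NULL);
}

/* The worker has loaded ub->ub_disk; teardown runs before the dereference. */
enum scan_result race_teardown_mid_worker(bool fixed)
{
    struct gendisk disk = { .refcount = 1, .freed = false };
    struct ublk_device ub = { .ub_disk = &disk, .lock = { 0 } };
    return ublk_partition_scan_work(&ub, fixed, ublk_stop_dev);
}

int main(void)
{
    printf("teardown before worker: vulnerable=%d fixed=%d\n",
           race_teardown_before_worker(false), race_teardown_before_worker(true));
    printf("teardown mid worker:    vulnerable=%d fixed=%d\n",
           race_teardown_mid_worker(false), race_teardown_mid_worker(true));
    return 0;
}
```

In the first interleaving the vulnerable worker dereferences NULL and the fixed worker exits early; in the second the vulnerable worker touches a freed disk while the fixed worker's extra reference keeps the disk alive until its own ublk_put_disk(). The property the lock provides is that ublk_get_disk() can never observe a non-NULL pointer whose reference has already been dropped, because ublk_detach_disk() clears the pointer under the same lock before put_disk() runs.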
Details
- CWE(s)