CVE-2026-23224
Published: 18 February 2026
Summary
CVE-2026-23224 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 4.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).
Deeper analysis
CVE-2026-23224 is a use-after-free (UAF) vulnerability in the Linux kernel's EROFS (Enhanced Read-Only File System) implementation. It affects file-backed mounts when the directio mount option is enabled, triggering a race condition during read operations. The issue arises in the erofs_fileio path, where a bio submission returns -EIOCBQUEUED, leading to premature freeing of the erofs_fileio_rq structure in erofs_fileio_ki_complete(). Subsequent access in file_accessed() dereferences a NULL filp pointer, resulting in a kernel panic, as evidenced by the provided call trace involving z_erofs_read_folio, filemap_fault, and page fault handlers.
A local attacker with low privileges (PR:L) can exploit this vulnerability due to its low attack complexity (AC:L) and lack of user interaction requirement (UI:N). Exploitation occurs in a race between z_erofs_runqueue and the workqueue s_dio_done_wq, potentially allowing the attacker to trigger the UAF during EROFS file reads on affected mounts. Successful exploitation yields high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), with a CVSS v3.1 base score of 7.8, enabling kernel crashes or more severe outcomes like arbitrary code execution or data corruption via the freed memory.
Mitigation is provided through upstream kernel patches, including commits such as 1caf50ce4af096d0280d59a31abdd85703cd995c, ae385826840a3c8e09bf38cac90adcd690716f57, b2ee5e4d5446babd23ff7beb4e636be0fb3ea5aa, and d741534302f71c511eb0bb670b92eaa7df4a0aec. These introduce a reference count in struct erofs_fileio_rq, initialized to 2, which is decremented by both erofs_fileio_ki_complete() and erofs_fileio_rq_submit(); the structure is freed only when the count reaches zero, preventing the UAF race. Security practitioners should apply these stable kernel updates to vulnerable systems using EROFS with file-backed directio mounts.
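The two-owner reference count described above can be replayed in user space. This is an added example, not the kernel patch: `model_rq`, `model_rq_put` and `model_submit` are hypothetical names, and the two orderings of the race are run sequentially rather than on real threads.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical user-space model; names are not the kernel's. */
struct model_rq {
    atomic_int ref;   /* two owners: submitter and completion callback */
    int *filp;        /* stands in for iocb.ki_filp */
    int *frees;       /* lets the caller count how often rq was freed */
};

/* Drop one reference; only the last owner frees. Returns true if freed. */
static bool model_rq_put(struct model_rq *rq)
{
    if (atomic_fetch_sub(&rq->ref, 1) != 1)
        return false;
    ++*rq->frees;
    free(rq);
    return true;
}

/*
 * Replay one ordering of the race. completion_first=true is the ordering
 * from the commit message: the completion runs before the submitter
 * touches the file. Returns the number of frees (expected 1), -1 on error.
 */
int model_submit(bool completion_first, bool *freed_by_submitter)
{
    int file_touches = 0, frees = 0;
    struct model_rq *rq = calloc(1, sizeof(*rq));
    if (!rq)
        return -1;
    atomic_init(&rq->ref, 2);           /* one reference per owner */
    rq->filp = &file_touches;
    rq->frees = &frees;

    if (completion_first && model_rq_put(rq))
        return -1;                      /* freed early: the pre-fix bug */
    ++*rq->filp;                        /* file_accessed(): rq is still live */
    *freed_by_submitter = model_rq_put(rq);
    if (!completion_first)
        model_rq_put(rq);               /* completion arrives later, frees */
    return frees;
}

int main(void)
{
    bool by_submitter;
    printf("completion first: frees=%d\n", model_submit(true, &by_submitter));
    printf("submitter first:  frees=%d\n", model_submit(false, &by_submitter));
    return 0;
}
```

In both orderings the request is freed exactly once, and always by whichever owner drops its reference last.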
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7677
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

erofs: fix UAF issue for file-backed mounts w/ directio option

[ 9.269940][ T3222] Call trace:
[ 9.269948][ T3222] ext4_file_read_iter+0xac/0x108
[ 9.269979][ T3222] vfs_iocb_iter_read+0xac/0x198
[ 9.269993][ T3222] erofs_fileio_rq_submit+0x12c/0x180
[ 9.270008][ T3222] erofs_fileio_submit_bio+0x14/0x24
[ 9.270030][ T3222] z_erofs_runqueue+0x834/0x8ac
[ 9.270054][ T3222] z_erofs_read_folio+0x120/0x220
[ 9.270083][ T3222] filemap_read_folio+0x60/0x120
[ 9.270102][ T3222] filemap_fault+0xcac/0x1060
[ 9.270119][ T3222] do_pte_missing+0x2d8/0x1554
[ 9.270131][ T3222] handle_mm_fault+0x5ec/0x70c
[ 9.270142][ T3222] do_page_fault+0x178/0x88c
[ 9.270167][ T3222] do_translation_fault+0x38/0x54
[ 9.270183][ T3222] do_mem_abort+0x54/0xac
[ 9.270208][ T3222] el0_da+0x44/0x7c
[ 9.270227][ T3222] el0t_64_sync_handler+0x5c/0xf4
[ 9.270253][ T3222] el0t_64_sync+0x1bc/0x1c0

EROFS may encounter above panic when enabling file-backed mount w/ directio mount option, the root cause is it may suffer UAF in below race condition:

- z_erofs_read_folio                          wq s_dio_done_wq
 - z_erofs_runqueue
  - erofs_fileio_submit_bio
   - erofs_fileio_rq_submit
    - vfs_iocb_iter_read
     - ext4_file_read_iter
      - ext4_dio_read_iter
       - iomap_dio_rw
       : bio was submitted and return -EIOCBQUEUED
                                              - dio_aio_complete_work
                                               - dio_complete
                                                - dio->iocb->ki_complete (erofs_fileio_ki_complete())
                                                 - kfree(rq)
                                                 : it frees iocb, iocb.ki_filp can be UAF in file_accessed().
       - file_accessed
       : access NULL file point

Introduce a reference count in struct erofs_fileio_rq, and initialize it as two, both erofs_fileio_ki_complete() and erofs_fileio_rq_submit() will decrease reference count, the last one decreasing the reference count to zero will free rq.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel UAF in EROFS enables exploitation for privilege escalation to achieve arbitrary code execution or kernel compromise.
Mitigating Controls (NIST 800-53 r5)
Directly and comprehensively mitigates the EROFS UAF vulnerability by requiring timely patching of the kernel race condition in erofs_fileio_rq reference counting.
Addresses the CVE by enabling vulnerability scanning to identify and prioritize systems running vulnerable Linux kernel versions with EROFS directio support.
Mitigates exploitation by enforcing secure kernel and mount configurations, such as disabling the directio option for file-backed EROFS mounts.