CVE-2026-31446
Published: 22 April 2026
Summary
CVE-2026-31446 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); it ranks at the 2.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Mandates timely identification, reporting, and patching of the ext4 use-after-free vulnerability to prevent exploitation during umount races.
- Requires vulnerability scanning to identify the kernel ext4 use-after-free flaw in affected versions.
- Ensures receipt and dissemination of security advisories reporting the CVE-2026-31446 kernel vulnerability for prompt remediation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Use-after-free in kernel ext4 (update_super_work vs. umount race) directly enables local arbitrary code execution with no privileges, mapping to Exploitation for Privilege Escalation.
NVD Description
In the Linux kernel, the following vulnerability has been resolved:

ext4: fix use-after-free in update_super_work when racing with umount

Commit b98535d09179 ("ext4: fix bug_on in start_this_handle during umount filesystem") moved ext4_unregister_sysfs() before flushing s_sb_upd_work to prevent new error work from being queued via /proc/fs/ext4/xx/mb_groups reads during unmount. However, this introduced a use-after-free because update_super_work calls ext4_notify_error_sysfs() -> sysfs_notify(), which accesses the kobject's kernfs_node after it has been freed by kobject_del() in ext4_unregister_sysfs():

update_super_work                  ext4_put_super
-----------------                  --------------
                                   ext4_unregister_sysfs(sb)
                                     kobject_del(&sbi->s_kobj)
                                       __kobject_del()
                                         sysfs_remove_dir()
                                           kobj->sd = NULL
                                           sysfs_put(sd)
                                             kernfs_put()   // RCU free
ext4_notify_error_sysfs(sbi)
  sysfs_notify(&sbi->s_kobj)
    kn = kobj->sd                  // stale pointer
    kernfs_get(kn)                 // UAF on freed kernfs_node
                                   ext4_journal_destroy()
                                     flush_work(&sbi->s_sb_upd_work)

Instead of reordering the teardown sequence, fix this by making ext4_notify_error_sysfs() detect that sysfs has already been torn down by checking s_kobj.state_in_sysfs, and skipping the sysfs_notify() call in that case. A dedicated mutex (s_error_notify_mutex) serializes ext4_notify_error_sysfs() against kobject_del() in ext4_unregister_sysfs() to prevent TOCTOU races where the kobject could be deleted between the state_in_sysfs check and the sysfs_notify() call.
Deeper analysis
CVE-2026-31446 is a use-after-free vulnerability in the Linux kernel's ext4 filesystem, specifically in the update_super_work function during races with umount operations. The issue stems from a prior commit that reordered ext4_unregister_sysfs before flushing s_sb_upd_work, leading to update_super_work calling ext4_notify_error_sysfs, which accesses a freed kernfs_node via sysfs_notify after kobject_del in ext4_unregister_sysfs. This affects Linux kernel versions prior to the application of the fixing commits.
A local attacker with no privileges required can exploit this vulnerability under low complexity conditions but needs user interaction, such as triggering specific filesystem operations. Exploitation involves racing update_super_work against ext4_put_super during umount, potentially via /proc/fs/ext4/xx/mb_groups reads to queue error work. Successful exploitation yields high impacts on confidentiality, integrity, and availability (CVSS 7.8: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), enabling arbitrary code execution, data corruption, or denial of service through the use-after-free on the kernfs_node.
Mitigation involves applying the upstream patches from the referenced kernel stable commits, including the primary fix in commit 034053378dd81837fd6c7a43b37ee2e58d4f0b4e and backports such as 08b10e6f37fc533a759e9833af0692242e8b3f93, 9449f99ba04f5dd1c8423ad8a90b3651d7240d1d, c4d829737329f2290dd41e290b7d75effdb2a7ff, and c8fe17a1b308c3d8c703ebfb049b325f844342c3. The fix adds a check in ext4_notify_error_sysfs for s_kobj.state_in_sysfs to skip sysfs_notify if sysfs is torn down, protected by a new s_error_notify_mutex to prevent time-of-check-to-time-of-use races against kobject_del.
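The fix pattern described in the NVD text and the analysis above (check s_kobj.state_in_sysfs and call sysfs_notify() under s_error_notify_mutex), as an added user-space model that is not the kernel's code: it contrasts the pre-fix read-then-use window from the race diagram with the serialized check-and-notify. All struct and function names (kn_model, sbi_model, notify_unfixed, notify_fixed, the scenario helpers) are assumptions, and the kernfs free is modelled by a flag rather than a real memory release so the model never touches freed memory.

```c
/* Added user-space model of the CVE-2026-31446 fix pattern (not kernel code): deferred error work vs. umount tearing down the sysfs kobject. */
#include <pthread.h>
#include <stdbool.h>
#include <stddef.h>
struct kn_model { bool freed; };            /* stands in for kernfs_node */
struct sbi_model {
    struct kn_model node;                   /* backing store; "freed" is only flagged */
    struct kn_model *sd;                    /* kobj->sd; NULL after sysfs_remove_dir() */
    bool state_in_sysfs;                    /* s_kobj.state_in_sysfs */
    pthread_mutex_t error_notify_mutex;     /* s_error_notify_mutex */
};
enum outcome { NOTIFIED, SKIPPED, USED_AFTER_FREE };
void sbi_init(struct sbi_model *s) {
    s->node.freed = false; s->sd = &s->node; s->state_in_sysfs = true;
    pthread_mutex_init(&s->error_notify_mutex, NULL);
}
/* ext4_unregister_sysfs() -> kobject_del(): clear state, drop and free the node. */
void sbi_unregister_sysfs(struct sbi_model *s) {
    pthread_mutex_lock(&s->error_notify_mutex);
    s->state_in_sysfs = false;
    s->sd = NULL;
    s->node.freed = true;                   /* kernfs_put(): RCU free */
    pthread_mutex_unlock(&s->error_notify_mutex);
}
/* Pre-fix flow: read kobj->sd, then use it, with no state check and no lock.
 * 'interleave' models umount running inside that window (see the race diagram). */
enum outcome notify_unfixed(struct sbi_model *s, void (*interleave)(struct sbi_model *)) {
    struct kn_model *kn = s->sd;            /* pointer captured before teardown */
    if (interleave) interleave(s);
    if (!kn) return SKIPPED;                /* kernfs_get(NULL) is a no-op */
    return kn->freed ? USED_AFTER_FREE : NOTIFIED;   /* kernfs_get(kn) */
}
/* Fixed flow: state check and notify run under one mutex, so kobject_del()
 * cannot slip in between them; a torn-down sysfs is simply skipped. */
enum outcome notify_fixed(struct sbi_model *s) {
    enum outcome r = SKIPPED;
    pthread_mutex_lock(&s->error_notify_mutex);
    if (s->state_in_sysfs) r = s->sd->freed ? USED_AFTER_FREE : NOTIFIED;
    pthread_mutex_unlock(&s->error_notify_mutex);
    return r;
}
enum outcome scenario_race_unfixed(void) {   /* umount lands inside the pre-fix window */
    struct sbi_model s; sbi_init(&s); return notify_unfixed(&s, sbi_unregister_sysfs);
}
enum outcome scenario_fixed(bool umount_first) {
    struct sbi_model s; sbi_init(&s);
    if (umount_first) sbi_unregister_sysfs(&s);
    return notify_fixed(&s);
}
```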
Details
- CWE(s)