CVE-2026-31453
Published: 22 April 2026
Summary
CVE-2026-31453 is a high-severity vulnerability in the Linux kernel, classified as a NULL Pointer Dereference (CWE-476). Its CVSS base score is 7.8 (High). Note that the kernel's own description of the fix (quoted below) concerns dereferences of a log item that may already have been freed, i.e. a use-after-free pattern rather than a NULL dereference, so the CWE label should be read with that in mind.
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its exploit-likelihood ranking sits at the 2.4th percentile (well below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Timely application of the kernel patches (SI-2, Flaw Remediation) remediates the defect directly: the fixed code no longer dereferences a log item after iop_push() has returned.
- Kernel memory-safety hardening such as KASLR and SMEP does not remove the bug, but it raises the cost of turning a stale dereference in xfsaild_push_item() into a controlled exploit.
- Vulnerability scanning (RA-5, Vulnerability Monitoring and Scanning) identifies kernels that still lack the fix for CVE-2026-31453, so that remediation can be prioritized.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A use-after-free in kernel XFS AIL handling that is reachable by a local, low-privileged user belongs to the class of kernel memory-corruption bugs that, when exploitable, yields code execution at kernel privilege; that is the outcome T1068 describes.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: xfs: avoid dereferencing log items after push callbacks After xfsaild_push_item() calls iop_push(), the log item may have been freed if the AIL lock was dropped during the push. Background inode reclaim or the dquot shrinker can free the log item while the AIL lock is not held, and the tracepoints in the switch statement dereference the log item after iop_push() returns. Fix this by capturing the log item type, flags, and LSN before calling xfsaild_push_item(), and introducing a new xfs_ail_push_class trace event class that takes these pre-captured values and the ailp pointer instead of the log item pointer.
Deeper analysis
CVE-2026-31453 is a vulnerability in the Linux kernel's XFS filesystem, in the AIL push path around xfsaild_push_item(). That function invokes the item's iop_push() callback, which may drop the AIL lock while it works. While the lock is dropped, background inode reclaim or the dquot shrinker can free the log item. Code that runs after the callback returns, specifically the tracepoints in the switch on the push result, then dereferences the freed item. The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The CVSS vector models a local attacker with low privileges, low attack complexity and no user interaction, with high impact on confidentiality, integrity and availability; this is the standard scoring for a kernel use-after-free, which in principle can lead to arbitrary code execution, data corruption or a system crash. Two practical caveats apply. First, the stale dereferences are inside tracepoints, and in the kernel's tracing infrastructure a tracepoint's body only runs when that tracepoint is enabled, so the freed memory is only read on systems where the relevant xfs_ail_push tracepoints are switched on. Second, the item is freed by an asynchronous reclaim or shrinker path, so reaching the window is a race rather than a deterministic step. Both observations are consistent with the low exploit-likelihood ranking given in the summary.
Mitigation is provided through kernel patches available in stable trees, as detailed in the referenced commits: 451c6329d9afa45862c36fe6677eb7750db60617, 7121b22b0bac89394cc4c6a54b5aebc15347bdf5, 79ef34ec0554ec04bdbafafbc9836423734e1bd6, 95fb5d643cc70959baa54cd17f52f80ffc3295e7, and c4d603e8e58a3bf35480135ccca2b4f7238abda5. These patches avoid the dereference by capturing the log item's type, flags and LSN before calling xfsaild_push_item(), and by introducing a new xfs_ail_push_class trace event class that takes those pre-captured values together with the AIL pointer instead of the log item pointer, so nothing after the callback touches memory that may have been freed. Security practitioners should ensure these upstream fixes are included in their kernel updates; whether a given stable kernel carries them is best confirmed by checking for the commit IDs in the tree's history rather than by version number alone.
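The following is an added illustration of the bug shape and of the fix pattern described in the NVD text and the analysis above; it is not the kernel's code. The struct, field and function names are simplified stand-ins (assumptions), and "reclaim freeing the item during the push" is modelled by poisoning the item's fields, the way slab poisoning would, so that the stale read is observable in userspace instead of being undefined behaviour. The vulnerable routine reads the item after the push callback returns, exactly as the tracepoints in the original switch statement did; the fixed routine snapshots type, flags and LSN before the push and only ever traces the snapshot.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the push outcomes the AIL switch statement handles (assumption). */
enum push_result { ITEM_SUCCESS, ITEM_PINNED, ITEM_LOCKED, ITEM_FLUSHING };

/* Stand-in for the parts of a log item that the tracepoints record (assumption). */
struct log_item {
    unsigned int type;
    unsigned int flags;
    uint64_t     lsn;
    int          freed;   /* simulation only: set when "reclaim" frees the item */
};

/* What a tracepoint would copy into its ring-buffer entry. */
struct trace_entry {
    enum push_result event;
    unsigned int     type;
    unsigned int     flags;
    uint64_t         lsn;
};

/* Values mimicking slab poisoning of freed memory (constructed for the simulation). */
#define POISON_U32 0x6b6b6b6bU
#define POISON_U64 0x6b6b6b6b6b6b6b6bULL

/*
 * Simulated iop_push(): the real callback may drop the AIL lock while it
 * works, and background reclaim or the dquot shrinker can free the item in
 * that window. Here the race is a parameter, and "freeing" poisons the
 * fields instead of calling free() so the stale read stays observable.
 */
static enum push_result iop_push(struct log_item *lip, int reclaim_races)
{
    if (reclaim_races) {
        lip->freed = 1;
        lip->type  = POISON_U32;
        lip->flags = POISON_U32;
        lip->lsn   = POISON_U64;
    }
    return ITEM_SUCCESS;
}

static void record(struct trace_entry *ent, enum push_result ev,
                   unsigned int type, unsigned int flags, uint64_t lsn)
{
    ent->event = ev; ent->type = type; ent->flags = flags; ent->lsn = lsn;
}

/* Vulnerable shape: every trace case reads lip AFTER iop_push() returned. */
static int push_and_trace_vulnerable(struct log_item *lip, int reclaim_races,
                                     struct trace_entry *ent)
{
    enum push_result res = iop_push(lip, reclaim_races);

    switch (res) {                     /* lip may be freed by now: use-after-free */
    case ITEM_SUCCESS:  record(ent, res, lip->type, lip->flags, lip->lsn); break;
    case ITEM_PINNED:   record(ent, res, lip->type, lip->flags, lip->lsn); break;
    case ITEM_LOCKED:   record(ent, res, lip->type, lip->flags, lip->lsn); break;
    case ITEM_FLUSHING: record(ent, res, lip->type, lip->flags, lip->lsn); break;
    }
    return lip->freed;                 /* 1 means the trace read freed memory */
}

/* Fixed shape: snapshot the fields while the item is valid, trace only the snapshot. */
static int push_and_trace_fixed(struct log_item *lip, int reclaim_races,
                                struct trace_entry *ent)
{
    unsigned int type  = lip->type;    /* captured before the lock can be dropped */
    unsigned int flags = lip->flags;
    uint64_t     lsn   = lip->lsn;
    enum push_result res = iop_push(lip, reclaim_races);

    switch (res) {                     /* lip is never dereferenced below this line */
    case ITEM_SUCCESS:  record(ent, res, type, flags, lsn); break;
    case ITEM_PINNED:   record(ent, res, type, flags, lsn); break;
    case ITEM_LOCKED:   record(ent, res, type, flags, lsn); break;
    case ITEM_FLUSHING: record(ent, res, type, flags, lsn); break;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample item; a copy is used for each variant. */
    struct log_item a = { .type = 0x123b, .flags = 0x1, .lsn = 0x100000002ULL, .freed = 0 };
    struct log_item b = a;
    struct trace_entry ev, ef;

    int touched = push_and_trace_vulnerable(&a, 1, &ev);
    push_and_trace_fixed(&b, 1, &ef);

    printf("vulnerable: read freed memory=%d, traced type=0x%x lsn=0x%llx\n",
           touched, ev.type, (unsigned long long)ev.lsn);
    printf("fixed:      traced type=0x%x lsn=0x%llx\n",
           ef.type, (unsigned long long)ef.lsn);
    return 0;
}
```

When the simulated race fires, the vulnerable variant records the poison pattern in the trace entry (in a real kernel this would be whatever the slab now holds, or a fault if the page was unmapped), while the fixed variant records the values the item had before the push. Without the race both variants trace the same data, which is why this class of bug is easy to miss in testing.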
Details
- CWE(s)