CVE-2026-31454
Published: 22 April 2026
Summary
CVE-2026-31454 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 2.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 mandates timely flaw remediation, directly addressing this use-after-free vulnerability by requiring application of the upstream Linux kernel patches that save the AIL pointer before dropping the lock.
SI-16 enforces memory protections that mitigate exploitation of the use-after-free in xfs_inode_item_push() and xfs_qm_dquot_logitem_push() by restricting unauthorized memory access, modification, or execution.
RA-5 requires vulnerability scanning to identify systems running vulnerable Linux kernel versions affected by this XFS use-after-free CVE, enabling proactive remediation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local use-after-free in kernel XFS enables arbitrary code execution from low-privileged context, directly mapping to exploitation for privilege escalation.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: xfs: save ailp before dropping the AIL lock in push callbacks In xfs_inode_item_push() and xfs_qm_dquot_logitem_push(), the AIL lock is dropped to perform buffer IO. Once the cluster buffer no longer…
more
protects the log item from reclaim, the log item may be freed by background reclaim or the dquot shrinker. The subsequent spin_lock() call dereferences lip->li_ailp, which is a use-after-free. Fix this by saving the ailp pointer in a local variable while the AIL lock is held and the log item is guaranteed to be valid.
Deeper analysisAI
CVE-2026-31454 is a use-after-free vulnerability in the Linux kernel's XFS filesystem implementation, affecting the xfs_inode_item_push() and xfs_qm_dquot_logitem_push() functions. The issue arises when the AIL lock is dropped to perform buffer I/O on a cluster buffer. During this window, the log item is no longer protected from reclaim, allowing background reclaim or the dquot shrinker to free it. A subsequent spin_lock() call then dereferences the freed lip->li_ailp pointer, leading to the use-after-free condition. The vulnerability was published on 2026-04-22 with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability due to its low attack complexity and lack of need for user interaction. Exploitation involves triggering the push callbacks in XFS during scenarios like buffer I/O operations, potentially leading to arbitrary code execution, data corruption, or system crashes given the high impacts on confidentiality, integrity, and availability.
Mitigation requires applying the upstream Linux kernel patches from the stable repository, as detailed in the referenced commits such as 19437e4f7bb909afde832b39372aa2f3ce3cfd88, 394d70b86fae9fe865e7e6d9540b7696f73aa9b6, 4c7d50147316cf049462f327c4a3e9dc2b7f1dd0, 50f5f056807b7bed74f4f307f2ca0ed92f3e556d, and 6dbe17f19c290a72ce57d5abc70e1fad0c3e14e5. These patches resolve the issue by saving the ailp pointer in a local variable while the AIL lock is held, ensuring the log item remains valid before dropping the lock.
Details
- CWE(s)