CVE-2026-31580
Published: 24 April 2026
Summary
CVE-2026-31580 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 2.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mandates timely patching of the kernel to apply fixes for the bcache use-after-free vulnerability, preventing the race condition during device stop and superblock write.
Vulnerability scanning identifies outdated kernel versions vulnerable to CVE-2026-31580, enabling remediation before exploitation.
Implements memory protections such as kernel hardening features that mitigate exploitation of the use-after-free in bcache by preventing unauthorized memory access.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local low-privileged use-after-free in kernel bcache enables memory corruption with C/I/A high impacts; directly maps to exploitation for privilege escalation (T1068) and system/application exploitation for DoS via crashes (T1499.004).
NVD Description
In the Linux kernel, the following vulnerability has been resolved:
bcache: fix cached_dev.sb_bio use-after-free and crash
In our production environment, we have received multiple crash reports regarding libceph, which have caught our attention:
```
[6888366.280350] Call Trace:
[6888366.280452] blk_update_request+0x14e/0x370
[6888366.280561] blk_mq_end_request+0x1a/0x130
[6888366.280671] rbd_img_handle_request+0x1a0/0x1b0 [rbd]
[6888366.280792] rbd_obj_handle_request+0x32/0x40 [rbd]
[6888366.280903] __complete_request+0x22/0x70 [libceph]
[6888366.281032] osd_dispatch+0x15e/0xb40 [libceph]
[6888366.281164] ? inet_recvmsg+0x5b/0xd0
[6888366.281272] ? ceph_tcp_recvmsg+0x6f/0xa0 [libceph]
[6888366.281405] ceph_con_process_message+0x79/0x140 [libceph]
[6888366.281534] ceph_con_v1_try_read+0x5d7/0xf30 [libceph]
[6888366.281661] ceph_con_workfn+0x329/0x680 [libceph]
```
After analyzing the coredump file, we found that the address of dc->sb_bio has been freed. We know that cached_dev is only freed when it is stopped. Since sb_bio is a part of struct cached_dev, rather than an alloc every time. If the device is stopped while writing to the superblock, the released address will be accessed at endio. This patch hopes to wait for sb_write to complete in cached_dev_free. It should be noted that we analyzed the cause of the problem, then tell all details to the QWEN and adopted the modifications it made.
Deeper analysis
CVE-2026-31580 is a use-after-free vulnerability in the Linux kernel's bcache subsystem, specifically affecting the cached_dev.sb_bio field. This issue arises when a bcache device is stopped during a superblock write operation, leading to the cached_dev structure being freed while an associated sb_bio remains pending. Upon completion of the bio (endio), the freed sb_bio address is accessed, resulting in crashes. The vulnerability has been observed in production environments, particularly in conjunction with libceph, as evidenced by kernel crash traces involving blk_update_request, rbd_img_handle_request, and ceph_con_workfn.
A local attacker with low privileges (AV:L/AC:L/PR:L) can exploit this vulnerability by triggering the race condition between stopping the bcache device and completing a superblock write. Successful exploitation leads to high-impact consequences, including unauthorized access to sensitive data (C:H), modification of data or code (I:H), and system crashes or denial of service (A:H), as scored by CVSS 3.1 at 7.8. The core weakness is classified as CWE-416 (Use After Free).
Kernel patches addressing this issue are available in stable branches via the referenced commits, which modify cached_dev_free to wait for any in-progress sb_write to complete before freeing the structure, thereby preventing the use-after-free. Security practitioners should update to kernels incorporating these fixes, such as those from git.kernel.org stable repositories.
In production deployments, multiple crashes linked to libceph have been reported, highlighting real-world impact on systems using bcache with Ceph RBD. The patch development involved analysis shared with QWEN, which contributed modifications to the fix.
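The lifetime rule behind the fix, as an added userspace model in C (not the kernel patch and not code from this page): a bio embedded in its device has to complete before the device is freed. All names (`model_bio`, `model_cached_dev`, `free_dev`, `stop_during_sb_write`) are hypothetical, and a completion that arrives after the free is counted rather than executed.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Userspace model: every name is hypothetical, none of this is kernel code. */
struct model_bio { void (*end_io)(struct model_bio *); bool in_flight; };
struct model_cached_dev { struct model_bio sb_bio; };  /* embedded member */
static struct model_bio *pending;  /* one-slot stand-in for the block layer */
static bool owner_freed;           /* the pending write outlived its device */
static int late_completions;       /* each one would be a use-after-free */

static void sb_endio(struct model_bio *bio) { bio->in_flight = false; }
static void submit_sb_write(struct model_cached_dev *dc)
{
    dc->sb_bio.end_io = sb_endio;
    dc->sb_bio.in_flight = true;
    pending = &dc->sb_bio;
}

/* The write finishing later, asynchronously to whoever submitted it. */
static void device_complete(void)
{
    if (owner_freed)
        late_completions++;        /* in the kernel: endio on freed memory */
    else if (pending)
        pending->end_io(pending);
    pending = NULL;
    owner_freed = false;
}

static void free_dev(struct model_cached_dev *dc, bool wait_for_sb_write)
{
    while (wait_for_sb_write && dc->sb_bio.in_flight)
        device_complete();         /* stand-in for sleeping until endio */
    if (pending == &dc->sb_bio) {  /* still in flight: record it, never touch */
        pending = NULL;
        owner_freed = true;
    }
    free(dc);
}

/* Stop the device mid-write; returns completions that arrived after free. */
int stop_during_sb_write(bool wait_for_sb_write)
{
    struct model_cached_dev *dc = calloc(1, sizeof(*dc));
    if (!dc) return -1;
    late_completions = 0;
    submit_sb_write(dc);
    free_dev(dc, wait_for_sb_write);
    device_complete();
    return late_completions;
}
```

`stop_during_sb_write(false)` reports one late completion, while `stop_during_sb_write(true)` reports none because the free path drains the superblock write first.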
Details
- CWE(s)