CVE-2026-31703
Published: 01 May 2026
Summary
CVE-2026-31703 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 3.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-31703 is a use-after-free vulnerability in the Linux kernel's writeback subsystem, specifically within the inode_switch_wbs_work_fn() function. The issue arises from a race condition where the function processes items from a lockless list (llist) in a loop, while new items can be added concurrently via wb_queue_isw(). This can result in the work item being queued even after the list is emptied, allowing the associated writeback structure (wb) to be freed prematurely while the work remains pending, leading to use-after-free access.
The CVSS vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H indicates that a local attacker with low privileges can exploit this vulnerability without any user interaction. Exploitation involves triggering the race condition during inode switching between writeback contexts; the resulting access to freed memory can potentially enable arbitrary code execution, data corruption, or denial of service.
Patches addressing this vulnerability are available in the Linux kernel stable repository, as documented in the referenced commits: 028103656b84273c73e9e271cf95c9f3421f4b8a, 6689f01d6740cf358932b3e97ee968c6099800d9, and 9223e5f30403a9b506d6d0bff4f2e29a2d7d46af. The fix removes the processing loop from inode_switch_wbs_work_fn() to ensure that queued work always corresponds to at least one item in the list, preventing premature wb freeing and eliminating the use-after-free without introducing complex refcount handling.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26512
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

writeback: Fix use after free in inode_switch_wbs_work_fn()

inode_switch_wbs_work_fn() has a loop like:

    wb_get(new_wb);
    while (1) {
        list = llist_del_all(&new_wb->switch_wbs_ctxs);
        /* Nothing to do? */
        if (!list)
            break;
        ... process the items ...
    }

Now adding of items to the list looks like:

    wb_queue_isw()
        if (llist_add(&isw->list, &wb->switch_wbs_ctxs))
            queue_work(isw_wq, &wb->switch_work);

Because inode_switch_wbs_work_fn() loops when processing isw items, it can happen that wb->switch_work is pending while wb->switch_wbs_ctxs is empty. This is a problem because in that case wb can get freed (no isw items -> no wb reference) while the work is still pending causing use-after-free issues.

We cannot just fix this by cancelling work when freeing wb because that could still trigger problematic 0 -> 1 transitions on wb refcount due to wb_get() in inode_switch_wbs_work_fn(). It could be all handled with more careful code but that seems unnecessarily complex so let's avoid that until it is proven that the looping actually brings practical benefit.

Just remove the loop from inode_switch_wbs_work_fn() instead. That way when wb_queue_isw() queues work, we are guaranteed we have added the first item to wb->switch_wbs_ctxs and nobody is going to remove it (and drop the wb reference it holds) until the queued work runs.
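The race described in the analysis and in the commit message, as an added single-threaded model in C (hypothetical code written for this page, not kernel code and not taken from the referenced commits). The names wb_get, wb_put, wb_queue_isw, switch_work_fn and simulate, and the counter-based bookkeeping, are assumptions that stand in for the kernel's llist, workqueue and wb refcount; the model assumes one concurrent wb_queue_isw() arrives right after the work function's first drain of the list.

```c
#include <stdbool.h>
/* Toy single-threaded model of the wb/isw lifecycle: hypothetical, not kernel code. */
struct wb {
    int refcnt;         /* one ref per queued isw, plus the work fn's own wb_get() */
    int queued_items;   /* items on switch_wbs_ctxs */
    bool work_pending;  /* switch_work is queued */
    bool freed;         /* refcount reached zero */
    bool use_after_free;
};

static void wb_get(struct wb *wb) { wb->refcnt++; }
static void wb_put(struct wb *wb) { if (--wb->refcnt == 0) wb->freed = true; }
/* wb_queue_isw(): llist_add() reports "list was empty", which triggers queue_work(). */
static void wb_queue_isw(struct wb *wb)
{
    wb_get(wb);                       /* the isw holds a wb reference */
    if (wb->queued_items++ == 0)
        wb->work_pending = true;      /* queue_work(isw_wq, &wb->switch_work) */
}

/* inode_switch_wbs_work_fn(); `loop` selects the pre-fix draining loop.
 * `racer` fires one concurrent wb_queue_isw() right after the first drain. */
static void switch_work_fn(struct wb *wb, bool loop, bool *racer)
{
    if (wb->freed) { wb->use_after_free = true; return; }
    wb_get(wb);
    do {
        int n = wb->queued_items;     /* llist_del_all() */
        wb->queued_items = 0;
        if (!n) break;                /* Nothing to do? */
        while (n--)
            wb_put(wb);               /* each processed isw drops its reference */
        if (*racer) { *racer = false; wb_queue_isw(wb); }
    } while (loop);
    wb_put(wb);
}

/* Drive the workqueue until nothing is pending; report whether freed memory was touched. */
static bool simulate(bool loop)
{
    struct wb wb = { 0 };
    bool racer = true;
    wb_queue_isw(&wb);                /* the first isw queues switch_work */
    while (wb.work_pending) {
        wb.work_pending = false;      /* the workqueue clears PENDING before running */
        switch_work_fn(&wb, loop, &racer);
    }
    return wb.use_after_free;         /* true with the loop, false without */
}
```

With the loop, the racing wb_queue_isw() re-queues the work while the draining loop then empties the list and drops the last reference, so the re-run touches freed memory; without the loop, the queued item's reference keeps wb alive until that run happens.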
- CWE(s): CWE-416 (Use After Free)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A local kernel use-after-free race condition enables arbitrary code execution from a low-privileged context, which maps directly to Exploitation for Privilege Escalation (T1068).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the use-after-free by requiring identification, testing, and timely deployment of the Linux kernel patches available for CVE-2026-31703.
- Memory protection safeguards such as kernel ASLR and non-executable memory regions complicate exploitation of the use-after-free even on unpatched systems.
- RA-5 (Vulnerability Monitoring and Scanning): enables detection of vulnerable kernel versions through vulnerability scanning, facilitating prompt remediation of the race condition that leads to the use-after-free.