Cyber Resilience

CVE-2026-31703

High

Published: 01 May 2026

Modified: 06 May 2026
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (3.3rd percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-31703 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 3.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-31703 is a use-after-free vulnerability in the Linux kernel's writeback subsystem, specifically in the inode_switch_wbs_work_fn() function. The function processes items from a lockless list (llist) in a loop while new items can be added concurrently via wb_queue_isw(). Because of this race, the work item can be left pending while the list is already empty, so the associated writeback structure (wb) can be freed while the work remains pending, leading to use-after-free access.

The CVSS vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H describes a local attacker with low privileges and no user interaction. Exploitation involves triggering the race condition during inode switching between writeback contexts, potentially enabling arbitrary code execution, data corruption, or denial of service through the freed memory access.

Patches addressing this vulnerability are available in the Linux kernel stable repository, as documented in the referenced commits: 028103656b84273c73e9e271cf95c9f3421f4b8a, 6689f01d6740cf358932b3e97ee968c6099800d9, and 9223e5f30403a9b506d6d0bff4f2e29a2d7d46af. The fix removes the processing loop from inode_switch_wbs_work_fn() to ensure that queued work always corresponds to at least one item in the list, preventing premature wb freeing and eliminating the use-after-free without introducing complex refcount handling.

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

writeback: Fix use after free in inode_switch_wbs_work_fn()

inode_switch_wbs_work_fn() has a loop like:

    wb_get(new_wb);
    while (1) {
        list = llist_del_all(&new_wb->switch_wbs_ctxs);
        /* Nothing to do? */
        if (!list)
            break;
        ... process the items ...
    }

Now adding of items to the list looks like:

    wb_queue_isw()
        if (llist_add(&isw->list, &wb->switch_wbs_ctxs))
            queue_work(isw_wq, &wb->switch_work);

Because inode_switch_wbs_work_fn() loops when processing isw items, it can happen that wb->switch_work is pending while wb->switch_wbs_ctxs is empty. This is a problem because in that case wb can get freed (no isw items -> no wb reference) while the work is still pending causing use-after-free issues.

We cannot just fix this by cancelling work when freeing wb because that could still trigger problematic 0 -> 1 transitions on wb refcount due to wb_get() in inode_switch_wbs_work_fn(). It could be all handled with more careful code but that seems unnecessarily complex so let's avoid that until it is proven that the looping actually brings practical benefit. Just remove the loop from inode_switch_wbs_work_fn() instead. That way when wb_queue_isw() queues work, we are guaranteed we have added the first item to wb->switch_wbs_ctxs and nobody is going to remove it (and drop the wb reference it holds) until the queued work runs.
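The invariant the commit message relies on (pending work implies at least one list item holding a wb reference) can be checked with a deterministic, single-threaded model of one interleaving. This is an added example, not kernel code or the patch itself; struct wb_model, the racing_adds parameter and pending_without_ref() are hypothetical names, and the concurrent producer is simulated by a call made in the middle of batch processing.

```c
#include <stdbool.h>
#include <stdio.h>
/* Toy model, not kernel code. Field names follow the commit message. */
struct wb_model {
    int refs;          /* wb references; each queued isw item holds one */
    int ctxs;          /* items on wb->switch_wbs_ctxs */
    bool work_pending; /* wb->switch_work queued but not yet run */
};

/* wb_queue_isw(): llist_add() returns true only when the list was empty. */
static void wb_queue_isw(struct wb_model *wb)
{
    bool was_empty = (wb->ctxs == 0);
    wb->refs++;
    wb->ctxs++;
    if (was_empty)
        wb->work_pending = true;   /* queue_work(isw_wq, &wb->switch_work) */
}

/* Work function; racing_adds items arrive while the first batch is processed. */
static void work_fn(struct wb_model *wb, bool loop, int racing_adds)
{
    wb->work_pending = false;      /* workqueue clears pending before the call */
    wb->refs++;                    /* wb_get(new_wb) */
    do {
        int batch = wb->ctxs;      /* llist_del_all() */
        wb->ctxs = 0;
        if (!batch)
            break;                 /* nothing to do */
        for (; racing_adds > 0; racing_adds--)
            wb_queue_isw(wb);      /* producer sees the now-empty list */
        wb->refs -= batch;         /* processed items drop their references */
    } while (loop);
    wb->refs--;                    /* wb_put(new_wb) */
}

/* True if work is left pending with no reference keeping wb alive. */
static bool pending_without_ref(bool loop)
{
    struct wb_model wb = {0};
    wb_queue_isw(&wb);
    work_fn(&wb, loop, 1);
    return wb.work_pending && wb.refs == 0;
}

int main(void)
{
    printf("loop: %d, no loop: %d\n", pending_without_ref(true), pending_without_ref(false));
}
```

With the loop, the second iteration consumes the racing item and drops its reference, leaving the work queued against a wb nothing pins; without the loop, that item stays on the list until the queued work runs.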

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel UAF race condition enables arbitrary code execution from low-privileged context, directly mapping to exploitation for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111 (Same product: Linux Linux Kernel)
CVE-2026-31530 (Same product: Linux Linux Kernel)
CVE-2026-43019 (Same product: Linux Linux Kernel)
CVE-2026-23158 (Same product: Linux Linux Kernel)
CVE-2025-21893 (Same product: Linux Linux Kernel)
CVE-2026-31446 (Same product: Linux Linux Kernel)
CVE-2026-31650 (Same product: Linux Linux Kernel)
CVE-2026-23001 (Same product: Linux Linux Kernel)
CVE-2024-50051 (Same product: Linux Linux Kernel)
CVE-2025-21759 (Same product: Linux Linux Kernel)

Affected Assets

linux
linux kernel
7.1 · 6.18 — 6.18.25 · 6.19 — 7.0.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent

Directly mitigates the use-after-free vulnerability by requiring identification, testing, and timely deployment of the specific Linux kernel patches available for CVE-2026-31703.

prevent

Implements memory protection safeguards such as kernel ASLR and non-executable memory regions that complicate exploitation of the use-after-free even in unpatched systems.

detect

Enables detection of vulnerable kernel versions through vulnerability scanning, facilitating prompt remediation of the race condition leading to use-after-free.
