CVE-2026-31465

#include <unistd.h> #include <stdio.h> /* * PoC for CVE-2026-31465: Linux Kernel Writeback Hang * Description: This PoC triggers the sync mechanism on a vulnerable FUSE setup. * Conditions: A FUSE filesystem must be mounted and the daemon must be frozen/unresponsive. */ int main() { printf("[+] Triggering sync to potentially hang the system...\n"); // sync() initiates writeback. On vulnerable kernels with FUSE, // this may block indefinitely if the flusher threads are stuck. sync(); printf("[-] Sync returned. System might not be vulnerable or conditions not met.\n"); return 0; }

{"cve": {"id": "CVE-2026-31465", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-22T14:16:42.633", "lastModified": "2026-05-07T18:27:30.290", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwriteback: don't block sync for filesystems with no data integrity guarantees\n\nAdd a SB_I_NO_DATA_INTEGRITY superblock flag for filesystems that cannot\nguarantee data persistence on sync (eg fuse). For superblocks with this\nflag set, sync kicks off writeback of dirty inodes but does not wait\nfor the flusher threads to complete the writeback.\n\nThis replaces the per-inode AS_NO_DATA_INTEGRITY mapping flag added in\ncommit f9a49aa302a0 (\"fs/writeback: skip AS_NO_DATA_INTEGRITY mappings\nin wait_sb_inodes()\"). The flag belongs at the superblock level because\ndata integrity is a filesystem-wide property, not a per-inode one.\nHaving this flag at the superblock level also allows us to skip having\nto iterate every dirty inode in wait_sb_inodes() only to skip each inode\nindividually.\n\nPrior to this commit, mappings with no data integrity guarantees skipped\nwaiting on writeback completion but still waited on the flusher threads\nto finish initiating the writeback. Waiting on the flusher threads is\nunnecessary. This commit kicks off writeback but does not wait on the\nflusher threads. This change properly addresses a recent report [1] for\na suspend-to-RAM hang seen on fuse-overlayfs that was caused by waiting\non the flusher threads to finish:\n\nWorkqueue: pm_fs_sync pm_fs_sync_work_fn\nCall Trace:\n <TASK>\n __schedule+0x457/0x1720\n schedule+0x27/0xd0\n wb_wait_for_completion+0x97/0xe0\n sync_inodes_sb+0xf8/0x2e0\n __iterate_supers+0xdc/0x160\n ksys_sync+0x43/0xb0\n pm_fs_sync_work_fn+0x17/0xa0\n process_one_work+0x193/0x350\n worker_thread+0x1a1/0x310\n kthread+0xfc/0x240\n ret_from_fork+0x243/0x280\n ret_from_fork_asm+0x1a/0x30\n </TASK>\n\nOn fuse this is problematic because there are paths that may cause the\nflusher thread to block (eg if systemd freezes the user session cgroups\nfirst, which freezes the fuse daemon, before invoking the kernel\nsuspend. The kernel suspend triggers ->write_node() which on fuse issues\na synchronous setattr request, which cannot be processed since the\ndaemon is frozen. Or if the daemon is buggy and cannot properly complete\nwriteback, initiating writeback on a dirty folio already under writeback\nleads to writeback_get_folio() -> folio_prepare_writeback() ->\nunconditional wait on writeback to finish, which will cause a hang).\nThis commit restores fuse to its prior behavior before tmp folios were\nremoved, where sync was essentially a no-op.\n\n[1] https://lore.kernel.org/linux-fsdevel/CAJnrk1a-asuvfrbKXbEwwDSctvemF+6zfhdnuzO65Pt8HsFSRw@mail.gmail.com/T/#m632c4648e9cafc4239299887109ebd880ac6c5c1"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16", "versionEndExcluding": "6.18.21", "matchCriteriaId": "A6CA36DA-3783-4321-81A6-485364836084"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.11", "matchCriteriaId": "4CA2E747-A9EC-4518-9AA2-B4247FC748B7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/5c24a13d8a0466ca0446e58309e51f2606520164", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/76f9377cd2ab7a9220c25d33940d9ca ... (truncated)