CVE-2026-31703

Description

In the Linux kernel, the following vulnerability has been resolved: writeback: Fix use after free in inode_switch_wbs_work_fn() inode_switch_wbs_work_fn() has a loop like: wb_get(new_wb); while (1) { list = llist_del_all(&new_wb->switch_wbs_ctxs); /* Nothing to do? */ if (!list) break; ... process the items ... } Now adding of items to the list looks like: wb_queue_isw() if (llist_add(&isw->list, &wb->switch_wbs_ctxs)) queue_work(isw_wq, &wb->switch_work); Because inode_switch_wbs_work_fn() loops when processing isw items, it can happen that wb->switch_work is pending while wb->switch_wbs_ctxs is empty. This is a problem because in that case wb can get freed (no isw items -> no wb reference) while the work is still pending causing use-after-free issues. We cannot just fix this by cancelling work when freeing wb because that could still trigger problematic 0 -> 1 transitions on wb refcount due to wb_get() in inode_switch_wbs_work_fn(). It could be all handled with more careful code but that seems unnecessarily complex so let's avoid that until it is proven that the looping actually brings practical benefit. Just remove the loop from inode_switch_wbs_work_fn() instead. That way when wb_queue_isw() queues work, we are guaranteed we have added the first item to wb->switch_wbs_ctxs and nobody is going to remove it (and drop the wb reference it holds) until the queued work runs.

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:* - VULNERABLE

Linux Kernel (具体受影响版本请参考官方Git补丁)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

/*
 * Conceptual PoC for CVE-2026-31703
 * This code simulates the race condition in the kernel.
 * Actual exploitation requires a specific environment and kernel version.
 */

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/fs.h>

// Conceptual trigger function
void trigger_vulnerability(void) {
    // In a real scenario, this involves heavy file I/O operations
    // that trigger wb (writeback) switching frequently.
    // The goal is to hit the window where switch_wbs_ctxs is empty
    // but switch_work is pending.
    
    // Simulating wb_queue_isw adding items
    // while inode_switch_wbs_work_fn is looping.
    
    printk(KERN_INFO "Attempting to trigger CVE-2026-31703 race condition...\n");
    
    // Loop to increase probability of hitting the race
    for (int i = 0; i < 10000; i++) {
        // Perform operations that dirty pages and trigger writeback
        // (e.g., write to a file, sync)
    }
}

int init_module(void) {
    printk(KERN_INFO "CVE-2026-31703 PoC Module Loaded\n");
    trigger_vulnerability();
    return 0;
}

void cleanup_module(void) {
    printk(KERN_INFO "CVE-2026-31703 PoC Module Unloaded\n");
}

MODULE_LICENSE("GPL");

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-31703
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-31703
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-31703/
[4] VulDB https://vuldb.com/cve/CVE-2026-31703
[5] https://git.kernel.org/stable/c/028103656b84273c73e9e271cf95c9f3421f4b8a
[6] https://git.kernel.org/stable/c/6689f01d6740cf358932b3e97ee968c6099800d9
[7] https://git.kernel.org/stable/c/9223e5f30403a9b506d6d0bff4f2e29a2d7d46af

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-31703", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-01T14:16:20.263", "lastModified": "2026-05-06T18:42:19.980", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwriteback: Fix use after free in inode_switch_wbs_work_fn()\n\ninode_switch_wbs_work_fn() has a loop like:\n\n wb_get(new_wb);\n while (1) {\n list = llist_del_all(&new_wb->switch_wbs_ctxs);\n /* Nothing to do? */\n if (!list)\n break;\n ... process the items ...\n }\n\nNow adding of items to the list looks like:\n\nwb_queue_isw()\n if (llist_add(&isw->list, &wb->switch_wbs_ctxs))\n queue_work(isw_wq, &wb->switch_work);\n\nBecause inode_switch_wbs_work_fn() loops when processing isw items, it\ncan happen that wb->switch_work is pending while wb->switch_wbs_ctxs is\nempty. This is a problem because in that case wb can get freed (no isw\nitems -> no wb reference) while the work is still pending causing\nuse-after-free issues.\n\nWe cannot just fix this by cancelling work when freeing wb because that\ncould still trigger problematic 0 -> 1 transitions on wb refcount due to\nwb_get() in inode_switch_wbs_work_fn(). It could be all handled with\nmore careful code but that seems unnecessarily complex so let's avoid\nthat until it is proven that the looping actually brings practical\nbenefit. Just remove the loop from inode_switch_wbs_work_fn() instead.\nThat way when wb_queue_isw() queues work, we are guaranteed we have\nadded the first item to wb->switch_wbs_ctxs and nobody is going to\nremove it (and drop the wb reference it holds) until the queued work\nruns."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "6.18.25", "matchCriteriaId": "5C53A705-D2E9-401E-9B1B-DBC8C4FE5181"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "7.0.2", "matchCriteriaId": "1BD58F1E-7C20-4C0D-92A2-FAC5CBFBE8A8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "B1EF7059-E670-45F4-B422-54C40FA86390"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*", "matchCriteriaId": "0D38F0BF-A728-4133-A358-D44A2F7EE6D6"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/028103656b84273c73e9e271cf95c9f3421f4b8a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/6689f01d6740cf358932b3e97ee968c6099800d9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/9223e5f30403a9b506d6d0bff4f2e29a2d7d46af", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}