CVE-2026-23224
- Source
- https://cve.org/CVERecord?id=CVE-2026-23224
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23224.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-23224
- Downstream
- Published
- 2026-02-18T14:53:27.462Z
- Modified
- 2026-02-23T21:17:11.080009Z
- Summary
- erofs: fix UAF issue for file-backed mounts w/ directio option
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
erofs: fix UAF issue for file-backed mounts w/ directio option
[ 9.269940][ T3222] Call trace: [ 9.269948][ T3222] ext4filereaditer+0xac/0x108 [ 9.269979][ T3222] vfsiocbiterread+0xac/0x198 [ 9.269993][ T3222] erofsfileiorqsubmit+0x12c/0x180 [ 9.270008][ T3222] erofsfileiosubmitbio+0x14/0x24 [ 9.270030][ T3222] zerofsrunqueue+0x834/0x8ac [ 9.270054][ T3222] zerofsreadfolio+0x120/0x220 [ 9.270083][ T3222] filemapreadfolio+0x60/0x120 [ 9.270102][ T3222] filemapfault+0xcac/0x1060 [ 9.270119][ T3222] doptemissing+0x2d8/0x1554 [ 9.270131][ T3222] handlemmfault+0x5ec/0x70c [ 9.270142][ T3222] dopagefault+0x178/0x88c [ 9.270167][ T3222] dotranslationfault+0x38/0x54 [ 9.270183][ T3222] domemabort+0x54/0xac [ 9.270208][ T3222] el0da+0x44/0x7c [ 9.270227][ T3222] el0t64synchandler+0x5c/0xf4 [ 9.270253][ T3222] el0t64sync+0x1bc/0x1c0
EROFS may encounter above panic when enabling file-backed mount w/ directio mount option, the root cause is it may suffer UAF in below race condition:
- zerofsreadfolio wq sdiodonewq
- zerofsrunqueue
- erofsfileiosubmitbio
- erofsfileiorq
- vfsiocbiterread
- ext4fileread
- ext4dioreaditer
- iomapdiorw
: bio was submitted and return -EIOCBQUEUED
- dioaiocompletework
- dio
- dio->iocb->kicomplete (erofsfileiokicomplete())
- kfree(rq) : it frees iocb, iocb.kifilp can be UAF in fileaccessed().
- dioaiocompletework
- iomapdiorw
: bio was submitted and return -EIOCBQUEUED
- fileaccessed : access NULL file point
- erofsfileiosubmitbio
- zerofsrunqueue
Introduce a reference count in struct erofsfileiorq, and initialize it as two, both erofsfileiokicomplete() and erofsfileiorqsubmit() will decrease reference count, the last one decreasing the reference count to zero will free rq.
- zerofsreadfolio wq sdiodonewq
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23224.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/1caf50ce4af096d0280d59a31abdd85703cd995c
- https://git.kernel.org/stable/c/ae385826840a3c8e09bf38cac90adcd690716f57
- https://git.kernel.org/stable/c/b2ee5e4d5446babd23ff7beb4e636be0fb3ea5aa
- https://git.kernel.org/stable/c/d741534302f71c511eb0bb670b92eaa7df4a0aec
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23224.json
- https://nvd.nist.gov/vuln/detail/CVE-2026-23224
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedfb176750266a3d7f42ebdcf28e8ba40350b27847Fixedae385826840a3c8e09bf38cac90adcd690716f57Fixedd741534302f71c511eb0bb670b92eaa7df4a0aecFixedb2ee5e4d5446babd23ff7beb4e636be0fb3ea5aaFixed1caf50ce4af096d0280d59a31abdd85703cd995c