In the Linux kernel, the following vulnerability has been resolved:
ext4: fix use-after-free in update_super_work when racing with umount
Commit b98535d09179 ("ext4: fix bug_on in start_this_handle during umount filesystem") moved ext4_unregister_sysfs() before flushing s_sb_upd_work to prevent new error work from being queued via /proc/fs/ext4/xx/mb_groups reads during unmount. However, this introduced a use-after-free because update_super_work calls ext4_notify_error_sysfs() -> sysfs_notify() which accesses the kobject's kernfs_node after it has been freed by kobject_del() in ext4_unregister_sysfs():

  update_super_work                  ext4_put_super
  -----------------                  --------------
                                     ext4_unregister_sysfs(sb)
                                       kobject_del(&sbi->s_kobj)
                                         __kobject_del()
                                           sysfs_remove_dir()
                                             kobj->sd = NULL
                                           sysfs_put(sd)
                                             kernfs_put()  // RCU free
  ext4_notify_error_sysfs(sbi)
    sysfs_notify(&sbi->s_kobj)
      kn = kobj->sd   // stale pointer
      kernfs_get(kn)  // UAF on freed kernfs_node
                                     ext4_journal_destroy()
                                       flush_work(&sbi->s_sb_upd_work)

Instead of reordering the teardown sequence, fix this by making ext4_notify_error_sysfs() detect that sysfs has already been torn down by checking s_kobj.state_in_sysfs, and skipping the sysfs_notify() call in that case. A dedicated mutex (s_error_notify_mutex) serializes ext4_notify_error_sysfs() against kobject_del() in ext4_unregister_sysfs() to prevent TOCTOU races where the kobject could be deleted between the state_in_sysfs check and the sysfs_notify() call.
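
The check-under-lock pattern described above, as an added userspace model (not the kernel patch and not ext4 code). The struct layouts, the model_* helpers and the "freed" marker are simplified assumptions, and a pthread mutex stands in for the kernel mutex.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stddef.h>

/* Userspace model: simplified stand-ins, not kernel code. */
struct node { bool freed; int notified; };              /* kernfs_node */
struct kobj { struct node *sd; bool state_in_sysfs; };  /* kobject */
struct sbi  { struct kobj s_kobj; pthread_mutex_t s_error_notify_mutex; };
enum outcome { NOTIFIED, SKIPPED, USED_FREED_NODE };
/* kobject_del(): the node is only marked freed, so a stale use is observable. */
static void model_kobject_del(struct kobj *k) {
    if (k->sd) k->sd->freed = true;
    k->sd = NULL;
    k->state_in_sysfs = false;
}
/* The part of sysfs_notify() that touches the node (kernfs_get and after). */
static enum outcome model_use_node(struct node *kn) {
    if (!kn) return SKIPPED;
    if (kn->freed) return USED_FREED_NODE;
    kn->notified++;
    return NOTIFIED;
}
/* Pre-fix interleaving: pointer loaded, umount tears down, pointer used. */
enum outcome unpatched_race(struct sbi *s) {
    struct node *kn = s->s_kobj.sd;
    model_kobject_del(&s->s_kobj);
    return model_use_node(kn);
}
/* Post-fix teardown: kobject_del() runs only with the mutex held. */
void patched_unregister(struct sbi *s) {
    pthread_mutex_lock(&s->s_error_notify_mutex);
    model_kobject_del(&s->s_kobj);
    pthread_mutex_unlock(&s->s_error_notify_mutex);
}
/* Post-fix notify: check and use form one critical section (no TOCTOU). */
enum outcome patched_notify(struct sbi *s) {
    enum outcome r = SKIPPED;
    pthread_mutex_lock(&s->s_error_notify_mutex);
    if (s->s_kobj.state_in_sysfs) r = model_use_node(s->s_kobj.sd);
    pthread_mutex_unlock(&s->s_error_notify_mutex);
    return r;
}
int main(void) {
    struct node n = { false, 0 };
    struct sbi s = { { &n, true }, PTHREAD_MUTEX_INITIALIZER };
    patched_unregister(&s);
    return patched_notify(&s) == SKIPPED ? 0 : 1;
}
```

Because teardown and notify take the same mutex, the state_in_sysfs check cannot go stale before the node is used; a notify that loses the race skips instead of touching the freed node.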
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31446.json",
"cna_assigner": "Linux"
}