CVE-2026-31454
- Source
- https://cve.org/CVERecord?id=CVE-2026-31454
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31454.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-31454
- Downstream
- Published
- 2026-04-22T13:53:48.242Z
- Modified
- 2026-05-18T05:59:49.069459925Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- xfs: save ailp before dropping the AIL lock in push callbacks
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
xfs: save ailp before dropping the AIL lock in push callbacks
In xfsinodeitempush() and xfsqmdquotlogitempush(), the AIL lock is dropped to perform buffer IO. Once the cluster buffer no longer protects the log item from reclaim, the log item may be freed by background reclaim or the dquot shrinker. The subsequent spinlock() call dereferences lip->li_ailp, which is a use-after-free.
Fix this by saving the ailp pointer in a local variable while the AIL lock is held and the log item is guaranteed to be valid.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31454.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/stable/c/19437e4f7bb909afde832b39372aa2f3ce3cfd88
- https://git.kernel.org/stable/c/394d70b86fae9fe865e7e6d9540b7696f73aa9b6
- https://git.kernel.org/stable/c/4c7d50147316cf049462f327c4a3e9dc2b7f1dd0
- https://git.kernel.org/stable/c/50f5f056807b7bed74f4f307f2ca0ed92f3e556d
- https://git.kernel.org/stable/c/6dbe17f19c290a72ce57d5abc70e1fad0c3e14e5
- https://git.kernel.org/stable/c/75669e987137f49c99ca44406bf0200d1892dd16
- https://git.kernel.org/stable/c/d8fc60bbaf5aea1604bf9f4ed565da6a1ac7a87d
- https://git.kernel.org/stable/c/edd1637d4e3911ab6c760f553f2040fe72f61a13
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31454.json
- https://nvd.nist.gov/vuln/detail/CVE-2026-31454
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced90c60e16401248a4900f3f9387f563d0178dcf34Fixededd1637d4e3911ab6c760f553f2040fe72f61a13Fixed19437e4f7bb909afde832b39372aa2f3ce3cfd88Fixed6dbe17f19c290a72ce57d5abc70e1fad0c3e14e5Fixed75669e987137f49c99ca44406bf0200d1892dd16Fixedd8fc60bbaf5aea1604bf9f4ed565da6a1ac7a87dFixed50f5f056807b7bed74f4f307f2ca0ed92f3e556dFixed4c7d50147316cf049462f327c4a3e9dc2b7f1dd0Fixed394d70b86fae9fe865e7e6d9540b7696f73aa9b6
Linux / Kernel
Package
- Name
- Kernel
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced5.9.0Fixed5.10.253
- Type
- ECOSYSTEM
- Events
-
Introduced5.11.0Fixed5.15.203
- Type
- ECOSYSTEM
- Events
-
Introduced5.16.0Fixed6.1.168
- Type
- ECOSYSTEM
- Events
-
Introduced6.2.0Fixed6.6.131
- Type
- ECOSYSTEM
- Events
-
Introduced6.7.0Fixed6.12.80
- Type
- ECOSYSTEM
- Events
-
Introduced6.13.0Fixed6.18.21
- Type
- ECOSYSTEM
- Events
-
Introduced6.19.0Fixed6.19.11