CVE-2026-31586

Source
https://cve.org/CVERecord?id=CVE-2026-31586
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31586.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-31586
Published
2026-04-24T14:42:14.937Z
Modified
2026-06-18T03:56:31.892630357Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
mm: blk-cgroup: fix use-after-free in cgwb_release_workfn()
Details

In the Linux kernel, the following vulnerability has been resolved:

mm: blk-cgroup: fix use-after-free in cgwb_release_workfn()

cgwb_release_workfn() calls css_put(wb->blkcg_css) and then later accesses wb->blkcg_css again via blkcg_unpin_online(). If css_put() drops the last reference, the blkcg can be freed asynchronously (css_free_rwork_fn -> blkcg_css_free -> kfree) before blkcg_unpin_online() dereferences the pointer to access blkcg->online_pin, resulting in a use-after-free:

  BUG: KASAN: slab-use-after-free in blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367)
  Write of size 4 at addr ff11000117aa6160 by task kworker/71:1/531
  Workqueue: cgwb_release cgwb_release_workfn
  Call Trace:
   <TASK>
    blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367)
    cgwb_release_workfn (mm/backing-dev.c:629)
    process_scheduled_works (kernel/workqueue.c:3278 kernel/workqueue.c:3385)

  Freed by task 1016:
    kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6246 mm/slub.c:6561)
    css_free_rwork_fn (kernel/cgroup/cgroup.c:5542)
    process_scheduled_works (kernel/workqueue.c:3302 kernel/workqueue.c:3385)

** Stack based on commit 66672af7a095 ("Add linux-next specific files for 20260410")

I am seeing this crash sporadically in Meta fleet across multiple kernel versions. A full reproducer is available at: https://github.com/leitao/debug/blob/main/reproducers/reproblkcguaf.sh

(The race window is narrow. To make it easily reproducible, inject a msleep(100) between css_put() and blkcg_unpin_online() in cgwb_release_workfn(). With that delay and a KASAN-enabled kernel, the reproducer triggers the splat reliably in less than a second.)

Fix this by moving blkcg_unpin_online() before css_put(), so the cgwb's CSS reference keeps the blkcg alive while blkcg_unpin_online() accesses it.
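
The ordering described above, shown as an added userspace C model (not the kernel code and not the patch itself). The *_model names are hypothetical stand-ins for the kernel functions; the release is made immediate instead of asynchronous so the lost race is deterministic, and a freed flag stands in for kfree() so the stale access can be counted rather than executed.

```c
#include <stdbool.h>
#include <stdio.h>

struct blkcg_model {     /* userspace stand-in, not the kernel struct */
    int refcnt;          /* models the css reference count */
    int online_pin;      /* models blkcg->online_pin */
    bool freed;          /* set instead of free(), so a stale access is observable */
};

static int stale_accesses; /* touches of a blkcg after its last ref dropped */

/* Models css_put(). The kernel frees asynchronously; here the release is
 * immediate, i.e. the race is always lost (assumption of this model). */
static void css_put_model(struct blkcg_model *b)
{
    if (--b->refcnt == 0)
        b->freed = true;
}

/* Models blkcg_unpin_online(), which writes to online_pin. */
static void unpin_online_model(struct blkcg_model *b)
{
    if (b->freed) {
        stale_accesses++; /* the write KASAN reports in the kernel */
        return;
    }
    b->online_pin--;
}

/* Models the tail of cgwb_release_workfn(); the wb holds the last reference.
 * unpin_first=false is the pre-fix order, true is the fixed order. */
static int release_model(bool unpin_first)
{
    struct blkcg_model b = { .refcnt = 1, .online_pin = 1, .freed = false };
    struct blkcg_model *blkcg_css = &b; /* models wb->blkcg_css */
    stale_accesses = 0;
    if (unpin_first)
        unpin_online_model(blkcg_css);
    css_put_model(blkcg_css);
    if (!unpin_first)
        unpin_online_model(blkcg_css);
    return stale_accesses;
}

int main(void)
{
    printf("pre-fix: %d stale, fixed: %d stale\n", release_model(false), release_model(true));
    return 0;
}
```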

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31586.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
59b57717fff8b562825d9d25e0180ad7e8048ca9
Fixed
23acef4156c260e8598397a1a2e8b3a23e919893
Fixed
1bd36e93b542d9dd020190c6607c6a3663405195
Fixed
740ba1ebb223f137ff088ab74d533a13f9167bd8
Fixed
115a5266749dcde7fe4127e8623d19c752088f69
Fixed
dfc8292a1d6782c76b626315605e0585a5a18447
Fixed
ea3af09eb87d8f8708c66747fcf1a2762902e839
Fixed
50879a3c1faf06e661090015d59e2127255cff27
Fixed
67cb119d32f35e32acd0393bbeb318b2bb1fdafe
Fixed
8f5857be99f1ed1fa80991c72449541f634626ee

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31586.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced    Fixed
4.19.0        5.10.258
5.11.0        5.15.209
5.16.0        6.1.175
6.2.0         6.6.136
6.7.0         6.12.83
6.13.0        6.18.24
6.19.0        6.19.14
6.20.0        7.0.1
