In the Linux kernel, the following vulnerability has been resolved:
mm: blk-cgroup: fix use-after-free in cgwbreleaseworkfn()
cgwbreleaseworkfn() calls cssput(wb->blkcgcss) and then later accesses wb->blkcgcss again via blkcgunpinonline(). If cssput() drops the last reference, the blkcg can be freed asynchronously (cssfreerworkfn -> blkcgcssfree -> kfree) before blkcgunpinonline() dereferences the pointer to access blkcg->onlinepin, resulting in a use-after-free:
BUG: KASAN: slab-use-after-free in blkcgunpinonline (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367) Write of size 4 at addr ff11000117aa6160 by task kworker/71:1/531 Workqueue: cgwbrelease cgwbreleaseworkfn Call Trace: <TASK> blkcgunpinonline (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367) cgwbreleaseworkfn (mm/backing-dev.c:629) processscheduled_works (kernel/workqueue.c:3278 kernel/workqueue.c:3385)
Freed by task 1016: kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6246 mm/slub.c:6561) cssfreerworkfn (kernel/cgroup/cgroup.c:5542) processscheduled_works (kernel/workqueue.c:3302 kernel/workqueue.c:3385)
** Stack based on commit 66672af7a095 ("Add linux-next specific files for 20260410")
I am seeing this crash sporadically in Meta fleet across multiple kernel versions. A full reproducer is available at: https://github.com/leitao/debug/blob/main/reproducers/reproblkcguaf.sh
(The race window is narrow. To make it easily reproducible, inject a msleep(100) between cssput() and blkcgunpinonline() in cgwbrelease_workfn(). With that delay and a KASAN-enabled kernel, the reproducer triggers the splat reliably in less than a second.)
Fix this by moving blkcgunpinonline() before cssput(), so the cgwb's CSS reference keeps the blkcg alive while blkcgunpin_online() accesses it.
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31586.json"
}