CVE-2026-53129

mbcachedestroy() calls shrinkerfree() and then frees all cache entries and the cache itself, but it does not cancel the pending cshrink_work work item first.

If mbcacheentrycreate() schedules cshrinkwork via schedulework() and the work item is still pending or running when mbcachedestroy() runs, mbcacheshrink_worker() will access the cache after its memory has been freed, causing a use-after-free.

This is only reachable by a privileged user (root or CAPSYSADMIN) who can trigger the last put of a mounted ext2/ext4/ocfs2 filesystem.

Cancel the work item with cancelworksync() before calling shrinker_free(), ensuring the worker has finished and will not be rescheduled before the cache is torn down.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53129.json",
    "cna_assigner": "Linux"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

c2f3140fe2eceb3a6c1615b2648b9471544881c6

Fixed

a88d39a74a208e197c03bffaa2df34de732af19f

Fixed

0e4eff315d799f5842b95872199b0f0fb8ef5f51

Fixed

b25fd3523bef88fb7ffd4c5b63bbe9c08f73bb4c

Fixed

d227786ab1119669df4dc333a61510c52047cce4

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-53129.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.6.0

Fixed

6.12.91

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.18.33

Type: ECOSYSTEM
Events: Introduced

6.19.0

Fixed

7.0.10

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-53129.json"