In the Linux kernel, the following vulnerability has been resolved:
erofs: fix use-after-free on sbi->sync_decompress
z_erofs_decompress_kickoff() can race with filesystem unmount, causing a use-after-free on sbi->sync_decompress.
When I/O completes, z_erofs_endio() calls z_erofs_decompress_kickoff() to queue z_erofs_decompressqueue_work() asynchronously. Then, after all folios are unlocked, the unmount workflow can proceed and sbi will be freed before sbi->sync_decompress is accessed.
Thread (unmount)     I/O completion                        kworker
                     queue_work
                                                           z_erofs_decompressqueue_work
                                                           (all folios are unlocked)
cleanup_mnt
..
erofs_kill_sb
erofs_sb_free
kfree(sbi)
                     access sbi->sync_decompress // UAF!!
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53272.json",
"cna_assigner": "Linux"
}