writeback: Fix use after free in inode_switch_wbs_work_fn()
Summary
| CVE | CVE-2026-31703 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-01 14:16:20 UTC |
| Updated | 2026-05-03 07:16:17 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: writeback: Fix use after free in inode_switch_wbs_work_fn() inode_switch_wbs_work_fn() has a loop like: wb_get(new_wb); while (1) { list = llist_del_all(&new_wb->switch_wbs_ctxs); /* Nothing to do? */ if (!list) break; ... process the items ... } Now adding of items to the list looks like: wb_queue_isw() if (llist_add(&isw->list, &wb->switch_wbs_ctxs)) queue_work(isw_wq, &wb->switch_work); Because inode_switch_wbs_work_fn() loops when processing isw items, it can happen that wb->switch_work is pending while wb->switch_wbs_ctxs is empty. This is a problem because in that case wb can get freed (no isw items -> no wb reference) while the work is still pending causing use-after-free issues. We cannot just fix this by cancelling work when freeing wb because that could still trigger problematic 0 -> 1 transitions on wb refcount due to wb_get() in inode_switch_wbs_work_fn(). It could be all handled with more careful code but that seems unnecessarily complex so let's avoid that until it is proven that the looping actually brings practical benefit. Just remove the loop from inode_switch_wbs_work_fn() instead. That way when wb_queue_isw() queues work, we are guaranteed we have added the first item to wb->switch_wbs_ctxs and nobody is going to remove it (and drop the wb reference it holds) until the queued work runs. |
Risk And Classification
Primary CVSS: v3.1 7.8 HIGH from 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.000170000 probability, percentile 0.040880000 (date 2026-05-02)
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | Secondary | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | CNA | DECLARED | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVSS v3.1 Breakdown
Attack Vector
LocalAttack Complexity
LowPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected e1b849cfa6b61f1c866a908c9e8dd9b5aaab820b 028103656b84273c73e9e271cf95c9f3421f4b8a git | Not specified |
| CNA | Linux | Linux | affected e1b849cfa6b61f1c866a908c9e8dd9b5aaab820b 9223e5f30403a9b506d6d0bff4f2e29a2d7d46af git | Not specified |
| CNA | Linux | Linux | affected e1b849cfa6b61f1c866a908c9e8dd9b5aaab820b 6689f01d6740cf358932b3e97ee968c6099800d9 git | Not specified |
| CNA | Linux | Linux | affected 6.18 | Not specified |
| CNA | Linux | Linux | unaffected 6.18 semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18.25 6.18.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.0.2 7.0.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.1-rc1 * original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/9223e5f30403a9b506d6d0bff4f2e29a2d7d46af | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/6689f01d6740cf358932b3e97ee968c6099800d9 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/028103656b84273c73e9e271cf95c9f3421f4b8a | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.