{
  "public_date" : "2026-04-24T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: bcache: fix cached_dev.sb_bio use-after-free and crash",
    "id" : "2461464",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2461464"
  },
  "cwe" : "CWE-367",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nbcache: fix cached_dev.sb_bio use-after-free and crash\nIn our production environment, we have received multiple crash reports\nregarding libceph, which have caught our attention:\n```\n[6888366.280350] Call Trace:\n[6888366.280452]  blk_update_request+0x14e/0x370\n[6888366.280561]  blk_mq_end_request+0x1a/0x130\n[6888366.280671]  rbd_img_handle_request+0x1a0/0x1b0 [rbd]\n[6888366.280792]  rbd_obj_handle_request+0x32/0x40 [rbd]\n[6888366.280903]  __complete_request+0x22/0x70 [libceph]\n[6888366.281032]  osd_dispatch+0x15e/0xb40 [libceph]\n[6888366.281164]  ? inet_recvmsg+0x5b/0xd0\n[6888366.281272]  ? ceph_tcp_recvmsg+0x6f/0xa0 [libceph]\n[6888366.281405]  ceph_con_process_message+0x79/0x140 [libceph]\n[6888366.281534]  ceph_con_v1_try_read+0x5d7/0xf30 [libceph]\n[6888366.281661]  ceph_con_workfn+0x329/0x680 [libceph]\n```\nAfter analyzing the coredump file, we found that the address of\ndc->sb_bio has been freed. We know that cached_dev is only freed when it\nis stopped.\nSince sb_bio is a part of struct cached_dev, rather than an alloc every\ntime.  If the device is stopped while writing to the superblock, the\nreleased address will be accessed at endio.\nThis patch hopes to wait for sb_write to complete in cached_dev_free.\nIt should be noted that we analyzed the cause of the problem, then tell\nall details to the QWEN and adopted the modifications it made.", "A flaw was found in the Linux kernel's bcache component. This use-after-free vulnerability occurs when a cached device is stopped while an I/O operation, specifically writing to the superblock, is still in progress. This timing issue can lead to the system attempting to access memory that has already been freed, resulting in a system crash and a Denial of Service (DoS)." ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31580\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31580\nhttps://lore.kernel.org/linux-cve-announce/2026042411-CVE-2026-31580-7d94@gregkh/T" ],
  "name" : "CVE-2026-31580",
  "csaw" : false
}