{ "threat_severity" : "Important", "public_date" : "2026-04-24T00:00:00Z", "bugzilla" : { "description" : "kernel: mm: blk-cgroup: fix use-after-free in cgwb_release_workfn()", "id" : "2461465", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2461465" }, "cvss3" : { "cvss3_base_score" : "7.0", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status" : "draft" }, "cwe" : "CWE-366", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmm: blk-cgroup: fix use-after-free in cgwb_release_workfn()\ncgwb_release_workfn() calls css_put(wb->blkcg_css) and then later accesses\nwb->blkcg_css again via blkcg_unpin_online(). If css_put() drops the last\nreference, the blkcg can be freed asynchronously (css_free_rwork_fn ->\nblkcg_css_free -> kfree) before blkcg_unpin_online() dereferences the\npointer to access blkcg->online_pin, resulting in a use-after-free:\nBUG: KASAN: slab-use-after-free in blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367)\nWrite of size 4 at addr ff11000117aa6160 by task kworker/71:1/531\nWorkqueue: cgwb_release cgwb_release_workfn\nCall Trace:\n\nblkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367)\ncgwb_release_workfn (mm/backing-dev.c:629)\nprocess_scheduled_works (kernel/workqueue.c:3278 kernel/workqueue.c:3385)\nFreed by task 1016:\nkfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6246 mm/slub.c:6561)\ncss_free_rwork_fn (kernel/cgroup/cgroup.c:5542)\nprocess_scheduled_works (kernel/workqueue.c:3302 kernel/workqueue.c:3385)\n** Stack based on commit 66672af7a095 (\"Add linux-next specific files\nfor 20260410\")\nI am seeing this crash sporadically in Meta fleet across multiple kernel\nversions. A full reproducer is available at:\nhttps://github.com/leitao/debug/blob/main/reproducers/repro_blkcg_uaf.sh\n(The race window is narrow. To make it easily reproducible, inject a\nmsleep(100) between css_put() and blkcg_unpin_online() in\ncgwb_release_workfn(). With that delay and a KASAN-enabled kernel, the\nreproducer triggers the splat reliably in less than a second.)\nFix this by moving blkcg_unpin_online() before css_put(), so the\ncgwb's CSS reference keeps the blkcg alive while blkcg_unpin_online()\naccesses it.", "A flaw was found in the Linux kernel's block control group (blk-cgroup) component. A timing issue in the cgwb_release_workfn() function can lead to a use-after-free vulnerability. This occurs when a block control group object is prematurely released while still being referenced. A local attacker could exploit this to cause system instability or a denial of service." ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Under investigation", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31586\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31586\nhttps://lore.kernel.org/linux-cve-announce/2026042413-CVE-2026-31586-3a32@gregkh/T" ], "name" : "CVE-2026-31586", "csaw" : false }