{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31586", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.120Z", "datePublished": "2026-04-24T14:42:14.937Z", "dateUpdated": "2026-05-11T22:11:39.362Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:11:39.362Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: blk-cgroup: fix use-after-free in cgwb_release_workfn()\n\ncgwb_release_workfn() calls css_put(wb->blkcg_css) and then later accesses\nwb->blkcg_css again via blkcg_unpin_online(). If css_put() drops the last\nreference, the blkcg can be freed asynchronously (css_free_rwork_fn ->\nblkcg_css_free -> kfree) before blkcg_unpin_online() dereferences the\npointer to access blkcg->online_pin, resulting in a use-after-free:\n\n BUG: KASAN: slab-use-after-free in blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367)\n Write of size 4 at addr ff11000117aa6160 by task kworker/71:1/531\n Workqueue: cgwb_release cgwb_release_workfn\n Call Trace:\n <TASK>\n blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367)\n cgwb_release_workfn (mm/backing-dev.c:629)\n process_scheduled_works (kernel/workqueue.c:3278 kernel/workqueue.c:3385)\n\n Freed by task 1016:\n kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6246 mm/slub.c:6561)\n css_free_rwork_fn (kernel/cgroup/cgroup.c:5542)\n process_scheduled_works (kernel/workqueue.c:3302 kernel/workqueue.c:3385)\n\n** Stack based on commit 66672af7a095 (\"Add linux-next specific files\nfor 20260410\")\n\nI am seeing this crash sporadically in Meta fleet across multiple kernel\nversions. A full reproducer is available at:\nhttps://github.com/leitao/debug/blob/main/reproducers/repro_blkcg_uaf.sh\n\n(The race window is narrow. To make it easily reproducible, inject a\nmsleep(100) between css_put() and blkcg_unpin_online() in\ncgwb_release_workfn(). With that delay and a KASAN-enabled kernel, the\nreproducer triggers the splat reliably in less than a second.)\n\nFix this by moving blkcg_unpin_online() before css_put(), so the\ncgwb's CSS reference keeps the blkcg alive while blkcg_unpin_online()\naccesses it."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["mm/backing-dev.c"], "versions": [{"version": "59b57717fff8b562825d9d25e0180ad7e8048ca9", "lessThan": "115a5266749dcde7fe4127e8623d19c752088f69", "status": "affected", "versionType": "git"}, {"version": "59b57717fff8b562825d9d25e0180ad7e8048ca9", "lessThan": "dfc8292a1d6782c76b626315605e0585a5a18447", "status": "affected", "versionType": "git"}, {"version": "59b57717fff8b562825d9d25e0180ad7e8048ca9", "lessThan": "ea3af09eb87d8f8708c66747fcf1a2762902e839", "status": "affected", "versionType": "git"}, {"version": "59b57717fff8b562825d9d25e0180ad7e8048ca9", "lessThan": "50879a3c1faf06e661090015d59e2127255cff27", "status": "affected", "versionType": "git"}, {"version": "59b57717fff8b562825d9d25e0180ad7e8048ca9", "lessThan": "67cb119d32f35e32acd0393bbeb318b2bb1fdafe", "status": "affected", "versionType": "git"}, {"version": "59b57717fff8b562825d9d25e0180ad7e8048ca9", "lessThan": "8f5857be99f1ed1fa80991c72449541f634626ee", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["mm/backing-dev.c"], "versions": [{"version": "4.19", "status": "affected"}, {"version": "0", "lessThan": "4.19", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.136", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.83", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.24", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.14", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0.1", "lessThanOrEqual": "7.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.1-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19", "versionEndExcluding": "6.6.136"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19", "versionEndExcluding": "6.12.83"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19", "versionEndExcluding": "6.18.24"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19", "versionEndExcluding": "6.19.14"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19", "versionEndExcluding": "7.0.1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19", "versionEndExcluding": "7.1-rc1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/115a5266749dcde7fe4127e8623d19c752088f69"}, {"url": "https://git.kernel.org/stable/c/dfc8292a1d6782c76b626315605e0585a5a18447"}, {"url": "https://git.kernel.org/stable/c/ea3af09eb87d8f8708c66747fcf1a2762902e839"}, {"url": "https://git.kernel.org/stable/c/50879a3c1faf06e661090015d59e2127255cff27"}, {"url": "https://git.kernel.org/stable/c/67cb119d32f35e32acd0393bbeb318b2bb1fdafe"}, {"url": "https://git.kernel.org/stable/c/8f5857be99f1ed1fa80991c72449541f634626ee"}], "title": "mm: blk-cgroup: fix use-after-free in cgwb_release_workfn()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C65C5FE4-6002-4BBA-98A9-87D1F99A643F", "versionEndExcluding": "6.6.136", "versionStartIncluding": "4.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8", "versionEndExcluding": "6.12.83", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8126B8B8-6D0B-4443-86C1-672AEE893555", "versionEndExcluding": "6.18.24", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D6A8A074-BBF4-4803-ABED-519A839435BB", "versionEndExcluding": "6.19.14", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B5888AB-7403-4335-89E4-21CC0B48366A", "versionEndExcluding": "7.0.1", "versionStartIncluding": "7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: blk-cgroup: fix use-after-free in cgwb_release_workfn()\n\ncgwb_release_workfn() calls css_put(wb->blkcg_css) and then later accesses\nwb->blkcg_css again via blkcg_unpin_online(). If css_put() drops the last\nreference, the blkcg can be freed asynchronously (css_free_rwork_fn ->\nblkcg_css_free -> kfree) before blkcg_unpin_online() dereferences the\npointer to access blkcg->online_pin, resulting in a use-after-free:\n\n BUG: KASAN: slab-use-after-free in blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367)\n Write of size 4 at addr ff11000117aa6160 by task kworker/71:1/531\n Workqueue: cgwb_release cgwb_release_workfn\n Call Trace:\n <TASK>\n blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367)\n cgwb_release_workfn (mm/backing-dev.c:629)\n process_scheduled_works (kernel/workqueue.c:3278 kernel/workqueue.c:3385)\n\n Freed by task 1016:\n kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6246 mm/slub.c:6561)\n css_free_rwork_fn (kernel/cgroup/cgroup.c:5542)\n process_scheduled_works (kernel/workqueue.c:3302 kernel/workqueue.c:3385)\n\n** Stack based on commit 66672af7a095 (\"Add linux-next specific files\nfor 20260410\")\n\nI am seeing this crash sporadically in Meta fleet across multiple kernel\nversions. A full reproducer is available at:\nhttps://github.com/leitao/debug/blob/main/reproducers/repro_blkcg_uaf.sh\n\n(The race window is narrow. To make it easily reproducible, inject a\nmsleep(100) between css_put() and blkcg_unpin_online() in\ncgwb_release_workfn(). With that delay and a KASAN-enabled kernel, the\nreproducer triggers the splat reliably in less than a second.)\n\nFix this by moving blkcg_unpin_online() before css_put(), so the\ncgwb's CSS reference keeps the blkcg alive while blkcg_unpin_online()\naccesses it."}], "id": "CVE-2026-31586", "lastModified": "2026-04-28T20:45:58.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-04-24T15:16:33.393", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/115a5266749dcde7fe4127e8623d19c752088f69"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/50879a3c1faf06e661090015d59e2127255cff27"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/67cb119d32f35e32acd0393bbeb318b2bb1fdafe"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/8f5857be99f1ed1fa80991c72449541f634626ee"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/dfc8292a1d6782c76b626315605e0585a5a18447"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ea3af09eb87d8f8708c66747fcf1a2762902e839"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: mm: blk-cgroup: fix use-after-free in cgwb_release_workfn()", "id": "2461465", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461465"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-366", "details": ["A flaw was found in the Linux kernel's block control group (blk-cgroup) component. A timing issue in the cgwb_release_workfn() function can lead to a use-after-free vulnerability. This occurs when a block control group object is prematurely released while still being referenced. A local attacker could exploit this to cause system instability or a denial of service."], "name": "CVE-2026-31586", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Under investigation", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31586\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31586\nhttps://lore.kernel.org/linux-cve-announce/2026042413-CVE-2026-31586-3a32@gregkh/T"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[59b57717fff8b562825d9d25e0180ad7e8048ca9,115a5266749dcde7fe4127e8623d19c752088f69)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[59b57717fff8b562825d9d25e0180ad7e8048ca9,dfc8292a1d6782c76b626315605e0585a5a18447)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[59b57717fff8b562825d9d25e0180ad7e8048ca9,ea3af09eb87d8f8708c66747fcf1a2762902e839)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[59b57717fff8b562825d9d25e0180ad7e8048ca9,50879a3c1faf06e661090015d59e2127255cff27)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[59b57717fff8b562825d9d25e0180ad7e8048ca9,67cb119d32f35e32acd0393bbeb318b2bb1fdafe)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[59b57717fff8b562825d9d25e0180ad7e8048ca9,8f5857be99f1ed1fa80991c72449541f634626ee)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "4.19"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,4.19)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.6.136,6.6.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.12.83,6.12.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.18.24,6.18.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19.14,6.19.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0.1,7.0.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.1-rc1,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T23:43:36.836870+00:00", "value": {"mitigation_remediation": ["Upgrade to a Linux kernel that includes commit\u00a066672af7 or later", "If upgrading immediately is not possible, disable blk\u2011cgroup support or reduce block I/O activity that could trigger the work\u2011queue release, if distribution options allow", "Enable kernel hardening features such as KASAN or CONFIG_DEBUG_KERNEL to detect memory corruption early"], "summary": {"action": "Patch kernel", "impact": "Kernel memory corruption via use\u2011after\u2011free"}, "threat_synthesis": {"affected_systems": "The bug is present in any Linux kernel image that has not been updated to include the change in commit\u00a066672af7, which moves the blkcg_unpin_online() call before css_put(). All distributions shipping an unpatched kernel are potentially affected, regardless of vendor, as the flaw resides in the upstream kernel source. The patch is incorporated in the next\u2011generation kernel series.", "description_and_impact": "A use\u2011after\u2011free condition exists in the Linux kernel block\u2011cgroup work\u2011queue release path. When the CSS reference is released by css_put() before the blkcg_unpin_online() function accesses the blkcg structure, the blkcg object can be freed asynchronously, leading to a dereference of a stale pointer. The resulting memory corruption can manifest as a kernel panic or other unstable behavior. This weakness corresponds to CWE\u2011366 (Race Condition) and CWE\u2011416 (Use After Free).", "risk_and_exploitability": "The CVSS score of 7.8 reflects the potential for significant kernel compromise, while the EPSS score of\u00a0<1% indicates that exploitation is presently considered unlikely. The vulnerability has not been cataloged by CISA\u2019s KEV. The attack vector is not explicitly documented; based on the description, the likely attack vector involves manipulating block I/O operations or scheduling of work queues to induce the race window. The narrow timing requirement means that an adversary would need to precisely orchestrate the sequence of events, and no remote exploitation has been reported."}}}}, "created": "2026-04-27T19:00:15.679891+00:00", "updated": "2026-04-28T23:45:16.060825+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}