Vulnerability-Lookup

CVE-2026-31586 (GCVE-0-2026-31586)

Vulnerability from cvelistv5 – Published: 2026-04-24 14:42 – Updated: 2026-04-27 14:04

Title

mm: blk-cgroup: fix use-after-free in cgwb_release_workfn()

Summary

In the Linux kernel, the following vulnerability has been resolved: mm: blk-cgroup: fix use-after-free in cgwb_release_workfn() cgwb_release_workfn() calls css_put(wb->blkcg_css) and then later accesses wb->blkcg_css again via blkcg_unpin_online(). If css_put() drops the last reference, the blkcg can be freed asynchronously (css_free_rwork_fn -> blkcg_css_free -> kfree) before blkcg_unpin_online() dereferences the pointer to access blkcg->online_pin, resulting in a use-after-free: BUG: KASAN: slab-use-after-free in blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367) Write of size 4 at addr ff11000117aa6160 by task kworker/71:1/531 Workqueue: cgwb_release cgwb_release_workfn Call Trace: <TASK> blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367) cgwb_release_workfn (mm/backing-dev.c:629) process_scheduled_works (kernel/workqueue.c:3278 kernel/workqueue.c:3385) Freed by task 1016: kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6246 mm/slub.c:6561) css_free_rwork_fn (kernel/cgroup/cgroup.c:5542) process_scheduled_works (kernel/workqueue.c:3302 kernel/workqueue.c:3385) ** Stack based on commit 66672af7a095 ("Add linux-next specific files for 20260410") I am seeing this crash sporadically in Meta fleet across multiple kernel versions. A full reproducer is available at: https://github.com/leitao/debug/blob/main/reproducers/repro_blkcg_uaf.sh (The race window is narrow. To make it easily reproducible, inject a msleep(100) between css_put() and blkcg_unpin_online() in cgwb_release_workfn(). With that delay and a KASAN-enabled kernel, the reproducer triggers the splat reliably in less than a second.) Fix this by moving blkcg_unpin_online() before css_put(), so the cgwb's CSS reference keeps the blkcg alive while blkcg_unpin_online() accesses it.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/115a5266749dcde7f…
	https://git.kernel.org/stable/c/dfc8292a1d6782c76…
	https://git.kernel.org/stable/c/ea3af09eb87d8f870…
	https://git.kernel.org/stable/c/50879a3c1faf06e66…
	https://git.kernel.org/stable/c/67cb119d32f35e32a…
	https://git.kernel.org/stable/c/8f5857be99f1ed1fa…

Impacted products

Vendor

Product

Version

Linux

Affected: 59b57717fff8b562825d9d25e0180ad7e8048ca9 , < 115a5266749dcde7fe4127e8623d19c752088f69 (git)
Affected: 59b57717fff8b562825d9d25e0180ad7e8048ca9 , < dfc8292a1d6782c76b626315605e0585a5a18447 (git)
Affected: 59b57717fff8b562825d9d25e0180ad7e8048ca9 , < ea3af09eb87d8f8708c66747fcf1a2762902e839 (git)
Affected: 59b57717fff8b562825d9d25e0180ad7e8048ca9 , < 50879a3c1faf06e661090015d59e2127255cff27 (git)
Affected: 59b57717fff8b562825d9d25e0180ad7e8048ca9 , < 67cb119d32f35e32acd0393bbeb318b2bb1fdafe (git)
Affected: 59b57717fff8b562825d9d25e0180ad7e8048ca9 , < 8f5857be99f1ed1fa80991c72449541f634626ee (git)

Linux

Affected: 4.19
Unaffected: 0 , < 4.19 (semver)
Unaffected: 6.6.136 , ≤ 6.6.* (semver)
Unaffected: 6.12.83 , ≤ 6.12.* (semver)
Unaffected: 6.18.24 , ≤ 6.18.* (semver)
Unaffected: 6.19.14 , ≤ 6.19.* (semver)
Unaffected: 7.0.1 , ≤ 7.0.* (semver)
Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/backing-dev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "115a5266749dcde7fe4127e8623d19c752088f69",
              "status": "affected",
              "version": "59b57717fff8b562825d9d25e0180ad7e8048ca9",
              "versionType": "git"
            },
            {
              "lessThan": "dfc8292a1d6782c76b626315605e0585a5a18447",
              "status": "affected",
              "version": "59b57717fff8b562825d9d25e0180ad7e8048ca9",
              "versionType": "git"
            },
            {
              "lessThan": "ea3af09eb87d8f8708c66747fcf1a2762902e839",
              "status": "affected",
              "version": "59b57717fff8b562825d9d25e0180ad7e8048ca9",
              "versionType": "git"
            },
            {
              "lessThan": "50879a3c1faf06e661090015d59e2127255cff27",
              "status": "affected",
              "version": "59b57717fff8b562825d9d25e0180ad7e8048ca9",
              "versionType": "git"
            },
            {
              "lessThan": "67cb119d32f35e32acd0393bbeb318b2bb1fdafe",
              "status": "affected",
              "version": "59b57717fff8b562825d9d25e0180ad7e8048ca9",
              "versionType": "git"
            },
            {
              "lessThan": "8f5857be99f1ed1fa80991c72449541f634626ee",
              "status": "affected",
              "version": "59b57717fff8b562825d9d25e0180ad7e8048ca9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/backing-dev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.19"
            },
            {
              "lessThan": "4.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.136",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.136",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.83",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.24",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.14",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.1",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc1",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: blk-cgroup: fix use-after-free in cgwb_release_workfn()\n\ncgwb_release_workfn() calls css_put(wb-\u003eblkcg_css) and then later accesses\nwb-\u003eblkcg_css again via blkcg_unpin_online().  If css_put() drops the last\nreference, the blkcg can be freed asynchronously (css_free_rwork_fn -\u003e\nblkcg_css_free -\u003e kfree) before blkcg_unpin_online() dereferences the\npointer to access blkcg-\u003eonline_pin, resulting in a use-after-free:\n\n  BUG: KASAN: slab-use-after-free in blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367)\n  Write of size 4 at addr ff11000117aa6160 by task kworker/71:1/531\n   Workqueue: cgwb_release cgwb_release_workfn\n   Call Trace:\n    \u003cTASK\u003e\n     blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367)\n     cgwb_release_workfn (mm/backing-dev.c:629)\n     process_scheduled_works (kernel/workqueue.c:3278 kernel/workqueue.c:3385)\n\n   Freed by task 1016:\n    kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6246 mm/slub.c:6561)\n    css_free_rwork_fn (kernel/cgroup/cgroup.c:5542)\n    process_scheduled_works (kernel/workqueue.c:3302 kernel/workqueue.c:3385)\n\n** Stack based on commit 66672af7a095 (\"Add linux-next specific files\nfor 20260410\")\n\nI am seeing this crash sporadically in Meta fleet across multiple kernel\nversions.  A full reproducer is available at:\nhttps://github.com/leitao/debug/blob/main/reproducers/repro_blkcg_uaf.sh\n\n(The race window is narrow.  To make it easily reproducible, inject a\nmsleep(100) between css_put() and blkcg_unpin_online() in\ncgwb_release_workfn().  With that delay and a KASAN-enabled kernel, the\nreproducer triggers the splat reliably in less than a second.)\n\nFix this by moving blkcg_unpin_online() before css_put(), so the\ncgwb\u0027s CSS reference keeps the blkcg alive while blkcg_unpin_online()\naccesses it."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-27T14:04:11.271Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/115a5266749dcde7fe4127e8623d19c752088f69"
        },
        {
          "url": "https://git.kernel.org/stable/c/dfc8292a1d6782c76b626315605e0585a5a18447"
        },
        {
          "url": "https://git.kernel.org/stable/c/ea3af09eb87d8f8708c66747fcf1a2762902e839"
        },
        {
          "url": "https://git.kernel.org/stable/c/50879a3c1faf06e661090015d59e2127255cff27"
        },
        {
          "url": "https://git.kernel.org/stable/c/67cb119d32f35e32acd0393bbeb318b2bb1fdafe"
        },
        {
          "url": "https://git.kernel.org/stable/c/8f5857be99f1ed1fa80991c72449541f634626ee"
        }
      ],
      "title": "mm: blk-cgroup: fix use-after-free in cgwb_release_workfn()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-31586",
    "datePublished": "2026-04-24T14:42:14.937Z",
    "dateReserved": "2026-03-09T15:48:24.120Z",
    "dateUpdated": "2026-04-27T14:04:11.271Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-31586",
      "date": "2026-05-05",
      "epss": "0.00013",
      "percentile": "0.02396"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-31586\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-04-24T15:16:33.393\",\"lastModified\":\"2026-04-28T20:45:58.570\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm: blk-cgroup: fix use-after-free in cgwb_release_workfn()\\n\\ncgwb_release_workfn() calls css_put(wb-\u003eblkcg_css) and then later accesses\\nwb-\u003eblkcg_css again via blkcg_unpin_online().  If css_put() drops the last\\nreference, the blkcg can be freed asynchronously (css_free_rwork_fn -\u003e\\nblkcg_css_free -\u003e kfree) before blkcg_unpin_online() dereferences the\\npointer to access blkcg-\u003eonline_pin, resulting in a use-after-free:\\n\\n  BUG: KASAN: slab-use-after-free in blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367)\\n  Write of size 4 at addr ff11000117aa6160 by task kworker/71:1/531\\n   Workqueue: cgwb_release cgwb_release_workfn\\n   Call Trace:\\n    \u003cTASK\u003e\\n     blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367)\\n     cgwb_release_workfn (mm/backing-dev.c:629)\\n     process_scheduled_works (kernel/workqueue.c:3278 kernel/workqueue.c:3385)\\n\\n   Freed by task 1016:\\n    kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6246 mm/slub.c:6561)\\n    css_free_rwork_fn (kernel/cgroup/cgroup.c:5542)\\n    process_scheduled_works (kernel/workqueue.c:3302 kernel/workqueue.c:3385)\\n\\n** Stack based on commit 66672af7a095 (\\\"Add linux-next specific files\\nfor 20260410\\\")\\n\\nI am seeing this crash sporadically in Meta fleet across multiple kernel\\nversions.  A full reproducer is available at:\\nhttps://github.com/leitao/debug/blob/main/reproducers/repro_blkcg_uaf.sh\\n\\n(The race window is narrow.  To make it easily reproducible, inject a\\nmsleep(100) between css_put() and blkcg_unpin_online() in\\ncgwb_release_workfn().  With that delay and a KASAN-enabled kernel, the\\nreproducer triggers the splat reliably in less than a second.)\\n\\nFix this by moving blkcg_unpin_online() before css_put(), so the\\ncgwb\u0027s CSS reference keeps the blkcg alive while blkcg_unpin_online()\\naccesses it.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.19\",\"versionEndExcluding\":\"6.6.136\",\"matchCriteriaId\":\"C65C5FE4-6002-4BBA-98A9-87D1F99A643F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.12.83\",\"matchCriteriaId\":\"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13\",\"versionEndExcluding\":\"6.18.24\",\"matchCriteriaId\":\"8126B8B8-6D0B-4443-86C1-672AEE893555\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.19\",\"versionEndExcluding\":\"6.19.14\",\"matchCriteriaId\":\"D6A8A074-BBF4-4803-ABED-519A839435BB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.0\",\"versionEndExcluding\":\"7.0.1\",\"matchCriteriaId\":\"9B5888AB-7403-4335-89E4-21CC0B48366A\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/115a5266749dcde7fe4127e8623d19c752088f69\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/50879a3c1faf06e661090015d59e2127255cff27\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/67cb119d32f35e32acd0393bbeb318b2bb1fdafe\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/8f5857be99f1ed1fa80991c72449541f634626ee\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/dfc8292a1d6782c76b626315605e0585a5a18447\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ea3af09eb87d8f8708c66747fcf1a2762902e839\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}

MSRC_CVE-2026-31586

Vulnerability from csaf_microsoft - Published: 2026-04-02 00:00 - Updated: 2026-05-01 14:43

Summary

mm: blk-cgroup: fix use-after-free in cgwb_release_workfn()

Notes

Additional Resources: To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer: The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

CVE-2026-31586

None Available There is no fix available for this vulnerability as of now

Vendor Fix 0:6.6.137.1-1.azl3:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade https://learn.microsoft.com/en-us/azure/azure-lin…

References

URL

GHSA-X7Q8-XCW2-7MFG

Vulnerability from github – Published: 2026-04-24 15:32 – Updated: 2026-04-27 15:30

Details

In the Linux kernel, the following vulnerability has been resolved:

mm: blk-cgroup: fix use-after-free in cgwb_release_workfn()

cgwb_release_workfn() calls css_put(wb->blkcg_css) and then later accesses wb->blkcg_css again via blkcg_unpin_online(). If css_put() drops the last reference, the blkcg can be freed asynchronously (css_free_rwork_fn -> blkcg_css_free -> kfree) before blkcg_unpin_online() dereferences the pointer to access blkcg->online_pin, resulting in a use-after-free:

BUG: KASAN: slab-use-after-free in blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367) Write of size 4 at addr ff11000117aa6160 by task kworker/71:1/531 Workqueue: cgwb_release cgwb_release_workfn Call Trace: blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367) cgwb_release_workfn (mm/backing-dev.c:629) process_scheduled_works (kernel/workqueue.c:3278 kernel/workqueue.c:3385)

Freed by task 1016: kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6246 mm/slub.c:6561) css_free_rwork_fn (kernel/cgroup/cgroup.c:5542) process_scheduled_works (kernel/workqueue.c:3302 kernel/workqueue.c:3385)

** Stack based on commit 66672af7a095 ("Add linux-next specific files for 20260410")

I am seeing this crash sporadically in Meta fleet across multiple kernel versions. A full reproducer is available at: https://github.com/leitao/debug/blob/main/reproducers/repro_blkcg_uaf.sh

(The race window is narrow. To make it easily reproducible, inject a msleep(100) between css_put() and blkcg_unpin_online() in cgwb_release_workfn(). With that delay and a KASAN-enabled kernel, the reproducer triggers the splat reliably in less than a second.)

Fix this by moving blkcg_unpin_online() before css_put(), so the cgwb's CSS reference keeps the blkcg alive while blkcg_unpin_online() accesses it.

Severity ?

7.8 (High)


                  
                    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2026-31586"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-24T15:16:33Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: blk-cgroup: fix use-after-free in cgwb_release_workfn()\n\ncgwb_release_workfn() calls css_put(wb-\u003eblkcg_css) and then later accesses\nwb-\u003eblkcg_css again via blkcg_unpin_online().  If css_put() drops the last\nreference, the blkcg can be freed asynchronously (css_free_rwork_fn -\u003e\nblkcg_css_free -\u003e kfree) before blkcg_unpin_online() dereferences the\npointer to access blkcg-\u003eonline_pin, resulting in a use-after-free:\n\n  BUG: KASAN: slab-use-after-free in blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367)\n  Write of size 4 at addr ff11000117aa6160 by task kworker/71:1/531\n   Workqueue: cgwb_release cgwb_release_workfn\n   Call Trace:\n    \u003cTASK\u003e\n     blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367)\n     cgwb_release_workfn (mm/backing-dev.c:629)\n     process_scheduled_works (kernel/workqueue.c:3278 kernel/workqueue.c:3385)\n\n   Freed by task 1016:\n    kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6246 mm/slub.c:6561)\n    css_free_rwork_fn (kernel/cgroup/cgroup.c:5542)\n    process_scheduled_works (kernel/workqueue.c:3302 kernel/workqueue.c:3385)\n\n** Stack based on commit 66672af7a095 (\"Add linux-next specific files\nfor 20260410\")\n\nI am seeing this crash sporadically in Meta fleet across multiple kernel\nversions.  A full reproducer is available at:\nhttps://github.com/leitao/debug/blob/main/reproducers/repro_blkcg_uaf.sh\n\n(The race window is narrow.  To make it easily reproducible, inject a\nmsleep(100) between css_put() and blkcg_unpin_online() in\ncgwb_release_workfn().  With that delay and a KASAN-enabled kernel, the\nreproducer triggers the splat reliably in less than a second.)\n\nFix this by moving blkcg_unpin_online() before css_put(), so the\ncgwb\u0027s CSS reference keeps the blkcg alive while blkcg_unpin_online()\naccesses it.",
  "id": "GHSA-x7q8-xcw2-7mfg",
  "modified": "2026-04-27T15:30:45Z",
  "published": "2026-04-24T15:32:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31586"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/115a5266749dcde7fe4127e8623d19c752088f69"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/50879a3c1faf06e661090015d59e2127255cff27"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/67cb119d32f35e32acd0393bbeb318b2bb1fdafe"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8f5857be99f1ed1fa80991c72449541f634626ee"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dfc8292a1d6782c76b626315605e0585a5a18447"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ea3af09eb87d8f8708c66747fcf1a2762902e839"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

CERTFR-2026-AVI-0526

Vulnerability from certfr_avis - Published: 2026-05-04 - Updated: 2026-05-04

De multiples vulnérabilités ont été découvertes dans les produits Microsoft. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

	Vendor	Product	Description
	Microsoft	N/A	azl3 kernel versions antérieures à 6.6.137.1-1

References

Title

Publication Time

Tags

Bulletin de sécurité Microsoft CVE-2026-31629	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31639	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31694	2026-05-02	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31662	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31651	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31661	2026-04-29	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31671	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31656	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31595	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31700	2026-05-02	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31430	2026-04-22	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31599	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31685	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31607	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31659	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31673	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31612	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31638	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31532	2026-04-24	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31625	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31586	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31649	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31676	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31684	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31657	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31431	2026-04-23	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31585	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31611	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31637	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31689	2026-04-29	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31624	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31615	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31627	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31642	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31704	2026-05-02	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31668	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31508	2026-04-30	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31578	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31696	2026-05-02	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31587	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31577	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31711	2026-05-02	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31626	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31670	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31583	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31618	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31708	2026-05-02	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31588	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31658	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31705	2026-05-02	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31669	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31623	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31622	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31603	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31594	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31721	2026-05-02	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31660	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31628	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-43033	2026-05-02	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31619	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31648	2026-04-29	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31698	2026-05-02	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31655	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31699	2026-05-02	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31634	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31665	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31605	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31597	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31697	2026-05-02	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31664	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31702	2026-05-02	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31590	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31596	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31681	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31533	2026-05-01	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31610	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31667	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31604	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31672	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31646	2026-04-26	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "azl3 kernel versions ant\u00e9rieures \u00e0 6.6.137.1-1",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2026-31623",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31623"
    },
    {
      "name": "CVE-2026-31619",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31619"
    },
    {
      "name": "CVE-2026-31658",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31658"
    },
    {
      "name": "CVE-2026-31618",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31618"
    },
    {
      "name": "CVE-2026-31578",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31578"
    },
    {
      "name": "CVE-2026-31696",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31696"
    },
    {
      "name": "CVE-2026-31704",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31704"
    },
    {
      "name": "CVE-2026-31685",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31685"
    },
    {
      "name": "CVE-2026-31656",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31656"
    },
    {
      "name": "CVE-2026-31698",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31698"
    },
    {
      "name": "CVE-2026-31664",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31664"
    },
    {
      "name": "CVE-2026-31597",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31597"
    },
    {
      "name": "CVE-2026-31586",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31586"
    },
    {
      "name": "CVE-2026-31721",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31721"
    },
    {
      "name": "CVE-2026-31655",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31655"
    },
    {
      "name": "CVE-2026-31711",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31711"
    },
    {
      "name": "CVE-2026-31611",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31611"
    },
    {
      "name": "CVE-2026-31431",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31431"
    },
    {
      "name": "CVE-2026-31599",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31599"
    },
    {
      "name": "CVE-2026-31668",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31668"
    },
    {
      "name": "CVE-2026-31583",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31583"
    },
    {
      "name": "CVE-2026-31605",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31605"
    },
    {
      "name": "CVE-2026-31681",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31681"
    },
    {
      "name": "CVE-2026-43033",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-43033"
    },
    {
      "name": "CVE-2026-31622",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31622"
    },
    {
      "name": "CVE-2026-31595",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31595"
    },
    {
      "name": "CVE-2026-31642",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31642"
    },
    {
      "name": "CVE-2026-31659",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31659"
    },
    {
      "name": "CVE-2026-31638",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31638"
    },
    {
      "name": "CVE-2026-31588",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31588"
    },
    {
      "name": "CVE-2026-31689",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31689"
    },
    {
      "name": "CVE-2026-31697",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31697"
    },
    {
      "name": "CVE-2026-31670",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31670"
    },
    {
      "name": "CVE-2026-31533",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31533"
    },
    {
      "name": "CVE-2026-31615",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31615"
    },
    {
      "name": "CVE-2026-31594",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31594"
    },
    {
      "name": "CVE-2026-31661",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31661"
    },
    {
      "name": "CVE-2026-31705",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31705"
    },
    {
      "name": "CVE-2026-31684",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31684"
    },
    {
      "name": "CVE-2026-31625",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31625"
    },
    {
      "name": "CVE-2026-31669",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31669"
    },
    {
      "name": "CVE-2026-31671",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31671"
    },
    {
      "name": "CVE-2026-31694",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31694"
    },
    {
      "name": "CVE-2026-31699",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31699"
    },
    {
      "name": "CVE-2026-31628",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31628"
    },
    {
      "name": "CVE-2026-31662",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31662"
    },
    {
      "name": "CVE-2026-31627",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31627"
    },
    {
      "name": "CVE-2026-31665",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31665"
    },
    {
      "name": "CVE-2026-31672",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31672"
    },
    {
      "name": "CVE-2026-31626",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31626"
    },
    {
      "name": "CVE-2026-31634",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31634"
    },
    {
      "name": "CVE-2026-31610",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31610"
    },
    {
      "name": "CVE-2026-31648",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31648"
    },
    {
      "name": "CVE-2026-31660",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31660"
    },
    {
      "name": "CVE-2026-31607",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31607"
    },
    {
      "name": "CVE-2026-31637",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31637"
    },
    {
      "name": "CVE-2026-31612",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31612"
    },
    {
      "name": "CVE-2026-31590",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31590"
    },
    {
      "name": "CVE-2026-31604",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31604"
    },
    {
      "name": "CVE-2026-31532",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31532"
    },
    {
      "name": "CVE-2026-31430",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31430"
    },
    {
      "name": "CVE-2026-31596",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31596"
    },
    {
      "name": "CVE-2026-31676",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31676"
    },
    {
      "name": "CVE-2026-31603",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31603"
    },
    {
      "name": "CVE-2026-31649",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31649"
    },
    {
      "name": "CVE-2026-31577",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31577"
    },
    {
      "name": "CVE-2026-31702",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31702"
    },
    {
      "name": "CVE-2026-31587",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31587"
    },
    {
      "name": "CVE-2026-31708",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31708"
    },
    {
      "name": "CVE-2026-31651",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31651"
    },
    {
      "name": "CVE-2026-31657",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31657"
    },
    {
      "name": "CVE-2026-31624",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31624"
    },
    {
      "name": "CVE-2026-31585",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31585"
    },
    {
      "name": "CVE-2026-31646",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31646"
    },
    {
      "name": "CVE-2026-31700",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31700"
    },
    {
      "name": "CVE-2026-31639",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31639"
    },
    {
      "name": "CVE-2026-31508",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31508"
    },
    {
      "name": "CVE-2026-31629",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31629"
    },
    {
      "name": "CVE-2026-31673",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31673"
    },
    {
      "name": "CVE-2026-31667",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31667"
    }
  ],
  "initial_release_date": "2026-05-04T00:00:00",
  "last_revision_date": "2026-05-04T00:00:00",
  "links": [],
  "reference": "CERTFR-2026-AVI-0526",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2026-05-04T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Microsoft. Elles permettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Microsoft",
  "vendor_advisories": [
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31629",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31629"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31639",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31639"
    },
    {
      "published_at": "2026-05-02",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31694",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31694"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31662",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31662"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31651",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31651"
    },
    {
      "published_at": "2026-04-29",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31661",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31661"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31671",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31671"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31656",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31656"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31595",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31595"
    },
    {
      "published_at": "2026-05-02",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31700",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31700"
    },
    {
      "published_at": "2026-04-22",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31430",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31430"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31599",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31599"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31685",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31685"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31607",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31607"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31659",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31659"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31673",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31673"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31612",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31612"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31638",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31638"
    },
    {
      "published_at": "2026-04-24",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31532",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31532"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31625",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31625"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31586",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31586"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31649",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31649"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31676",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31676"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31684",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31684"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31657",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31657"
    },
    {
      "published_at": "2026-04-23",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31431",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31431"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31585",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31585"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31611",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31611"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31637",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31637"
    },
    {
      "published_at": "2026-04-29",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31689",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31689"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31624",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31624"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31615",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31615"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31627",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31627"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31642",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31642"
    },
    {
      "published_at": "2026-05-02",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31704",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31704"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31668",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31668"
    },
    {
      "published_at": "2026-04-30",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31508",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31508"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31578",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31578"
    },
    {
      "published_at": "2026-05-02",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31696",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31696"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31587",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31587"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31577",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31577"
    },
    {
      "published_at": "2026-05-02",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31711",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31711"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31626",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31626"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31670",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31670"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31583",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31583"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31618",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31618"
    },
    {
      "published_at": "2026-05-02",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31708",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31708"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31588",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31588"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31658",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31658"
    },
    {
      "published_at": "2026-05-02",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31705",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31705"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31669",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31669"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31623",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31623"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31622",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31622"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31603",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31603"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31594",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31594"
    },
    {
      "published_at": "2026-05-02",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31721",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31721"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31660",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31660"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31628",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31628"
    },
    {
      "published_at": "2026-05-02",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-43033",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-43033"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31619",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31619"
    },
    {
      "published_at": "2026-04-29",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31648",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31648"
    },
    {
      "published_at": "2026-05-02",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31698",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31698"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31655",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31655"
    },
    {
      "published_at": "2026-05-02",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31699",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31699"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31634",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31634"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31665",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31665"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31605",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31605"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31597",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31597"
    },
    {
      "published_at": "2026-05-02",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31697",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31697"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31664",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31664"
    },
    {
      "published_at": "2026-05-02",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31702",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31702"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31590",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31590"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31596",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31596"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31681",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31681"
    },
    {
      "published_at": "2026-05-01",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31533",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31533"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31610",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31610"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31667",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31667"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31604",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31604"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31672",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31672"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31646",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31646"
    }
  ]
}

FKIE_CVE-2026-31586

Vulnerability from fkie_nvd - Published: 2026-04-24 15:16 - Updated: 2026-04-28 20:45

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/115a5266749dcde7fe4127e8623d19c752088f69	Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/50879a3c1faf06e661090015d59e2127255cff27	Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/67cb119d32f35e32acd0393bbeb318b2bb1fdafe	Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/8f5857be99f1ed1fa80991c72449541f634626ee	Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/dfc8292a1d6782c76b626315605e0585a5a18447	Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/ea3af09eb87d8f8708c66747fcf1a2762902e839	Patch

Impacted products

Vendor	Product	Version
linux	linux_kernel	*
linux	linux_kernel	*
linux	linux_kernel	*
linux	linux_kernel	*
linux	linux_kernel	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C65C5FE4-6002-4BBA-98A9-87D1F99A643F",
              "versionEndExcluding": "6.6.136",
              "versionStartIncluding": "4.19",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8",
              "versionEndExcluding": "6.12.83",
              "versionStartIncluding": "6.7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8126B8B8-6D0B-4443-86C1-672AEE893555",
              "versionEndExcluding": "6.18.24",
              "versionStartIncluding": "6.13",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D6A8A074-BBF4-4803-ABED-519A839435BB",
              "versionEndExcluding": "6.19.14",
              "versionStartIncluding": "6.19",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9B5888AB-7403-4335-89E4-21CC0B48366A",
              "versionEndExcluding": "7.0.1",
              "versionStartIncluding": "7.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: blk-cgroup: fix use-after-free in cgwb_release_workfn()\n\ncgwb_release_workfn() calls css_put(wb-\u003eblkcg_css) and then later accesses\nwb-\u003eblkcg_css again via blkcg_unpin_online().  If css_put() drops the last\nreference, the blkcg can be freed asynchronously (css_free_rwork_fn -\u003e\nblkcg_css_free -\u003e kfree) before blkcg_unpin_online() dereferences the\npointer to access blkcg-\u003eonline_pin, resulting in a use-after-free:\n\n  BUG: KASAN: slab-use-after-free in blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367)\n  Write of size 4 at addr ff11000117aa6160 by task kworker/71:1/531\n   Workqueue: cgwb_release cgwb_release_workfn\n   Call Trace:\n    \u003cTASK\u003e\n     blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367)\n     cgwb_release_workfn (mm/backing-dev.c:629)\n     process_scheduled_works (kernel/workqueue.c:3278 kernel/workqueue.c:3385)\n\n   Freed by task 1016:\n    kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6246 mm/slub.c:6561)\n    css_free_rwork_fn (kernel/cgroup/cgroup.c:5542)\n    process_scheduled_works (kernel/workqueue.c:3302 kernel/workqueue.c:3385)\n\n** Stack based on commit 66672af7a095 (\"Add linux-next specific files\nfor 20260410\")\n\nI am seeing this crash sporadically in Meta fleet across multiple kernel\nversions.  A full reproducer is available at:\nhttps://github.com/leitao/debug/blob/main/reproducers/repro_blkcg_uaf.sh\n\n(The race window is narrow.  To make it easily reproducible, inject a\nmsleep(100) between css_put() and blkcg_unpin_online() in\ncgwb_release_workfn().  With that delay and a KASAN-enabled kernel, the\nreproducer triggers the splat reliably in less than a second.)\n\nFix this by moving blkcg_unpin_online() before css_put(), so the\ncgwb\u0027s CSS reference keeps the blkcg alive while blkcg_unpin_online()\naccesses it."
    }
  ],
  "id": "CVE-2026-31586",
  "lastModified": "2026-04-28T20:45:58.570",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-04-24T15:16:33.393",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/115a5266749dcde7fe4127e8623d19c752088f69"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/50879a3c1faf06e661090015d59e2127255cff27"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/67cb119d32f35e32acd0393bbeb318b2bb1fdafe"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/8f5857be99f1ed1fa80991c72449541f634626ee"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/dfc8292a1d6782c76b626315605e0585a5a18447"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/ea3af09eb87d8f8708c66747fcf1a2762902e839"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-416"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-31586 (GCVE-0-2026-31586)

MSRC_CVE-2026-31586

GHSA-X7Q8-XCW2-7MFG

CERTFR-2026-AVI-0526

Solutions

FKIE_CVE-2026-31586

Tags

Sightings

Nomenclature