Description
In the Linux kernel, the following vulnerability has been resolved:

ublk: fix use-after-free in ublk_partition_scan_work

A race condition exists between the async partition scan work and device
teardown that can lead to a use-after-free of ub->ub_disk:

1. ublk_ctrl_start_dev() schedules partition_scan_work after add_disk()
2. ublk_stop_dev() calls ublk_stop_dev_unlocked() which does:
   - del_gendisk(ub->ub_disk)
   - ublk_detach_disk() sets ub->ub_disk = NULL
   - put_disk() which may free the disk
3. The worker ublk_partition_scan_work() then dereferences ub->ub_disk
   leading to UAF

Fix this by using ublk_get_disk()/ublk_put_disk() in the worker to hold
a reference to the disk during the partition scan. The spinlock in
ublk_get_disk() synchronizes with ublk_detach_disk() ensuring the worker
either gets a valid reference or sees NULL and exits early.

Also change flush_work() to cancel_work_sync() to avoid running the
partition scan work unnecessarily when the disk is already detached.
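
The get/put pattern the fix describes, modelled in userspace C as an added example (it is not the kernel patch or code from this page). A pthread mutex stands in for the spinlock, and both structs and every model_* function are hypothetical stand-ins.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>

/* Userspace model, not kernel code: every model_* name is a hypothetical stand-in. */
struct disk { atomic_int refs; int scans; };              /* the gendisk */
struct dev  { pthread_mutex_t lock; struct disk *disk; }; /* ub and ub->ub_disk */

void model_start_dev(struct dev *ub)
{
    pthread_mutex_init(&ub->lock, NULL);
    if (!(ub->disk = calloc(1, sizeof(*ub->disk)))) abort();
    atomic_init(&ub->disk->refs, 1); /* reference owned by the device */
}

int model_put_disk(struct disk *d)
{
    if (!d || atomic_fetch_sub(&d->refs, 1) != 1) return 0;
    free(d);
    return 1; /* this call dropped the last reference and freed the disk */
}

struct disk *model_get_disk(struct dev *ub)
{
    pthread_mutex_lock(&ub->lock);        /* same lock that detach takes */
    struct disk *d = ub->disk;
    if (d) atomic_fetch_add(&d->refs, 1); /* pin before the lock is released */
    pthread_mutex_unlock(&ub->lock);
    return d;
}

/* Teardown: detach (pointer becomes NULL), then drop the device's reference. */
int model_stop_dev(struct dev *ub)
{
    pthread_mutex_lock(&ub->lock);
    struct disk *d = ub->disk;
    ub->disk = NULL;
    pthread_mutex_unlock(&ub->lock);
    return model_put_disk(d);
}

/* Fixed worker: returns 1 if it scanned, 0 if the disk was already detached. */
int model_scan_work(struct dev *ub)
{
    struct disk *d = model_get_disk(ub);
    if (!d) return 0;
    d->scans++; /* stands in for the partition scan */
    model_put_disk(d);
    return 1;
}
```

When a holder calls model_get_disk() before model_stop_dev(), teardown returns 0 (nothing freed) and the free happens only when the holder's model_put_disk() returns 1.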
Published: 2026-01-23
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Use‑After‑Free leading to possible kernel crash or code execution
Action: Update Kernel
AI Analysis

Impact

The race condition between asynchronous partition‑scan work and device teardown in the Linux kernel’s ublk subsystem results in a use‑after‑free of the ub_disk pointer. This memory corruption flaw (CWE‑416) can cause a kernel fault, system crash, or, in a rare case, execution of arbitrary code with kernel privileges.

Affected Systems

The flaw exists in the Linux kernel’s ublk component. All kernel releases that include the race, notably 6.19‑rc4 and earlier, are affected. System‑level or kernel‑level updates that incorporate the patch resolve the issue.

Risk and Exploitability

The CVSS score is 7.8, indicating high severity, while the EPSS score is below 1%, indicating a low current probability of exploitation. It is not listed in the CISA KEV catalog. The likely attack vector is inferred: a local or privileged user could trigger a ublk device partition scan while simultaneously tearing down the device, which leads to the race and the subsequent use-after-free. This inference is based on the race description rather than explicit attack details.

Generated by OpenCVE AI on April 18, 2026 at 15:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that includes the ublk use‑after‑free fix.
  • If an immediate kernel upgrade is not possible, disable or remove the ublk subsystem (e.g., by setting CONFIG_BLK_DEV_UBLK to n) to eliminate the race condition.
  • For custom kernel modules or drivers that interact with ublk, review and modify them to use ublk_get_disk()/ublk_put_disk() patterns to avoid dangling references.



Advisories

No advisories yet.

History

Thu, 26 Feb 2026 17:15:00 +0000

Type: Weaknesses; Values Added: CWE-416
Type: CPEs; Values Added: cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
Type: Metrics; Values Added: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Sat, 24 Jan 2026 00:15:00 +0000


Fri, 23 Jan 2026 15:30:00 +0000

Type: Description; Values Added: the description text given at the top of this page
Type: Title; Values Added: ublk: fix use-after-free in ublk_partition_scan_work
Type: First Time appeared; Values Added: Linux; Linux linux Kernel
Type: CPEs; Values Added: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Type: Vendors & Products; Values Added: Linux; Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-09T08:36:46.675Z

Reserved: 2026-01-13T15:37:45.938Z

Link: CVE-2026-22995

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-01-23T16:15:55.603

Modified: 2026-02-26T17:13:33.407

Link: CVE-2026-22995

Redhat

Severity: Moderate

Public Date: 2026-01-23T00:00:00Z

Links: CVE-2026-22995 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T15:15:03Z

Weaknesses