Description
In the Linux kernel, the following vulnerability has been resolved:

xfs: avoid dereferencing log items after push callbacks

After xfsaild_push_item() calls iop_push(), the log item may have been
freed if the AIL lock was dropped during the push. Background inode
reclaim or the dquot shrinker can free the log item while the AIL lock
is not held, and the tracepoints in the switch statement dereference
the log item after iop_push() returns.

Fix this by capturing the log item type, flags, and LSN before calling
xfsaild_push_item(), and introducing a new xfs_ail_push_class trace
event class that takes these pre-captured values and the ailp pointer
instead of the log item pointer.
Published: 2026-04-22
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An in‑kernel use‑after‑free occurs in the XFS logging path when the background inode reclaim or dquot shrinker frees a log item while the AIL lock is not held. The tracepoints later dereference the freed pointer, which can corrupt kernel memory or cause a kernel crash. The flaw is captured by CWE‑476 (Use‑After‑Free) and CWE‑825 (Improper Verification of Logical Conditions).

Affected Systems

Any Linux kernel build that contains the vulnerable XFS logging code, that is, any build that predates the commits referenced in the provided git log identifiers, is affected. Exact version numbers are not supplied in the data, so any kernel earlier than the patch commits is potentially affected.

Risk and Exploitability

The CVSS score of 7.8 places the vulnerability in the high‑severity range. The EPSS score is reported as less than 1 %, indicating a low but non‑zero probability of exploitation. Because the flaw is triggered by normal filesystem operations that invoke background reclaim or shrinker processes, it can be exercised by users with access to an affected XFS volume. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on May 6, 2026 at 21:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the XFS logging fix (commit 451c6329d9afa45862c36fe6677eb7750db60617 or newer).
  • If an immediate kernel upgrade is not possible, isolate critical XFS volumes from demanding workloads and monitor system logs for kernel crashes; no reliable temporary workaround exists.
  • For custom or older kernel builds, apply the upstream patch manually or request a vendor‑provided patched kernel version.

Advisories
Source | ID | Title
Debian DLA | DLA-4561-1 | linux-6.1 security update
Debian DSA | DSA-6238-1 | linux security update
Debian DSA | DSA-6243-1 | linux security update
History

Wed, 06 May 2026 19:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-476
CPEs | | cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
 | | cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
 | | cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
 | | cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
 | | cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*

Mon, 27 Apr 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'} | cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 23 Apr 2026 00:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-825
References | |
Metrics | threat_severity None | cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
 | | threat_severity Moderate


Wed, 22 Apr 2026 14:15:00 +0000

Type | Values Removed | Values Added
Description | | In the Linux kernel, the following vulnerability has been resolved: xfs: avoid dereferencing log items after push callbacks After xfsaild_push_item() calls iop_push(), the log item may have been freed if the AIL lock was dropped during the push. Background inode reclaim or the dquot shrinker can free the log item while the AIL lock is not held, and the tracepoints in the switch statement dereference the log item after iop_push() returns. Fix this by capturing the log item type, flags, and LSN before calling xfsaild_push_item(), and introducing a new xfs_ail_push_class trace event class that takes these pre-captured values and the ailp pointer instead of the log item pointer.
Title | | xfs: avoid dereferencing log items after push callbacks
First Time appeared | | Linux
 | | Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux
 | | Linux linux Kernel
References | |

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:09:00.290Z

Reserved: 2026-03-09T15:48:24.091Z

Link: CVE-2026-31453

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-04-22T14:16:39.653

Modified: 2026-05-06T19:17:21.167

Link: CVE-2026-31453

Redhat

Severity: Moderate

Public Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31453 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-06T21:15:13Z

Weaknesses