Description
In the Linux kernel, the following vulnerability has been resolved:

xfs: save ailp before dropping the AIL lock in push callbacks

In xfs_inode_item_push() and xfs_qm_dquot_logitem_push(), the AIL lock
is dropped to perform buffer IO. Once the cluster buffer no longer
protects the log item from reclaim, the log item may be freed by
background reclaim or the dquot shrinker. The subsequent spin_lock()
call dereferences lip->li_ailp, which is a use-after-free.

Fix this by saving the ailp pointer in a local variable while the AIL
lock is held and the log item is guaranteed to be valid.
Published: 2026-04-22
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In xfs_inode_item_push() and xfs_qm_dquot_logitem_push(), the AIL lock is released in order to perform buffer I/O. If the log item that the lock protected is then freed by background processes such as the reclaim thread or the dquot shrinker, the subsequent spin_lock() call still accesses lip->li_ailp through it. This dereferences a freed pointer, a classic use‑after‑free error that can corrupt kernel memory, result in a kernel panic, or allow an attacker to execute arbitrary code with ring‑0 privileges.
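
The locking pattern described above, reduced to a userspace C model as an added example (not kernel code and not taken from the fix commit). The struct layouts, the atomic_flag spinlock and buffer_io_then_reclaim() are assumptions standing in for the AIL, its lock and background reclaim.

```c
#include <stdatomic.h>
#include <stdlib.h>

/* Userspace model only: names mirror the advisory (ailp, lip, li_ailp);
 * the types, the spinlock and the reclaim stand-in are constructed. */
struct ail { atomic_flag lock; int pushed; };
struct log_item { struct ail *li_ailp; };

static void ail_lock(struct ail *a)   { while (atomic_flag_test_and_set(&a->lock)) ; }
static void ail_unlock(struct ail *a) { atomic_flag_clear(&a->lock); }

/* Stands in for buffer IO during which reclaim frees the log item. */
static void buffer_io_then_reclaim(struct log_item *lip) { free(lip); }

/* BEFORE (shown as a comment so no undefined behaviour is compiled):
 *
 *     ail_unlock(lip->li_ailp);      // lip valid: the lock is still held
 *     buffer_io_then_reclaim(lip);   // lip may be freed in this window
 *     ail_lock(lip->li_ailp);        // reads freed lip: use-after-free
 */

/* AFTER: copy the back-pointer while the lock still pins lip, then use
 * only the local copy. In this model the AIL outlives its items. */
int item_push_fixed(struct log_item *lip)
{
    struct ail *ailp = lip->li_ailp;  /* saved while the lock is held */

    ail_unlock(ailp);
    buffer_io_then_reclaim(lip);      /* lip must not be touched again */
    ail_lock(ailp);                   /* re-lock without reading lip */
    return ++ailp->pushed;
}

/* Drives the fixed path once; returns 1 if the push completed and the
 * lock is held again when the callback returns. */
int run_fixed_demo(void)
{
    struct ail ail = { ATOMIC_FLAG_INIT, 0 };
    struct log_item *lip = malloc(sizeof(*lip));

    if (!lip) return -1;
    lip->li_ailp = &ail;
    ail_lock(&ail);                   /* push is entered with lock held */
    int n = item_push_fixed(lip);
    int held = atomic_flag_test_and_set(&ail.lock); /* 1 if already set */
    ail_unlock(&ail);
    return (n == 1 && held) ? 1 : 0;
}

int main(void) { return run_fixed_demo() == 1 ? 0 : 1; }
```
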

Affected Systems

All Linux kernel releases that include the XFS filesystem and contain the buggy push callback functions from before the fix are affected. The issue is addressed by kernel commit 19437e4f7bb909afde832b39372aa2f3ce3cfd88 and any later commits that incorporate it. Linux kernel users on earlier versions are vulnerable.

Risk and Exploitability

The CVSS score of 7.8 classifies this flaw as high severity. The EPSS score of less than 1% indicates a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, meaning no publicly documented exploitation has been reported. The likely attack vector is local; an attacker would need the ability to write to an XFS filesystem to trigger the race between the AIL lock release and the background reclaim, potentially leading to a kernel panic or privilege escalation.

Generated by OpenCVE AI on May 6, 2026 at 21:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that contains the XFS commit 19437e4f7bb909afde832b39372aa2f3ce3cfd88 or later.
  • Reboot the system to load the updated kernel.
  • Monitor kernel mailing lists, vendor advisories, or patch‑management systems to ensure the kernel remains current with this and related security fixes.



Advisories
Source | ID | Title
Debian DLA | DLA-4561-1 | linux-6.1 security update
Debian DSA | DSA-6238-1 | linux security update
Debian DSA | DSA-6243-1 | linux security update
History

Wed, 06 May 2026 19:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics
Removed: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Added: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 23 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-413
References
Metrics
Removed: threat_severity None
Added: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}; threat_severity Moderate


Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: xfs: save ailp before dropping the AIL lock in push callbacks In xfs_inode_item_push() and xfs_qm_dquot_logitem_push(), the AIL lock is dropped to perform buffer IO. Once the cluster buffer no longer protects the log item from reclaim, the log item may be freed by background reclaim or the dquot shrinker. The subsequent spin_lock() call dereferences lip->li_ailp, which is a use-after-free. Fix this by saving the ailp pointer in a local variable while the AIL lock is held and the log item is guaranteed to be valid.
Title xfs: save ailp before dropping the AIL lock in push callbacks
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:09:01.897Z

Reserved: 2026-03-09T15:48:24.091Z

Link: CVE-2026-31454

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-04-22T14:16:39.823

Modified: 2026-05-06T19:42:56.250

Link: CVE-2026-31454

Redhat

Severity: Moderate

Public Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31454 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-06T21:15:13Z

Weaknesses