Description
In the Linux kernel, the following vulnerability has been resolved:

xfs: stop reclaim before pushing AIL during unmount

The unmount sequence in xfs_unmount_flush_inodes() pushed the AIL while
background reclaim and inodegc are still running. This is broken
independently of any use-after-free issues - background reclaim and
inodegc should not be running while the AIL is being pushed during
unmount, as inodegc can dirty and insert inodes into the AIL during the
flush, and background reclaim can race to abort and free dirty inodes.

Reorder xfs_unmount_flush_inodes() to stop inodegc and cancel background
reclaim before pushing the AIL. Stop inodegc before cancelling
m_reclaim_work because the inodegc worker can re-queue m_reclaim_work
via xfs_inodegc_set_reclaimable.
Published: 2026-04-22
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A race condition exists in the XFS unmount routine when the Allocated Inode List (AIL) is flushed while background reclaim and inode garbage collection are still active. The concurrent execution can cause dirty or newly inserted inodes to be freed or overwritten, leading to corrupted inode metadata and potentially a kernel crash, so the primary impact is data integrity loss or a kernel panic. This weakness involves both a race condition (CWE‑366) and a potential use‑after‑free scenario (CWE‑416) during the unmount process.

Affected Systems

The flaw is embedded in the Linux kernel’s XFS module. Any system running a kernel version before the patch that mounts an XFS filesystem and subsequently unmounts it is potentially affected. The exact vulnerable kernel version numbers are not listed, so all kernels preceding the fix are considered susceptible.

Risk and Exploitability

Only privileged or root users who can issue an unmount can trigger the race, so the attack surface is limited to system administrators or malicious processes with elevated rights. The CVSS score is 7.8, the EPSS score is below 1 %, and the vulnerability is not in CISA’s KEV catalogue, indicating a moderate to high likelihood of exploitation but an appreciable impact if triggered. The root cause is a race condition (CWE‑366) and a use‑after‑free scenario (CWE‑416) that can lead to denial of service or integrity failure when an XFS filesystem is unmounted during active background reclaim or inode garbage collection.

Generated by OpenCVE AI on May 5, 2026 at 22:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that contains the XFS unmount race condition fix.
  • Reboot the system to load the updated kernel and ensure the fix takes effect.
  • If an immediate reboot is not feasible, schedule XFS unmounts during periods of low background reclaim or inode garbage collection activity and avoid unmounting while heavy background work is running.

Generated by OpenCVE AI on May 5, 2026 at 22:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4561-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6238-1 linux security update
Debian DSA Debian DSA DSA-6243-1 linux security update
History

Tue, 05 May 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 23 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-366
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: xfs: stop reclaim before pushing AIL during unmount The unmount sequence in xfs_unmount_flush_inodes() pushed the AIL while background reclaim and inodegc are still running. This is broken independently of any use-after-free issues - background reclaim and inodegc should not be running while the AIL is being pushed during unmount, as inodegc can dirty and insert inodes into the AIL during the flush, and background reclaim can race to abort and free dirty inodes. Reorder xfs_unmount_flush_inodes() to stop inodegc and cancel background reclaim before pushing the AIL. Stop inodegc before cancelling m_reclaim_work because the inodegc worker can re-queue m_reclaim_work via xfs_inodegc_set_reclaimable.
Title xfs: stop reclaim before pushing AIL during unmount
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:09:03.235Z

Reserved: 2026-03-09T15:48:24.092Z

Link: CVE-2026-31455

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-22T14:16:40.013

Modified: 2026-05-05T21:11:27.460

Link: CVE-2026-31455

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31455 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-05T22:30:33Z

Weaknesses