CVE-2026-31580 - Vulnerability Details

- bcache: fix cached_dev.sb_bio use-after-free and crash

Description

In the Linux kernel, the following vulnerability has been resolved:

bcache: fix cached_dev.sb_bio use-after-free and crash

In our production environment, we have received multiple crash reports
regarding libceph, which have caught our attention:

```
[6888366.280350] Call Trace:
[6888366.280452] blk_update_request+0x14e/0x370
[6888366.280561] blk_mq_end_request+0x1a/0x130
[6888366.280671] rbd_img_handle_request+0x1a0/0x1b0 [rbd]
[6888366.280792] rbd_obj_handle_request+0x32/0x40 [rbd]
[6888366.280903] __complete_request+0x22/0x70 [libceph]
[6888366.281032] osd_dispatch+0x15e/0xb40 [libceph]
[6888366.281164] ? inet_recvmsg+0x5b/0xd0
[6888366.281272] ? ceph_tcp_recvmsg+0x6f/0xa0 [libceph]
[6888366.281405] ceph_con_process_message+0x79/0x140 [libceph]
[6888366.281534] ceph_con_v1_try_read+0x5d7/0xf30 [libceph]
[6888366.281661] ceph_con_workfn+0x329/0x680 [libceph]
```

After analyzing the coredump file, we found that the address of
dc->sb_bio has been freed. We know that cached_dev is only freed when it
is stopped.

Since sb_bio is a part of struct cached_dev, rather than an alloc every
time. If the device is stopped while writing to the superblock, the
released address will be accessed at endio.

This patch hopes to wait for sb_write to complete in cached_dev_free.

It should be noted that we analyzed the cause of the problem, then tell
all details to the QWEN and adopted the modifications it made.

Published: 2026-04-24

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a use‑after‑free condition (CWE‑416, CWE‑367) in the bcache subsystem of the Linux kernel. When a bcache device is stopped while a superblock write is in progress, the cached_dev.sb_bio pointer is freed but later accessed during the I/O completion callback. The resulting memory corruption causes a kernel crash, which can terminate critical services.

Affected Systems

All Linux kernel implementations that include the bcache module and are running versions prior to the patch that introduced the safe free logic are affected. Both vendor and community kernels are susceptible, as the CNA list identifies the product simply as "Linux: Linux" and no specific version range is provided. Users of bcache on any recent kernel should verify whether the applied kernel contains the commit referenced in the advisory.

Risk and Exploitability

The CVSS score of 7.8 indicates a high severity for instability. The EPSS score is reported as less than 1%, signalling that the probability of exploitation is low at this time and the vulnerability is not currently included in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is local, requiring the ability to stop a bcache device that is actively writing data. An attacker with local system access could attempt to trigger the crash, causing a denial of service.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`cafe563591446cf80bfbc2fe3bc72a2e36cf1060`	affected	< 47fa09fe7f3e09df28a51cb2cbd8f5d2f7f6edc1
`cafe563591446cf80bfbc2fe3bc72a2e36cf1060`	affected	< add4982510f3b7c318a2dd7438bdc9c63171e753
`cafe563591446cf80bfbc2fe3bc72a2e36cf1060`	affected	< 2d6965581e164fa2ba3f7652ddae5535f6336576
`cafe563591446cf80bfbc2fe3bc72a2e36cf1060`	affected	< 4f71c8ba2dc009042493021d94a9718fbe2ebf27
`cafe563591446cf80bfbc2fe3bc72a2e36cf1060`	affected	< 383f7fec0de8cee1cf7ae1f9d9f14044a61f10f9
`cafe563591446cf80bfbc2fe3bc72a2e36cf1060`	affected	< fec114a98b8735ee89c75216c45a78e28be0f128

Linux

affected

Version	Status	Constraints
`3.10`	affected	—
`0`	unaffected	< 3.10
`6.6.136`	unaffected	≤ 6.6.*
`6.12.83`	unaffected	≤ 6.12.*
`6.18.24`	unaffected	≤ 6.18.*
`6.19.14`	unaffected	≤ 6.19.*
`7.0.1`	unaffected	≤ 7.0.*
`7.1-rc1`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[cafe563591446cf80bfbc2fe3bc72a2e36cf1060,47fa09fe7f3e09df28a51cb2cbd8f5d2f7f6edc1)`	affected	code_commit	—
`[cafe563591446cf80bfbc2fe3bc72a2e36cf1060,add4982510f3b7c318a2dd7438bdc9c63171e753)`	affected	code_commit	—
`[cafe563591446cf80bfbc2fe3bc72a2e36cf1060,2d6965581e164fa2ba3f7652ddae5535f6336576)`	affected	code_commit	—
`[cafe563591446cf80bfbc2fe3bc72a2e36cf1060,4f71c8ba2dc009042493021d94a9718fbe2ebf27)`	affected	code_commit	—
`[cafe563591446cf80bfbc2fe3bc72a2e36cf1060,383f7fec0de8cee1cf7ae1f9d9f14044a61f10f9)`	affected	code_commit	—
`[cafe563591446cf80bfbc2fe3bc72a2e36cf1060,fec114a98b8735ee89c75216c45a78e28be0f128)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`3.10`	affected	generic	—
`[0,3.10)`	unaffected	generic	—
`[6.6.136,7.0.0)`	unaffected	semver	—
`[6.12.83,7.0.0)`	unaffected	semver	—
`[7.0.1,8.0.0)`	unaffected	semver	—
`[6.18.24,7.0.0)`	unaffected	semver	—
`[6.19.14,7.0.0)`	unaffected	semver	—
`[7.1-rc1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply a kernel update that includes the bcache use‑after‑free fix (e.g., the patch series referenced in the advisory).
If an immediate kernel upgrade is not possible, unload or disable the bcache module and refrain from booting it into the running system.
Monitor system logs for occurrences of kernel panics or unexpected I/O failures, and enforce stricter device access controls to limit who can manipulate bcache devices.

Generated by OpenCVE AI on April 28, 2026 at 14:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6238-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/2d6965581e164fa2ba3f7652ddae5535f6336576
https://git.kernel.org/stable/c/383f7fec0de8cee1cf7ae1f9d9f14044a61f10f9
https://git.kernel.org/stable/c/47fa09fe7f3e09df28a51cb2cbd8f5d2f7f6edc1
https://git.kernel.org/stable/c/4f71c8ba2dc009042493021d94a9718fbe2ebf27
https://git.kernel.org/stable/c/add4982510f3b7c318a2dd7438bdc9c63171e753
https://git.kernel.org/stable/c/fec114a98b8735ee89c75216c45a78e28be0f128
https://lore.kernel.org/linux-cve-announce/2026042411-CVE-2026-31580-7d94@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31580
https://www.cve.org/CVERecord?id=CVE-2026-31580

History

Mon, 27 Apr 2026 20:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416
Metrics		cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Mon, 27 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/47fa09fe7f3e09df28a51cb2cbd8f5d2f7f6edc1

Mon, 27 Apr 2026 11:30:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/fec114a98b8735ee89c75216c45a78e28be0f128

Sat, 25 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-367
References		https://lore.kernel.org/linux-cve-announce/2026042411-CVE-2026-31580-7d94@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31580 https://www.cve.org/CVERecord?id=CVE-2026-31580

Fri, 24 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: bcache: fix cached_dev.sb_bio use-after-free and crash In our production environment, we have received multiple crash reports regarding libceph, which have caught our attention: ``` [6888366.280350] Call Trace: [6888366.280452] blk_update_request+0x14e/0x370 [6888366.280561] blk_mq_end_request+0x1a/0x130 [6888366.280671] rbd_img_handle_request+0x1a0/0x1b0 [rbd] [6888366.280792] rbd_obj_handle_request+0x32/0x40 [rbd] [6888366.280903] __complete_request+0x22/0x70 [libceph] [6888366.281032] osd_dispatch+0x15e/0xb40 [libceph] [6888366.281164] ? inet_recvmsg+0x5b/0xd0 [6888366.281272] ? ceph_tcp_recvmsg+0x6f/0xa0 [libceph] [6888366.281405] ceph_con_process_message+0x79/0x140 [libceph] [6888366.281534] ceph_con_v1_try_read+0x5d7/0xf30 [libceph] [6888366.281661] ceph_con_workfn+0x329/0x680 [libceph] ``` After analyzing the coredump file, we found that the address of dc->sb_bio has been freed. We know that cached_dev is only freed when it is stopped. Since sb_bio is a part of struct cached_dev, rather than an alloc every time. If the device is stopped while writing to the superblock, the released address will be accessed at endio. This patch hopes to wait for sb_write to complete in cached_dev_free. It should be noted that we analyzed the cause of the problem, then tell all details to the QWEN and adopted the modifications it made.
Title		bcache: fix cached_dev.sb_bio use-after-free and crash
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/2d6965581e164fa2ba3f7652ddae5535f6336576 https://git.kernel.org/stable/c/383f7fec0de8cee1cf7ae1f9d9f14044a61f10f9 https://git.kernel.org/stable/c/4f71c8ba2dc009042493021d94a9718fbe2ebf27 https://git.kernel.org/stable/c/add4982510f3b7c318a2dd7438bdc9c63171e753

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-24T14:42:10.874Z

Updated: 2026-05-11T22:11:32.506Z

Reserved: 2026-03-09T15:48:24.119Z

Link: CVE-2026-31580

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-24T15:16:32.683

Modified: 2026-04-27T20:29:15.333

Link: CVE-2026-31580

Redhat

Severity :

Publid Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31580 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T14:15:34Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object