Description
In the Linux kernel, the following vulnerability has been resolved:

writeback: Fix use after free in inode_switch_wbs_work_fn()

inode_switch_wbs_work_fn() has a loop like:

wb_get(new_wb);
while (1) {
list = llist_del_all(&new_wb->switch_wbs_ctxs);
/* Nothing to do? */
if (!list)
break;
... process the items ...
}

Now adding of items to the list looks like:

wb_queue_isw()
if (llist_add(&isw->list, &wb->switch_wbs_ctxs))
queue_work(isw_wq, &wb->switch_work);

Because inode_switch_wbs_work_fn() loops when processing isw items, it
can happen that wb->switch_work is pending while wb->switch_wbs_ctxs is
empty. This is a problem because in that case wb can get freed (no isw
items -> no wb reference) while the work is still pending causing
use-after-free issues.

We cannot just fix this by cancelling work when freeing wb because that
could still trigger problematic 0 -> 1 transitions on wb refcount due to
wb_get() in inode_switch_wbs_work_fn(). It could be all handled with
more careful code but that seems unnecessarily complex so let's avoid
that until it is proven that the looping actually brings practical
benefit. Just remove the loop from inode_switch_wbs_work_fn() instead.
That way when wb_queue_isw() queues work, we are guaranteed we have
added the first item to wb->switch_wbs_ctxs and nobody is going to
remove it (and drop the wb reference it holds) until the queued work
runs.
Published: 2026-05-01
Score: 7.0 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s inode_switch_wbs_work_fn() loop could start work on a writeback structure after that structure had already been freed, creating a use‑after‑free scenario. A malicious local process could exploit this flaw to corrupt kernel memory, potentially gaining elevated privileges or executing arbitrary code in kernel mode, which could compromise system integrity.

Affected Systems

This vulnerability affects the Linux kernel. Specific affected kernel versions are not listed in the provided data; the fix is present in the latest stable kernel branches that incorporate the referenced commit.

Risk and Exploitability

The CVSS score of 7.0 indicates high severity. A use‑after‑free in kernel space is normally considered high severity with a high probability of exploitation in a privileged or local context. The EPSS score is unavailable and the vulnerability is not currently in the CISA KEV catalog. Nevertheless, an attacker on the affected system could trigger the flaw by manipulating the writeback subsystem, so the risk is significant for each host that runs a kernel version without the patch.

Generated by OpenCVE AI on May 2, 2026 at 07:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that includes the bug‑fix commit identified in the references.
  • Reboot the system so that the updated kernel is loaded and running.
  • If upgrading is not feasible, manually apply the patch from the referenced commit to the kernel source tree, rebuild, and install.

Generated by OpenCVE AI on May 2, 2026 at 07:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important

Fri, 01 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: writeback: Fix use after free in inode_switch_wbs_work_fn() inode_switch_wbs_work_fn() has a loop like: wb_get(new_wb); while (1) { list = llist_del_all(&new_wb->switch_wbs_ctxs); /* Nothing to do? */ if (!list) break; ... process the items ... } Now adding of items to the list looks like: wb_queue_isw() if (llist_add(&isw->list, &wb->switch_wbs_ctxs)) queue_work(isw_wq, &wb->switch_work); Because inode_switch_wbs_work_fn() loops when processing isw items, it can happen that wb->switch_work is pending while wb->switch_wbs_ctxs is empty. This is a problem because in that case wb can get freed (no isw items -> no wb reference) while the work is still pending causing use-after-free issues. We cannot just fix this by cancelling work when freeing wb because that could still trigger problematic 0 -> 1 transitions on wb refcount due to wb_get() in inode_switch_wbs_work_fn(). It could be all handled with more careful code but that seems unnecessarily complex so let's avoid that until it is proven that the looping actually brings practical benefit. Just remove the loop from inode_switch_wbs_work_fn() instead. That way when wb_queue_isw() queues work, we are guaranteed we have added the first item to wb->switch_wbs_ctxs and nobody is going to remove it (and drop the wb reference it holds) until the queued work runs.
Title writeback: Fix use after free in inode_switch_wbs_work_fn()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-01T13:56:02.415Z

Reserved: 2026-03-09T15:48:24.132Z

Link: CVE-2026-31703

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-01T14:16:20.263

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-31703

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31703 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T07:45:37Z

Weaknesses