Impact
The vulnerability resides in the Linux kernel’s mb_cache_destroy routine, where a pending shrink work item is invoked after the memory it references has been freed. Because the work item is not cancelled before the cache is released, the worker accesses freed memory, causing a use‑after‑free that can corrupt kernel structures, trigger a crash, or allow a malicious user with root or CAP_SYS_ADMIN privileges to gain higher privilege. The flaw is local, requiring the attacker to be able to initiate the final put of a mounted ext2, ext4, or ocfs2 filesystem.
Affected Systems
All Linux kernel builds that lack the cancel_work_sync insertion in mb_cache_destroy are affected. In practice, this includes any kernel version that still contains the original mb_cache_destroy implementation, such as the ext2, ext4, and ocfs2 filesystem drivers in earlier releases.
Risk and Exploitability
The CVSS score of 5.5 indicates moderate severity. EPSS data is not available and the vulnerability is not listed in CISA KEV, which suggests no publicly disclosed exploits yet. However, the attack requires local root or CAP_SYS_ADMIN; an attacker with those privileges can trigger the race and achieve kernel corruption. The exploitation pathway is clear: a privileged process forces the final put operation of a mounted filesystem, causing mb_cache_destroy to run while a shrink work task remains scheduled.
OpenCVE Enrichment