Description
In the Linux kernel, the following vulnerability has been resolved:

fs/mbcache: cancel shrink work before destroying the cache

mb_cache_destroy() calls shrinker_free() and then frees all cache
entries and the cache itself, but it does not cancel the pending
c_shrink_work work item first.

If mb_cache_entry_create() schedules c_shrink_work via schedule_work()
and the work item is still pending or running when mb_cache_destroy()
runs, mb_cache_shrink_worker() will access the cache after its memory
has been freed, causing a use-after-free.

This is only reachable by a privileged user (root or CAP_SYS_ADMIN)
who can trigger the last put of a mounted ext2/ext4/ocfs2 filesystem.

Cancel the work item with cancel_work_sync() before calling
shrinker_free(), ensuring the worker has finished and will not be
rescheduled before the cache is torn down.
Published: 2026-06-24
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Linux kernel’s mb_cache_destroy routine, where a pending shrink work item is invoked after the memory it references has been freed. Because the work item is not cancelled before the cache is released, the worker accesses freed memory, causing a use‑after‑free that can corrupt kernel structures, trigger a crash, or allow a malicious user with root or CAP_SYS_ADMIN privileges to gain higher privilege. The flaw is local, requiring the attacker to be able to initiate the final put of a mounted ext2, ext4, or ocfs2 filesystem.

Affected Systems

All Linux kernel builds that lack the cancel_work_sync insertion in mb_cache_destroy are affected. In practice, this includes any kernel version that still contains the original mb_cache_destroy implementation, such as the ext2, ext4, and ocfs2 filesystem drivers in earlier releases.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity. EPSS data is not available and the vulnerability is not listed in CISA KEV, which suggests no publicly disclosed exploits yet. However, the attack requires local root or CAP_SYS_ADMIN; an attacker with those privileges can trigger the race and achieve kernel corruption. The exploitation pathway is clear: a privileged process forces the final put operation of a mounted filesystem, causing mb_cache_destroy to run while a shrink work task remains scheduled.

Generated by OpenCVE AI on June 25, 2026 at 04:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that incorporates commit 0e4eff3, which adds cancel_work_sync before freeing the cache.
  • Reboot the system after updating the kernel so that any residual shrink work items are cleared.
  • Limit root and CAP_SYS_ADMIN privileges to trusted administrators to reduce the attack surface.

Generated by OpenCVE AI on June 25, 2026 at 04:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 25 Jun 2026 03:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 25 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 24 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: fs/mbcache: cancel shrink work before destroying the cache mb_cache_destroy() calls shrinker_free() and then frees all cache entries and the cache itself, but it does not cancel the pending c_shrink_work work item first. If mb_cache_entry_create() schedules c_shrink_work via schedule_work() and the work item is still pending or running when mb_cache_destroy() runs, mb_cache_shrink_worker() will access the cache after its memory has been freed, causing a use-after-free. This is only reachable by a privileged user (root or CAP_SYS_ADMIN) who can trigger the last put of a mounted ext2/ext4/ocfs2 filesystem. Cancel the work item with cancel_work_sync() before calling shrinker_free(), ensuring the worker has finished and will not be rescheduled before the cache is torn down.
Title fs/mbcache: cancel shrink work before destroying the cache
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:30:56.562Z

Reserved: 2026-06-09T07:44:35.386Z

Link: CVE-2026-53129

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-53129 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T05:00:12Z

Weaknesses