Description
In the Linux kernel, the following vulnerability has been resolved:

erofs: fix use-after-free on sbi->sync_decompress

z_erofs_decompress_kickoff() can race with filesystem unmount, causing
a use-after-free on sbi->sync_decompress.

When I/O completes, z_erofs_endio() calls z_erofs_decompress_kickoff()
to queue z_erofs_decompressqueue_work() asynchronously. Then, after all
folios are unlocked, unmount workflow can proceed and sbi will be freed
before accessing to sbi->sync_decompress.

Thread (unmount) I/O completion kworker
queue_work
z_erofs_decompressqueue_work
(all folios are unlocked)
cleanup_mnt
..
erofs_kill_sb
erofs_sb_free
kfree(sbi)
access sbi->sync_decompress // UAF!!
Published: 2026-06-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when the erofs decompression routine is scheduled to run after the file system is unmounted, resulting in a use‑after‑free of the superblock structure. This race condition enables an attacker who can trigger an unmount to cause kernel memory corruption, which in turn can be leveraged for arbitrary code execution at kernel privilege. The documented weakness is a classic example of a race condition that leads to use‑after‑free, aligning with CWE‑362.

Affected Systems

All configurations of the Linux kernel that compile with erofs support are susceptible. No specific kernel versions, so any release containing the erofs module prior to the referenced commit is potentially affected. The vulnerability is limited to systems that actually mount an erofs file system and have the ability to unmount it.

Risk and Exploitability

Because the flaw is triggered by the unmount sequence, an attacker must have the privilege to initiate an unmount, typically a local root or a user with sufficient rights to remount as unprivileged. No public exploit has been reported and the EPSS score is < 1%, while the CVSS score is 5.5, indicating moderate risk. The vulnerability is not listed in the CISA KEV catalog, indicating that it has not yet been widely leveraged in the wild. If the system runs untrusted code with authority to unmount the erofs file system it could lead to privilege escalation or a crash.

Generated by OpenCVE AI on June 30, 2026 at 03:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a release that includes the erofs use‑after‑free patch, or apply the patch from the kernel commit references listed.
  • Schedule a reboot so that all erofs instances are cleanly unmounted and the new kernel image is active.
  • If erofs is not required, disable erofs support in the kernel configuration or unmount all erofs file systems before shutdown.
  • As an interim workaround, remount erofs file systems as read‑only if possible to reduce the window for the race condition.

Generated by OpenCVE AI on June 30, 2026 at 03:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 03:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Tue, 30 Jun 2026 02:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Tue, 30 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Thu, 25 Jun 2026 12:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: erofs: fix use-after-free on sbi->sync_decompress z_erofs_decompress_kickoff() can race with filesystem unmount, causing a use-after-free on sbi->sync_decompress. When I/O completes, z_erofs_endio() calls z_erofs_decompress_kickoff() to queue z_erofs_decompressqueue_work() asynchronously. Then, after all folios are unlocked, unmount workflow can proceed and sbi will be freed before accessing to sbi->sync_decompress. Thread (unmount) I/O completion kworker queue_work z_erofs_decompressqueue_work (all folios are unlocked) cleanup_mnt .. erofs_kill_sb erofs_sb_free kfree(sbi) access sbi->sync_decompress // UAF!!
Title erofs: fix use-after-free on sbi->sync_decompress
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:57.147Z

Reserved: 2026-06-09T07:44:35.395Z

Link: CVE-2026-53272

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53272 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T03:30:05Z

Weaknesses
  • CWE-362

    Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')