Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2026-23224

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
18/02/2026
Last modified:
02/04/2026

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> erofs: fix UAF issue for file-backed mounts w/ directio option<br /> <br /> [ 9.269940][ T3222] Call trace:<br /> [ 9.269948][ T3222] ext4_file_read_iter+0xac/0x108<br /> [ 9.269979][ T3222] vfs_iocb_iter_read+0xac/0x198<br /> [ 9.269993][ T3222] erofs_fileio_rq_submit+0x12c/0x180<br /> [ 9.270008][ T3222] erofs_fileio_submit_bio+0x14/0x24<br /> [ 9.270030][ T3222] z_erofs_runqueue+0x834/0x8ac<br /> [ 9.270054][ T3222] z_erofs_read_folio+0x120/0x220<br /> [ 9.270083][ T3222] filemap_read_folio+0x60/0x120<br /> [ 9.270102][ T3222] filemap_fault+0xcac/0x1060<br /> [ 9.270119][ T3222] do_pte_missing+0x2d8/0x1554<br /> [ 9.270131][ T3222] handle_mm_fault+0x5ec/0x70c<br /> [ 9.270142][ T3222] do_page_fault+0x178/0x88c<br /> [ 9.270167][ T3222] do_translation_fault+0x38/0x54<br /> [ 9.270183][ T3222] do_mem_abort+0x54/0xac<br /> [ 9.270208][ T3222] el0_da+0x44/0x7c<br /> [ 9.270227][ T3222] el0t_64_sync_handler+0x5c/0xf4<br /> [ 9.270253][ T3222] el0t_64_sync+0x1bc/0x1c0<br /> <br /> EROFS may encounter above panic when enabling file-backed mount w/<br /> directio mount option, the root cause is it may suffer UAF in below<br /> race condition:<br /> <br /> - z_erofs_read_folio wq s_dio_done_wq<br /> - z_erofs_runqueue<br /> - erofs_fileio_submit_bio<br /> - erofs_fileio_rq_submit<br /> - vfs_iocb_iter_read<br /> - ext4_file_read_iter<br /> - ext4_dio_read_iter<br /> - iomap_dio_rw<br /> : bio was submitted and return -EIOCBQUEUED<br /> - dio_aio_complete_work<br /> - dio_complete<br /> - dio-&gt;iocb-&gt;ki_complete (erofs_fileio_ki_complete())<br /> - kfree(rq)<br /> : it frees iocb, iocb.ki_filp can be UAF in file_accessed().<br /> - file_accessed<br /> : access NULL file point<br /> <br /> Introduce a reference count in struct erofs_fileio_rq, and initialize it<br /> as two, both erofs_fileio_ki_complete() and erofs_fileio_rq_submit() will<br /> decrease reference count, the last one decreasing the reference count<br /> to zero will free rq.

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS v3.1 Severity and Metrics:

Base Score: 7.80 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Base Score 3.x
7.80
Severity 3.x
HIGH

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.12 (including) 6.12.72 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.18.11 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19 (including) 6.19.1 (excluding)

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools