CVE-2026-23224— erofs: fix UAF issue for file-backed mounts w/ directio option
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-23224
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
erofs: fix UAF issue for file-backed mounts w/ directio option
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: erofs: fix UAF issue for file-backed mounts w/ directio option [ 9.269940][ T3222] Call trace: [ 9.269948][ T3222] ext4_file_read_iter+0xac/0x108 [ 9.269979][ T3222] vfs_iocb_iter_read+0xac/0x198 [ 9.269993][ T3222] erofs_fileio_rq_submit+0x12c/0x180 [ 9.270008][ T3222] erofs_fileio_submit_bio+0x14/0x24 [ 9.270030][ T3222] z_erofs_runqueue+0x834/0x8ac [ 9.270054][ T3222] z_erofs_read_folio+0x120/0x220 [ 9.270083][ T3222] filemap_read_folio+0x60/0x120 [ 9.270102][ T3222] filemap_fault+0xcac/0x1060 [ 9.270119][ T3222] do_pte_missing+0x2d8/0x1554 [ 9.270131][ T3222] handle_mm_fault+0x5ec/0x70c [ 9.270142][ T3222] do_page_fault+0x178/0x88c [ 9.270167][ T3222] do_translation_fault+0x38/0x54 [ 9.270183][ T3222] do_mem_abort+0x54/0xac [ 9.270208][ T3222] el0_da+0x44/0x7c [ 9.270227][ T3222] el0t_64_sync_handler+0x5c/0xf4 [ 9.270253][ T3222] el0t_64_sync+0x1bc/0x1c0 EROFS may encounter above panic when enabling file-backed mount w/ directio mount option, the root cause is it may suffer UAF in below race condition: - z_erofs_read_folio wq s_dio_done_wq - z_erofs_runqueue - erofs_fileio_submit_bio - erofs_fileio_rq_submit - vfs_iocb_iter_read - ext4_file_read_iter - ext4_dio_read_iter - iomap_dio_rw : bio was submitted and return -EIOCBQUEUED - dio_aio_complete_work - dio_complete - dio->iocb->ki_complete (erofs_fileio_ki_complete()) - kfree(rq) : it frees iocb, iocb.ki_filp can be UAF in file_accessed(). - file_accessed : access NULL file point Introduce a reference count in struct erofs_fileio_rq, and initialize it as two, both erofs_fileio_ki_complete() and erofs_fileio_rq_submit() will decrease reference count, the last one decreasing the reference count to zero will free rq.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于文件系统挂载时存在释放后重用问题。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-23224
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-23224
请登录查看更多情报信息。
Same Patch Batch · Linux · 2026-02-18 · 31 CVEs total
| CVE-2026-23230 | 8.8 HIGH | smb: client: split cached_fid bitfields to avoid shared-byte RMW races |
| CVE-2026-23226 | 8.8 HIGH | ksmbd: add chann_lock to protect ksmbd_chann_list xarray |
| CVE-2026-23227 | 7.8 HIGH | drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to |
| CVE-2026-23225 | 7.8 HIGH | sched/mmcid: Don't assume CID is CPU owned on mode switch |
| CVE-2026-23222 | 7.8 HIGH | crypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly |
| CVE-2025-71233 | PCI: endpoint: Avoid creating sub-groups asynchronously | |
| CVE-2026-23229 | crypto: virtio - Add spinlock protection with virtqueue notification | |
| CVE-2026-23228 | smb: server: fix leak of active_num_conn in ksmbd_tcp_new_connection() | |
| CVE-2026-23223 | xfs: fix UAF in xchk_btree_check_block_owner | |
| CVE-2026-23221 | bus: fsl-mc: fix use-after-free in driver_override_show() | |
| CVE-2026-23220 | ksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error paths | |
| CVE-2025-71237 | nilfs2: Fix potential block overflow that cause system hang | |
| CVE-2025-71236 | scsi: qla2xxx: Validate sp before freeing associated memory | |
| CVE-2025-71235 | scsi: qla2xxx: Delay module unload while fabric scan in progress | |
| CVE-2025-71234 | wifi: rtl8xxxu: fix slab-out-of-bounds in rtl8xxxu_sta_add | |
| CVE-2026-23211 | mm, swap: restore swap_space attr aviod kernel panic | |
| CVE-2025-71232 | scsi: qla2xxx: Free sp in error path to fix system crash | |
| CVE-2025-71231 | crypto: iaa - Fix out-of-bounds index in find_empty_iaa_compression_mode | |
| CVE-2025-71230 | hfs: ensure sb->s_fs_info is always cleaned up | |
| CVE-2025-71229 | wifi: rtw88: Fix alignment fault in rtw_core_enable_beacon() |
Showing top 20 of 31 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
Same vendor: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
V. Comments for CVE-2026-23224
No comments yet