Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-53129— fs/mbcache: cancel shrink work before destroying the cache

AI Predicted 6.5 Difficulty: Moderate EPSS 0.16% · P5

Affected Version Matrix 10

VendorProductVersion RangeStatus
LinuxLinuxc2f3140fe2eceb3a6c1615b2648b9471544881c6< a88d39a74a208e197c03bffaa2df34de732af19faffected
c2f3140fe2eceb3a6c1615b2648b9471544881c6< 0e4eff315d799f5842b95872199b0f0fb8ef5f51affected
c2f3140fe2eceb3a6c1615b2648b9471544881c6< b25fd3523bef88fb7ffd4c5b63bbe9c08f73bb4caffected
c2f3140fe2eceb3a6c1615b2648b9471544881c6< d227786ab1119669df4dc333a61510c52047cce4affected
4.6affected
< 4.6unaffected
6.12.91≤ 6.12.*unaffected
6.18.33≤ 6.18.*unaffected
… +2 more rows
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-53129

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
fs/mbcache: cancel shrink work before destroying the cache
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: fs/mbcache: cancel shrink work before destroying the cache mb_cache_destroy() calls shrinker_free() and then frees all cache entries and the cache itself, but it does not cancel the pending c_shrink_work work item first. If mb_cache_entry_create() schedules c_shrink_work via schedule_work() and the work item is still pending or running when mb_cache_destroy() runs, mb_cache_shrink_worker() will access the cache after its memory has been freed, causing a use-after-free. This is only reachable by a privileged user (root or CAP_SYS_ADMIN) who can trigger the last put of a mounted ext2/ext4/ocfs2 filesystem. Cancel the work item with cancel_work_sync() before calling shrinker_free(), ensuring the worker has finished and will not be rescheduled before the cache is torn down.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会开源的操作系统Linux所使用的内核。 Linux kernel 4.6版本存在安全漏洞,该漏洞源于fs/mbcache中在销毁缓存前未取消收缩工作,可能导致释放后重用。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux c2f3140fe2eceb3a6c1615b2648b9471544881c6 ~ a88d39a74a208e197c03bffaa2df34de732af19f -
LinuxLinux 4.6 -

II. Public POCs for CVE-2026-53129

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-53129

登录查看更多情报信息。

Patches & Fixes for CVE-2026-53129 (4)

Same Patch Batch · Linux · 2026-06-24 · 219 CVEs total

CVE-2026-530889.8 CRITICALnet: bcmgenet: fix off-by-one in bcmgenet_put_txcb
CVE-2026-529939.8 CRITICALtipc: fix double-free in tipc_buf_append()
CVE-2026-529899.8 CRITICALnvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers
CVE-2026-529869.8 CRITICALnetfilter: nf_conntrack_sip: don't use simple_strtoul
CVE-2026-529829.8 CRITICALnet: usb: rtl8150: fix use-after-free in rtl8150_start_xmit()
CVE-2026-530029.8 CRITICALnetfilter: conntrack: remove sprintf usage
CVE-2026-530069.8 CRITICALipv6: fix possible UAF in icmpv6_rcv()
CVE-2026-530459.8 CRITICALmemory: tegra124-emc: Fix dll_change check
CVE-2026-530869.8 CRITICALnet: bcmgenet: fix racing timeout handler
CVE-2026-530469.8 CRITICALksmbd: fix use-after-free from async crypto on Qualcomm crypto engine
CVE-2026-529559.8 CRITICALlibceph: Fix potential out-of-bounds access in crush_decode()
CVE-2026-530499.8 CRITICALgfs2: add some missing log locking
CVE-2026-530559.8 CRITICALcrypto: hisilicon/sec2 - prevent req used-after-free for sec
CVE-2026-529249.8 CRITICALsctp: purge outqueue on stale COOKIE-ECHO handling
CVE-2026-530109.8 CRITICALksmbd: fix use-after-free in smb2_open during durable reconnect
CVE-2026-529319.8 CRITICALbatman-adv: tp_meter: avoid use of uninit sender vars
CVE-2026-529149.8 CRITICALbatman-adv: fix fragment reassembly length accounting
CVE-2026-529589.1 CRITICALlibceph: Fix potential out-of-bounds access in osdmap_decode()
CVE-2026-529999.1 CRITICALnetfilter: nfnetlink_osf: fix out-of-bounds read on option matching
CVE-2026-530439.1 CRITICALocfs2/dlm: validate qr_numregions in dlm_match_regions()

Showing top 20 of 219 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

V. Comments for CVE-2026-53129

No comments yet


Leave a comment