CVE Catalog

CVE-2026-53272

HighCVSS 7.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.13%

3th percentile - higher than 3% of all known CVEs

Summary

A use-after-free vulnerability was found in the Linux kernel's EROFS filesystem. The issue occurs when z_erofs_decompress_kickoff() is called asynchronously after I/O completion and can race with the filesystem unmount process, leading to access to already freed sbi structure memory.

Risk Assessment

An attacker could exploit this vulnerability to escalate privileges or cause a denial of service (DoS) by intentionally triggering a race condition between decompression operations and unmounting the EROFS filesystem.

Recommendation

Immediately update the Linux kernel to a version containing the fix that eliminates the race condition in z_erofs_decompress_kickoff() by properly protecting access to sbi->sync_decompress.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: erofs: fix use-after-free on sbi->sync_decompress z_erofs_decompress_kickoff() can race with filesystem unmount, causing a use-after-free on sbi->sync_decompress. When I/O completes, z_erofs_endio() calls z_erofs_decompress_kickoff() to queue z_erofs_decompressqueue_work() asynchronously. Then, after all folios are unlocked, unmount workflow can proceed and sbi will be freed before accessing to sbi->sync_decompress. Thread (unmount) I/O completion kworker queue_work z_erofs_decompressqueue_work (all folios are unlocked) cleanup_mnt .. erofs_kill_sb erofs_sb_free kfree(sbi) access sbi->sync_decompress // UAF!!

Vulnerability data from NVD (NIST) · CISA KEV · EPSS