HIGH
ublk PartitionScan UAF
CVE-2026-22995
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 7.8 (HIGH)
01 Description
In the Linux kernel, the following vulnerability has been resolved:

ublk: fix use-after-free in ublk_partition_scan_work

A race condition exists between the async partition scan work and device teardown that can lead to a use-after-free of ub->ub_disk:

1. ublk_ctrl_start_dev() schedules partition_scan_work after add_disk()
2. ublk_stop_dev() calls ublk_stop_dev_unlocked() which does:
   - del_gendisk(ub->ub_disk)
   - ublk_detach_disk() sets ub->ub_disk = NULL
   - put_disk() which may free the disk
3. The worker ublk_partition_scan_work() then dereferences ub->ub_disk leading to UAF

Fix this by using ublk_get_disk()/ublk_put_disk() in the worker to hold a reference to the disk during the partition scan. The spinlock in ublk_get_disk() synchronizes with ublk_detach_disk() ensuring the worker either gets a valid reference or sees NULL and exits early.

Also change flush_work() to cancel_work_sync() to avoid running the partition scan work unnecessarily when the disk is already detached.
02 KernelScan AI Analysis
Risk summary
This use-after-free vulnerability in the ublk block driver could allow a local attacker with device access to cause system crashes or potentially execute arbitrary code. The race condition occurs during normal device operations when partition scanning and device teardown happen concurrently, making it a reliability and security concern for systems using ublk devices.
Vulnerability analysis
Root Cause: A race condition exists between the asynchronous partition scan worker (ublk_partition_scan_work) and device teardown (ublk_stop_dev). The teardown path calls del_gendisk(), sets ub->ub_disk to NULL via ublk_detach_disk(), and calls put_disk() which may free the disk structure. Meanwhile, the partition scan worker can still be running and attempts to dereference ub->ub_disk, leading to a use-after-free vulnerability.
Attack Surface: This is a local vulnerability requiring access to the ublk block device subsystem. An attacker would need the ability to create and manipulate ublk devices, which typically requires elevated privileges or specific device access permissions. The race condition can be triggered through normal device lifecycle operations (start/stop), so it is potentially reachable during legitimate device management.
Fix Mechanism: The fix makes the worker hold its own reference to the disk:
1) ublk_partition_scan_work() now brackets the scan with ublk_get_disk()/ublk_put_disk(), so the disk cannot be freed while the scan is running.
2) The spinlock in ublk_get_disk() synchronizes with ublk_detach_disk(), so the worker either obtains a valid reference or sees ub->ub_disk == NULL and exits early.
3) The teardown path now calls cancel_work_sync() instead of flush_work(), so a still-pending partition scan is not run at all once the disk is being detached.
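The get/put pattern behind the fix, modelled in user space as an added example (this is neither the kernel's code nor KernelScan's): `struct gendisk`, `struct ublk_device`, the `disks_freed` counter and `race_interleaving()` are hypothetical stand-ins, and a C11 `atomic_flag` replaces the driver's spinlock. It replays the interleaving from the description sequentially and checks that the worker's reference keeps the disk alive until its own put, while a worker that runs after teardown sees NULL and exits early.

```c
#include <stdatomic.h>
#include <stdlib.h>
/* Hypothetical user-space model of the fixed get/put logic (not kernel code). */
struct gendisk { atomic_int refcnt; };
struct ublk_device { atomic_flag lock; struct gendisk *ub_disk; };  /* lock: ub->lock stand-in */
static int disks_freed;                      /* bumped when the last reference drops */
static void ublk_put_disk(struct gendisk *d) {   /* put_disk(): frees at zero */
    if (d && atomic_fetch_sub(&d->refcnt, 1) == 1) { free(d); disks_freed++; }
}
/* Take a reference under ub->lock, or return NULL if the disk is already detached. */
static struct gendisk *ublk_get_disk(struct ublk_device *ub) {
    while (atomic_flag_test_and_set(&ub->lock)) {}
    struct gendisk *d = ub->ub_disk;
    if (d) atomic_fetch_add(&d->refcnt, 1);
    atomic_flag_clear(&ub->lock);
    return d;
}
/* Teardown: detach under the same lock, then drop the device's own reference. */
static void ublk_stop_dev(struct ublk_device *ub) {
    while (atomic_flag_test_and_set(&ub->lock)) {}
    struct gendisk *d = ub->ub_disk; ub->ub_disk = NULL;   /* ublk_detach_disk() */
    atomic_flag_clear(&ub->lock);
    ublk_put_disk(d);                        /* may free the disk */
}
/* Fixed worker: 1 if it scanned under its own reference, 0 if it exited early. */
static int ublk_partition_scan_work(struct ublk_device *ub) {
    struct gendisk *d = ublk_get_disk(ub);
    if (!d) return 0;                        /* saw NULL: disk already detached */
    ublk_put_disk(d);                        /* the real scan would run before this */
    return 1;
}
static struct ublk_device *ublk_start_dev(void) {
    struct ublk_device *ub = calloc(1, sizeof *ub);
    ub->ub_disk = calloc(1, sizeof *ub->ub_disk);
    atomic_flag_clear(&ub->lock);
    atomic_init(&ub->ub_disk->refcnt, 1);    /* add_disk(): device holds one ref */
    return ub;
}
/* The interleaving from the description, replayed step by step. Returns 1 if worker A's
 * reference kept the disk alive across teardown, a late worker saw NULL, and the disk
 * was freed only by worker A's final put. */
static int race_interleaving(void) {
    int before = disks_freed;
    struct ublk_device *ub = ublk_start_dev();
    struct gendisk *d = ublk_get_disk(ub);   /* worker A takes its reference */
    ublk_stop_dev(ub);                       /* del_gendisk + detach + put */
    int ok = ub->ub_disk == NULL && disks_freed == before && atomic_load(&d->refcnt) == 1;
    ok = ok && ublk_partition_scan_work(ub) == 0;   /* late worker exits early */
    ublk_put_disk(d);                        /* last reference: freed now */
    free(ub);
    return ok && disks_freed == before + 1;
}
```

Without the worker's own reference, the third step of the description would dereference the pointer that ublk_stop_dev() has just detached and possibly freed; with it, the device's put only drops the count to one and the object outlives teardown.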
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.6 | 72e28774e964 |