KernelScan.io

HIGH

xfs AIL UAF

CVE-2026-31454

CVSS 7.8 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI 6.9 MEDIUM

01

In the Linux kernel, the following vulnerability has been resolved:

xfs: save ailp before dropping the AIL lock in push callbacks

In xfs_inode_item_push() and xfs_qm_dquot_logitem_push(), the AIL lock is dropped to perform buffer IO. Once the cluster buffer no longer protects the log item from reclaim, the log item may be freed by background reclaim or the dquot shrinker. The subsequent spin_lock() call dereferences lip->li_ailp, which is a use-after-free.

Fix this by saving the ailp pointer in a local variable while the AIL lock is held and the log item is guaranteed to be valid.

02

Engine v0.2.0

Risk summary

Local users with low privileges can trigger a use-after-free in the XFS filesystem's Active Item List (AIL) handling via a race condition between AIL push callbacks and background reclaim or the dquot shrinker. This can lead to kernel memory corruption, information disclosure, or privilege escalation. The vulnerability occurs when the AIL lock is dropped for buffer I/O, allowing concurrent reclaim to free the log item before it is re-referenced.

Affected: XFS filesystem (fs/xfs/xfs_inode_item.c, fs/xfs/xfs_dquot_item.c)

Vulnerability analysis

The root cause is a race condition in XFS AIL push callbacks (xfs_inode_item_push() and xfs_qm_dquot_logitem_push()). The AIL lock is dropped to perform buffer I/O, creating a window where background inode reclaim or the dquot shrinker can free the log item (lip). When the code later attempts to reacquire the lock via spin_lock(&lip->li_ailp->ail_lock), it dereferences the freed structure, causing a use-after-free. The fix saves the ailp pointer in a local variable while the AIL lock is held and the log item is guaranteed valid, then uses the saved pointer for subsequent lock operations. Exploitation requires local access to perform filesystem operations on XFS and depends on winning a race with memory reclaim.
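The following userspace model is an added illustration, not code from KernelScan or from fs/xfs: the structure layouts, the lock and reclaim models, and the helper names (push_buggy, push_fixed, run_push, io_then_reclaim) are assumptions made for this example. It places the pre-fix and post-fix shape of the push callback side by side, with reclaim modelled as poisoning the log item so that the stale read of lip->li_ailp is observable instead of undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Minimal stand-ins for the kernel structures (assumed shapes, not fs/xfs). */
struct xfs_ail {
    int ail_locked;                 /* models the AIL spinlock: 1 = held */
};

struct xfs_log_item {
    struct xfs_ail *li_ailp;        /* back-pointer to the owning AIL */
};

typedef void io_fn(struct xfs_log_item *lip);
typedef int push_fn(struct xfs_log_item *lip, io_fn *do_io);

static void ail_lock(struct xfs_ail *ailp)   { ailp->ail_locked = 1; }
static void ail_unlock(struct xfs_ail *ailp) { ailp->ail_locked = 0; }

/* Model of background reclaim / the dquot shrinker freeing the item. Instead
 * of returning memory to the allocator, the struct is poisoned so that a
 * stale dereference is observable (li_ailp reads as NULL) rather than UB. */
static void reclaim_log_item(struct xfs_log_item *lip)
{
    memset(lip, 0, sizeof(*lip));
}

/* Simulated buffer I/O during which reclaim runs, as in the race above. */
static void io_then_reclaim(struct xfs_log_item *lip)
{
    reclaim_log_item(lip);
}

/* Pre-fix pattern: the AIL lock is dropped, reclaim frees the item, and the
 * callback then re-reads lip->li_ailp to retake the lock. In the kernel that
 * read is the use-after-free; here it yields the poisoned NULL and returns -1. */
int push_buggy(struct xfs_log_item *lip, io_fn *do_io)
{
    ail_unlock(lip->li_ailp);            /* drop AIL lock for buffer I/O */
    do_io(lip);                          /* item may be reclaimed here */
    struct xfs_ail *ailp = lip->li_ailp; /* stale read: UAF in the kernel */
    if (ailp == NULL)
        return -1;
    ail_lock(ailp);
    return 0;
}

/* Fixed pattern from the commit: save li_ailp while the lock is held and the
 * item is known to be live, then use only the saved pointer afterwards. */
int push_fixed(struct xfs_log_item *lip, io_fn *do_io)
{
    struct xfs_ail *ailp = lip->li_ailp; /* read while lip is guaranteed valid */
    ail_unlock(ailp);
    do_io(lip);                          /* lip must not be touched after this */
    ail_lock(ailp);                      /* saved pointer, not lip->li_ailp */
    return 0;
}

/* Runs one push callback the way the AIL would: entered with the lock held.
 * Returns 1 if the callback completed and left the AIL lock held, 0 otherwise. */
int run_push(push_fn *push)
{
    struct xfs_ail ail = { .ail_locked = 0 };
    struct xfs_log_item item = { .li_ailp = &ail };
    ail_lock(&ail);
    int rc = push(&item, io_then_reclaim);
    return rc == 0 && ail.ail_locked == 1;
}

int main(void)
{
    printf("buggy push callback survived: %d\n", run_push(push_buggy));  /* 0 */
    printf("fixed push callback survived: %d\n", run_push(push_fixed));  /* 1 */
    return 0;
}
```

The only difference between the two callbacks is where li_ailp is read: before the unlocked window, while the item is still protected, or after it, when the item may already be gone. That single moved load is the whole of the upstream fix.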

03

Branch     Fixed in   Patch commit
5.10       5.10.253   edd1637d4e39
5.15       5.15.203   19437e4f7bb9
6.1        6.1.168    6dbe17f19c29
6.12       6.12.80    d8fc60bbaf5a
6.18       6.18.21    50f5f056807b
6.19       6.19.11    4c7d50147316
6.6        6.6.131    75669e987137
mainline   7.0        394d70b86fae