Vulnerability-Lookup

CVE-2026-23224 (GCVE-0-2026-23224)

Vulnerability from cvelistv5 – Published: 2026-02-18 14:53 – Updated: 2026-02-23 03:16

Title

erofs: fix UAF issue for file-backed mounts w/ directio option

Summary

In the Linux kernel, the following vulnerability has been resolved: erofs: fix UAF issue for file-backed mounts w/ directio option [ 9.269940][ T3222] Call trace: [ 9.269948][ T3222] ext4_file_read_iter+0xac/0x108 [ 9.269979][ T3222] vfs_iocb_iter_read+0xac/0x198 [ 9.269993][ T3222] erofs_fileio_rq_submit+0x12c/0x180 [ 9.270008][ T3222] erofs_fileio_submit_bio+0x14/0x24 [ 9.270030][ T3222] z_erofs_runqueue+0x834/0x8ac [ 9.270054][ T3222] z_erofs_read_folio+0x120/0x220 [ 9.270083][ T3222] filemap_read_folio+0x60/0x120 [ 9.270102][ T3222] filemap_fault+0xcac/0x1060 [ 9.270119][ T3222] do_pte_missing+0x2d8/0x1554 [ 9.270131][ T3222] handle_mm_fault+0x5ec/0x70c [ 9.270142][ T3222] do_page_fault+0x178/0x88c [ 9.270167][ T3222] do_translation_fault+0x38/0x54 [ 9.270183][ T3222] do_mem_abort+0x54/0xac [ 9.270208][ T3222] el0_da+0x44/0x7c [ 9.270227][ T3222] el0t_64_sync_handler+0x5c/0xf4 [ 9.270253][ T3222] el0t_64_sync+0x1bc/0x1c0 EROFS may encounter above panic when enabling file-backed mount w/ directio mount option, the root cause is it may suffer UAF in below race condition: - z_erofs_read_folio wq s_dio_done_wq - z_erofs_runqueue - erofs_fileio_submit_bio - erofs_fileio_rq_submit - vfs_iocb_iter_read - ext4_file_read_iter - ext4_dio_read_iter - iomap_dio_rw : bio was submitted and return -EIOCBQUEUED - dio_aio_complete_work - dio_complete - dio->iocb->ki_complete (erofs_fileio_ki_complete()) - kfree(rq) : it frees iocb, iocb.ki_filp can be UAF in file_accessed(). - file_accessed : access NULL file point Introduce a reference count in struct erofs_fileio_rq, and initialize it as two, both erofs_fileio_ki_complete() and erofs_fileio_rq_submit() will decrease reference count, the last one decreasing the reference count to zero will free rq.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/ae385826840a3c8e0…
	https://git.kernel.org/stable/c/d741534302f71c511…
	https://git.kernel.org/stable/c/b2ee5e4d5446babd2…
	https://git.kernel.org/stable/c/1caf50ce4af096d02…

Impacted products

Vendor

Product

Version

Linux

Affected: fb176750266a3d7f42ebdcf28e8ba40350b27847 , < ae385826840a3c8e09bf38cac90adcd690716f57 (git)
Affected: fb176750266a3d7f42ebdcf28e8ba40350b27847 , < d741534302f71c511eb0bb670b92eaa7df4a0aec (git)
Affected: fb176750266a3d7f42ebdcf28e8ba40350b27847 , < b2ee5e4d5446babd23ff7beb4e636be0fb3ea5aa (git)
Affected: fb176750266a3d7f42ebdcf28e8ba40350b27847 , < 1caf50ce4af096d0280d59a31abdd85703cd995c (git)

Linux

Affected: 6.12
Unaffected: 0 , < 6.12 (semver)
Unaffected: 6.12.72 , ≤ 6.12.* (semver)
Unaffected: 6.18.11 , ≤ 6.18.* (semver)
Unaffected: 6.19.1 , ≤ 6.19.* (semver)
Unaffected: 7.0-rc1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/erofs/fileio.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ae385826840a3c8e09bf38cac90adcd690716f57",
              "status": "affected",
              "version": "fb176750266a3d7f42ebdcf28e8ba40350b27847",
              "versionType": "git"
            },
            {
              "lessThan": "d741534302f71c511eb0bb670b92eaa7df4a0aec",
              "status": "affected",
              "version": "fb176750266a3d7f42ebdcf28e8ba40350b27847",
              "versionType": "git"
            },
            {
              "lessThan": "b2ee5e4d5446babd23ff7beb4e636be0fb3ea5aa",
              "status": "affected",
              "version": "fb176750266a3d7f42ebdcf28e8ba40350b27847",
              "versionType": "git"
            },
            {
              "lessThan": "1caf50ce4af096d0280d59a31abdd85703cd995c",
              "status": "affected",
              "version": "fb176750266a3d7f42ebdcf28e8ba40350b27847",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/erofs/fileio.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.12"
            },
            {
              "lessThan": "6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.72",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.72",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.11",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.1",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0-rc1",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix UAF issue for file-backed mounts w/ directio option\n\n[    9.269940][ T3222] Call trace:\n[    9.269948][ T3222]  ext4_file_read_iter+0xac/0x108\n[    9.269979][ T3222]  vfs_iocb_iter_read+0xac/0x198\n[    9.269993][ T3222]  erofs_fileio_rq_submit+0x12c/0x180\n[    9.270008][ T3222]  erofs_fileio_submit_bio+0x14/0x24\n[    9.270030][ T3222]  z_erofs_runqueue+0x834/0x8ac\n[    9.270054][ T3222]  z_erofs_read_folio+0x120/0x220\n[    9.270083][ T3222]  filemap_read_folio+0x60/0x120\n[    9.270102][ T3222]  filemap_fault+0xcac/0x1060\n[    9.270119][ T3222]  do_pte_missing+0x2d8/0x1554\n[    9.270131][ T3222]  handle_mm_fault+0x5ec/0x70c\n[    9.270142][ T3222]  do_page_fault+0x178/0x88c\n[    9.270167][ T3222]  do_translation_fault+0x38/0x54\n[    9.270183][ T3222]  do_mem_abort+0x54/0xac\n[    9.270208][ T3222]  el0_da+0x44/0x7c\n[    9.270227][ T3222]  el0t_64_sync_handler+0x5c/0xf4\n[    9.270253][ T3222]  el0t_64_sync+0x1bc/0x1c0\n\nEROFS may encounter above panic when enabling file-backed mount w/\ndirectio mount option, the root cause is it may suffer UAF in below\nrace condition:\n\n- z_erofs_read_folio                          wq s_dio_done_wq\n - z_erofs_runqueue\n  - erofs_fileio_submit_bio\n   - erofs_fileio_rq_submit\n    - vfs_iocb_iter_read\n     - ext4_file_read_iter\n      - ext4_dio_read_iter\n       - iomap_dio_rw\n       : bio was submitted and return -EIOCBQUEUED\n                                              - dio_aio_complete_work\n                                               - dio_complete\n                                                - dio-\u003eiocb-\u003eki_complete (erofs_fileio_ki_complete())\n                                                 - kfree(rq)\n                                                 : it frees iocb, iocb.ki_filp can be UAF in file_accessed().\n       - file_accessed\n       : access NULL file point\n\nIntroduce a reference count in struct erofs_fileio_rq, and initialize it\nas two, both erofs_fileio_ki_complete() and erofs_fileio_rq_submit() will\ndecrease reference count, the last one decreasing the reference count\nto zero will free rq."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-23T03:16:31.463Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ae385826840a3c8e09bf38cac90adcd690716f57"
        },
        {
          "url": "https://git.kernel.org/stable/c/d741534302f71c511eb0bb670b92eaa7df4a0aec"
        },
        {
          "url": "https://git.kernel.org/stable/c/b2ee5e4d5446babd23ff7beb4e636be0fb3ea5aa"
        },
        {
          "url": "https://git.kernel.org/stable/c/1caf50ce4af096d0280d59a31abdd85703cd995c"
        }
      ],
      "title": "erofs: fix UAF issue for file-backed mounts w/ directio option",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23224",
    "datePublished": "2026-02-18T14:53:27.462Z",
    "dateReserved": "2026-01-13T15:37:45.987Z",
    "dateUpdated": "2026-02-23T03:16:31.463Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-23224\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-02-18T16:22:32.143\",\"lastModified\":\"2026-02-23T04:16:00.923\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nerofs: fix UAF issue for file-backed mounts w/ directio option\\n\\n[    9.269940][ T3222] Call trace:\\n[    9.269948][ T3222]  ext4_file_read_iter+0xac/0x108\\n[    9.269979][ T3222]  vfs_iocb_iter_read+0xac/0x198\\n[    9.269993][ T3222]  erofs_fileio_rq_submit+0x12c/0x180\\n[    9.270008][ T3222]  erofs_fileio_submit_bio+0x14/0x24\\n[    9.270030][ T3222]  z_erofs_runqueue+0x834/0x8ac\\n[    9.270054][ T3222]  z_erofs_read_folio+0x120/0x220\\n[    9.270083][ T3222]  filemap_read_folio+0x60/0x120\\n[    9.270102][ T3222]  filemap_fault+0xcac/0x1060\\n[    9.270119][ T3222]  do_pte_missing+0x2d8/0x1554\\n[    9.270131][ T3222]  handle_mm_fault+0x5ec/0x70c\\n[    9.270142][ T3222]  do_page_fault+0x178/0x88c\\n[    9.270167][ T3222]  do_translation_fault+0x38/0x54\\n[    9.270183][ T3222]  do_mem_abort+0x54/0xac\\n[    9.270208][ T3222]  el0_da+0x44/0x7c\\n[    9.270227][ T3222]  el0t_64_sync_handler+0x5c/0xf4\\n[    9.270253][ T3222]  el0t_64_sync+0x1bc/0x1c0\\n\\nEROFS may encounter above panic when enabling file-backed mount w/\\ndirectio mount option, the root cause is it may suffer UAF in below\\nrace condition:\\n\\n- z_erofs_read_folio                          wq s_dio_done_wq\\n - z_erofs_runqueue\\n  - erofs_fileio_submit_bio\\n   - erofs_fileio_rq_submit\\n    - vfs_iocb_iter_read\\n     - ext4_file_read_iter\\n      - ext4_dio_read_iter\\n       - iomap_dio_rw\\n       : bio was submitted and return -EIOCBQUEUED\\n                                              - dio_aio_complete_work\\n                                               - dio_complete\\n                                                - dio-\u003eiocb-\u003eki_complete (erofs_fileio_ki_complete())\\n                                                 - kfree(rq)\\n                                                 : it frees iocb, iocb.ki_filp can be UAF in file_accessed().\\n       - file_accessed\\n       : access NULL file point\\n\\nIntroduce a reference count in struct erofs_fileio_rq, and initialize it\\nas two, both erofs_fileio_ki_complete() and erofs_fileio_rq_submit() will\\ndecrease reference count, the last one decreasing the reference count\\nto zero will free rq.\"},{\"lang\":\"es\",\"value\":\"Se ha resuelto la siguiente vulnerabilidad en el kernel de Linux:\\n\\nerofs: soluciona un problema de UAF para montajes respaldados por archivos con la opci\u00f3n \u0027directio\u0027\\n\\n[    9.269940][ T3222] Rastreo de llamadas:\\n[    9.269948][ T3222]  ext4_file_read_iter+0xac/0x108\\n[    9.269979][ T3222]  vfs_iocb_iter_read+0xac/0x198\\n[    9.269993][ T3222]  erofs_fileio_rq_submit+0x12c/0x180\\n[    9.270008][ T3222]  erofs_fileio_submit_bio+0x14/0x24\\n[    9.270030][ T3222]  z_erofs_runqueue+0x834/0x8ac\\n[    9.270054][ T3222]  z_erofs_read_folio+0x120/0x220\\n[    9.270083][ T3222]  filemap_read_folio+0x60/0x120\\n[    9.270102][ T3222]  filemap_fault+0xcac/0x1060\\n[    9.270119][ T3222]  do_pte_missing+0x2d8/0x1554\\n[    9.270131][ T3222]  handle_mm_fault+0x5ec/0x70c\\n[    9.270142][ T3222]  do_page_fault+0x178/0x88c\\n[    9.270167][ T3222]  do_translation_fault+0x38/0x54\\n[    9.270183][ T3222]  do_mem_abort+0x54/0xac\\n[    9.270208][ T3222]  el0_da+0x44/0x7c\\n[    9.270227][ T3222]  el0t_64_sync_handler+0x5c/0xf4\\n[    9.270253][ T3222]  el0t_64_sync+0x1bc/0x1c0\\n\\nEROFS puede encontrar el p\u00e1nico anterior al habilitar el montaje respaldado por archivos con la opci\u00f3n de montaje directio; la causa ra\u00edz es que puede sufrir UAF en la siguiente condici\u00f3n de carrera:\\n\\n- z_erofs_read_folio                          wq s_dio_done_wq\\n - z_erofs_runqueue\\n  - erofs_fileio_submit_bio\\n   - erofs_fileio_rq_submit\\n    - vfs_iocb_iter_read\\n     - ext4_file_read_iter\\n      - ext4_dio_read_iter\\n       - iomap_dio_rw\\n       : bio fue enviado y devuelve -EIOCBQUEUED\\n                                              - dio_aio_complete_work\\n                                               - dio_complete\\n                                                - dio-\u0026gt;iocb-\u0026gt;ki_complete (erofs_fileio_ki_complete())\\n                                                 - kfree(rq)\\n                                                 : libera iocb, iocb.ki_filp puede ser UAF en file_accessed().\\n       - file_accessed\\n       : accede a un puntero de archivo NULL\\n\\nIntroducir un contador de referencias en la estructura erofs_fileio_rq, y lo inicializa a dos; tanto erofs_fileio_ki_complete() como erofs_fileio_rq_submit() disminuir\u00e1n el contador de referencias, el \u00faltimo en disminuir el contador de referencias a cero liberar\u00e1 rq.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1caf50ce4af096d0280d59a31abdd85703cd995c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ae385826840a3c8e09bf38cac90adcd690716f57\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b2ee5e4d5446babd23ff7beb4e636be0fb3ea5aa\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d741534302f71c511eb0bb670b92eaa7df4a0aec\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}

FKIE_CVE-2026-23224

Vulnerability from fkie_nvd - Published: 2026-02-18 16:22 - Updated: 2026-02-23 04:16

Severity ?

Summary

References

	URL	Tags
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/1caf50ce4af096d0280d59a31abdd85703cd995c
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/ae385826840a3c8e09bf38cac90adcd690716f57
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/b2ee5e4d5446babd23ff7beb4e636be0fb3ea5aa
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/d741534302f71c511eb0bb670b92eaa7df4a0aec

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix UAF issue for file-backed mounts w/ directio option\n\n[    9.269940][ T3222] Call trace:\n[    9.269948][ T3222]  ext4_file_read_iter+0xac/0x108\n[    9.269979][ T3222]  vfs_iocb_iter_read+0xac/0x198\n[    9.269993][ T3222]  erofs_fileio_rq_submit+0x12c/0x180\n[    9.270008][ T3222]  erofs_fileio_submit_bio+0x14/0x24\n[    9.270030][ T3222]  z_erofs_runqueue+0x834/0x8ac\n[    9.270054][ T3222]  z_erofs_read_folio+0x120/0x220\n[    9.270083][ T3222]  filemap_read_folio+0x60/0x120\n[    9.270102][ T3222]  filemap_fault+0xcac/0x1060\n[    9.270119][ T3222]  do_pte_missing+0x2d8/0x1554\n[    9.270131][ T3222]  handle_mm_fault+0x5ec/0x70c\n[    9.270142][ T3222]  do_page_fault+0x178/0x88c\n[    9.270167][ T3222]  do_translation_fault+0x38/0x54\n[    9.270183][ T3222]  do_mem_abort+0x54/0xac\n[    9.270208][ T3222]  el0_da+0x44/0x7c\n[    9.270227][ T3222]  el0t_64_sync_handler+0x5c/0xf4\n[    9.270253][ T3222]  el0t_64_sync+0x1bc/0x1c0\n\nEROFS may encounter above panic when enabling file-backed mount w/\ndirectio mount option, the root cause is it may suffer UAF in below\nrace condition:\n\n- z_erofs_read_folio                          wq s_dio_done_wq\n - z_erofs_runqueue\n  - erofs_fileio_submit_bio\n   - erofs_fileio_rq_submit\n    - vfs_iocb_iter_read\n     - ext4_file_read_iter\n      - ext4_dio_read_iter\n       - iomap_dio_rw\n       : bio was submitted and return -EIOCBQUEUED\n                                              - dio_aio_complete_work\n                                               - dio_complete\n                                                - dio-\u003eiocb-\u003eki_complete (erofs_fileio_ki_complete())\n                                                 - kfree(rq)\n                                                 : it frees iocb, iocb.ki_filp can be UAF in file_accessed().\n       - file_accessed\n       : access NULL file point\n\nIntroduce a reference count in struct erofs_fileio_rq, and initialize it\nas two, both erofs_fileio_ki_complete() and erofs_fileio_rq_submit() will\ndecrease reference count, the last one decreasing the reference count\nto zero will free rq."
    },
    {
      "lang": "es",
      "value": "Se ha resuelto la siguiente vulnerabilidad en el kernel de Linux:\n\nerofs: soluciona un problema de UAF para montajes respaldados por archivos con la opci\u00f3n \u0027directio\u0027\n\n[    9.269940][ T3222] Rastreo de llamadas:\n[    9.269948][ T3222]  ext4_file_read_iter+0xac/0x108\n[    9.269979][ T3222]  vfs_iocb_iter_read+0xac/0x198\n[    9.269993][ T3222]  erofs_fileio_rq_submit+0x12c/0x180\n[    9.270008][ T3222]  erofs_fileio_submit_bio+0x14/0x24\n[    9.270030][ T3222]  z_erofs_runqueue+0x834/0x8ac\n[    9.270054][ T3222]  z_erofs_read_folio+0x120/0x220\n[    9.270083][ T3222]  filemap_read_folio+0x60/0x120\n[    9.270102][ T3222]  filemap_fault+0xcac/0x1060\n[    9.270119][ T3222]  do_pte_missing+0x2d8/0x1554\n[    9.270131][ T3222]  handle_mm_fault+0x5ec/0x70c\n[    9.270142][ T3222]  do_page_fault+0x178/0x88c\n[    9.270167][ T3222]  do_translation_fault+0x38/0x54\n[    9.270183][ T3222]  do_mem_abort+0x54/0xac\n[    9.270208][ T3222]  el0_da+0x44/0x7c\n[    9.270227][ T3222]  el0t_64_sync_handler+0x5c/0xf4\n[    9.270253][ T3222]  el0t_64_sync+0x1bc/0x1c0\n\nEROFS puede encontrar el p\u00e1nico anterior al habilitar el montaje respaldado por archivos con la opci\u00f3n de montaje directio; la causa ra\u00edz es que puede sufrir UAF en la siguiente condici\u00f3n de carrera:\n\n- z_erofs_read_folio                          wq s_dio_done_wq\n - z_erofs_runqueue\n  - erofs_fileio_submit_bio\n   - erofs_fileio_rq_submit\n    - vfs_iocb_iter_read\n     - ext4_file_read_iter\n      - ext4_dio_read_iter\n       - iomap_dio_rw\n       : bio fue enviado y devuelve -EIOCBQUEUED\n                                              - dio_aio_complete_work\n                                               - dio_complete\n                                                - dio-\u0026gt;iocb-\u0026gt;ki_complete (erofs_fileio_ki_complete())\n                                                 - kfree(rq)\n                                                 : libera iocb, iocb.ki_filp puede ser UAF en file_accessed().\n       - file_accessed\n       : accede a un puntero de archivo NULL\n\nIntroducir un contador de referencias en la estructura erofs_fileio_rq, y lo inicializa a dos; tanto erofs_fileio_ki_complete() como erofs_fileio_rq_submit() disminuir\u00e1n el contador de referencias, el \u00faltimo en disminuir el contador de referencias a cero liberar\u00e1 rq."
    }
  ],
  "id": "CVE-2026-23224",
  "lastModified": "2026-02-23T04:16:00.923",
  "metrics": {},
  "published": "2026-02-18T16:22:32.143",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/1caf50ce4af096d0280d59a31abdd85703cd995c"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/ae385826840a3c8e09bf38cac90adcd690716f57"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/b2ee5e4d5446babd23ff7beb4e636be0fb3ea5aa"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/d741534302f71c511eb0bb670b92eaa7df4a0aec"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}

CERTFR-2026-AVI-0192

Vulnerability from certfr_avis - Published: 2026-02-20 - Updated: 2026-02-20

De multiples vulnérabilités ont été découvertes dans le noyau Linux de Debian. Certaines d'entre elles permettent à un attaquant de provoquer une élévation de privilèges, une atteinte à la confidentialité des données et une atteinte à l'intégrité des données.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

	Vendor	Product	Description
	Debian	Debian	Debian trixie versions antérieures à 6.12.73-1

References

Title

Publication Time

Tags

Bulletin de sécurité Debian DSA-6141-1

2026-02-18

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Debian trixie versions ant\u00e9rieures \u00e0 6.12.73-1",
      "product": {
        "name": "Debian",
        "vendor": {
          "name": "Debian",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2026-23198",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-23198"
    },
    {
      "name": "CVE-2026-23202",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-23202"
    },
    {
      "name": "CVE-2026-23219",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-23219"
    },
    {
      "name": "CVE-2026-23199",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-23199"
    },
    {
      "name": "CVE-2026-23220",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-23220"
    },
    {
      "name": "CVE-2025-71223",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-71223"
    },
    {
      "name": "CVE-2026-23187",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-23187"
    },
    {
      "name": "CVE-2026-23179",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-23179"
    },
    {
      "name": "CVE-2026-23222",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-23222"
    },
    {
      "name": "CVE-2026-23229",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-23229"
    },
    {
      "name": "CVE-2026-23209",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-23209"
    },
    {
      "name": "CVE-2025-40082",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-40082"
    },
    {
      "name": "CVE-2025-71235",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-71235"
    },
    {
      "name": "CVE-2026-23204",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-23204"
    },
    {
      "name": "CVE-2026-23230",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-23230"
    },
    {
      "name": "CVE-2026-23214",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-23214"
    },
    {
      "name": "CVE-2026-23178",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-23178"
    },
    {
      "name": "CVE-2026-23228",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-23228"
    },
    {
      "name": "CVE-2026-23223",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-23223"
    },
    {
      "name": "CVE-2026-23191",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-23191"
    },
    {
      "name": "CVE-2026-23169",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-23169"
    },
    {
      "name": "CVE-2026-23177",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-23177"
    },
    {
      "name": "CVE-2025-71220",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-71220"
    },
    {
      "name": "CVE-2026-23201",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-23201"
    },
    {
      "name": "CVE-2026-23180",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-23180"
    },
    {
      "name": "CVE-2026-23200",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-23200"
    },
    {
      "name": "CVE-2026-23216",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-23216"
    },
    {
      "name": "CVE-2025-71225",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-71225"
    },
    {
      "name": "CVE-2026-23176",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-23176"
    },
    {
      "name": "CVE-2025-71203",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-71203"
    },
    {
      "name": "CVE-2026-23188",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-23188"
    },
    {
      "name": "CVE-2025-71228",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-71228"
    },
    {
      "name": "CVE-2025-71224",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-71224"
    },
    {
      "name": "CVE-2026-23193",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-23193"
    },
    {
      "name": "CVE-2025-71237",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-71237"
    },
    {
      "name": "CVE-2026-23215",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-23215"
    },
    {
      "name": "CVE-2026-23205",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-23205"
    },
    {
      "name": "CVE-2025-71222",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-71222"
    },
    {
      "name": "CVE-2025-71229",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-71229"
    },
    {
      "name": "CVE-2026-23213",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-23213"
    },
    {
      "name": "CVE-2025-71236",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-71236"
    },
    {
      "name": "CVE-2025-71234",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-71234"
    },
    {
      "name": "CVE-2025-71232",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-71232"
    },
    {
      "name": "CVE-2025-71204",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-71204"
    },
    {
      "name": "CVE-2026-23182",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-23182"
    },
    {
      "name": "CVE-2026-23206",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-23206"
    },
    {
      "name": "CVE-2025-68823",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-68823"
    },
    {
      "name": "CVE-2026-23112",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-23112"
    },
    {
      "name": "CVE-2026-23190",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-23190"
    },
    {
      "name": "CVE-2025-71233",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-71233"
    },
    {
      "name": "CVE-2026-23224",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-23224"
    },
    {
      "name": "CVE-2026-23189",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-23189"
    },
    {
      "name": "CVE-2026-23111",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-23111"
    },
    {
      "name": "CVE-2025-71231",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-71231"
    }
  ],
  "initial_release_date": "2026-02-20T00:00:00",
  "last_revision_date": "2026-02-20T00:00:00",
  "links": [],
  "reference": "CERTFR-2026-AVI-0192",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2026-02-20T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "D\u00e9ni de service"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux de Debian. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux de Debian",
  "vendor_advisories": [
    {
      "published_at": "2026-02-18",
      "title": "Bulletin de s\u00e9curit\u00e9 Debian DSA-6141-1",
      "url": "https://lists.debian.org/debian-security-announce/2026/msg00050.html"
    }
  ]
}

GHSA-8J5G-3Q2R-XFJH

Vulnerability from github – Published: 2026-02-18 18:30 – Updated: 2026-02-23 06:30

Details

In the Linux kernel, the following vulnerability has been resolved:

erofs: fix UAF issue for file-backed mounts w/ directio option

[ 9.269940][ T3222] Call trace: [ 9.269948][ T3222] ext4_file_read_iter+0xac/0x108 [ 9.269979][ T3222] vfs_iocb_iter_read+0xac/0x198 [ 9.269993][ T3222] erofs_fileio_rq_submit+0x12c/0x180 [ 9.270008][ T3222] erofs_fileio_submit_bio+0x14/0x24 [ 9.270030][ T3222] z_erofs_runqueue+0x834/0x8ac [ 9.270054][ T3222] z_erofs_read_folio+0x120/0x220 [ 9.270083][ T3222] filemap_read_folio+0x60/0x120 [ 9.270102][ T3222] filemap_fault+0xcac/0x1060 [ 9.270119][ T3222] do_pte_missing+0x2d8/0x1554 [ 9.270131][ T3222] handle_mm_fault+0x5ec/0x70c [ 9.270142][ T3222] do_page_fault+0x178/0x88c [ 9.270167][ T3222] do_translation_fault+0x38/0x54 [ 9.270183][ T3222] do_mem_abort+0x54/0xac [ 9.270208][ T3222] el0_da+0x44/0x7c [ 9.270227][ T3222] el0t_64_sync_handler+0x5c/0xf4 [ 9.270253][ T3222] el0t_64_sync+0x1bc/0x1c0

EROFS may encounter above panic when enabling file-backed mount w/ directio mount option, the root cause is it may suffer UAF in below race condition:

z_erofs_read_folio wq s_dio_done_wq
z_erofs_runqueue
erofs_fileio_submit_bio
erofs_fileio_rq_submit
- vfs_iocb_iter_read
- ext4_file_read_iter
- ext4_dio_read_iter
- iomap_dio_rw : bio was submitted and return -EIOCBQUEUED - dio_aio_complete_work - dio_complete - dio->iocb->ki_complete (erofs_fileio_ki_complete()) - kfree(rq) : it frees iocb, iocb.ki_filp can be UAF in file_accessed().
- file_accessed : access NULL file point

Introduce a reference count in struct erofs_fileio_rq, and initialize it as two, both erofs_fileio_ki_complete() and erofs_fileio_rq_submit() will decrease reference count, the last one decreasing the reference count to zero will free rq.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2026-23224"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-18T16:22:32Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix UAF issue for file-backed mounts w/ directio option\n\n[    9.269940][ T3222] Call trace:\n[    9.269948][ T3222]  ext4_file_read_iter+0xac/0x108\n[    9.269979][ T3222]  vfs_iocb_iter_read+0xac/0x198\n[    9.269993][ T3222]  erofs_fileio_rq_submit+0x12c/0x180\n[    9.270008][ T3222]  erofs_fileio_submit_bio+0x14/0x24\n[    9.270030][ T3222]  z_erofs_runqueue+0x834/0x8ac\n[    9.270054][ T3222]  z_erofs_read_folio+0x120/0x220\n[    9.270083][ T3222]  filemap_read_folio+0x60/0x120\n[    9.270102][ T3222]  filemap_fault+0xcac/0x1060\n[    9.270119][ T3222]  do_pte_missing+0x2d8/0x1554\n[    9.270131][ T3222]  handle_mm_fault+0x5ec/0x70c\n[    9.270142][ T3222]  do_page_fault+0x178/0x88c\n[    9.270167][ T3222]  do_translation_fault+0x38/0x54\n[    9.270183][ T3222]  do_mem_abort+0x54/0xac\n[    9.270208][ T3222]  el0_da+0x44/0x7c\n[    9.270227][ T3222]  el0t_64_sync_handler+0x5c/0xf4\n[    9.270253][ T3222]  el0t_64_sync+0x1bc/0x1c0\n\nEROFS may encounter above panic when enabling file-backed mount w/\ndirectio mount option, the root cause is it may suffer UAF in below\nrace condition:\n\n- z_erofs_read_folio                          wq s_dio_done_wq\n - z_erofs_runqueue\n  - erofs_fileio_submit_bio\n   - erofs_fileio_rq_submit\n    - vfs_iocb_iter_read\n     - ext4_file_read_iter\n      - ext4_dio_read_iter\n       - iomap_dio_rw\n       : bio was submitted and return -EIOCBQUEUED\n                                              - dio_aio_complete_work\n                                               - dio_complete\n                                                - dio-\u003eiocb-\u003eki_complete (erofs_fileio_ki_complete())\n                                                 - kfree(rq)\n                                                 : it frees iocb, iocb.ki_filp can be UAF in file_accessed().\n       - file_accessed\n       : access NULL file point\n\nIntroduce a reference count in struct erofs_fileio_rq, and initialize it\nas two, both erofs_fileio_ki_complete() and erofs_fileio_rq_submit() will\ndecrease reference count, the last one decreasing the reference count\nto zero will free rq.",
  "id": "GHSA-8j5g-3q2r-xfjh",
  "modified": "2026-02-23T06:30:18Z",
  "published": "2026-02-18T18:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23224"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1caf50ce4af096d0280d59a31abdd85703cd995c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ae385826840a3c8e09bf38cac90adcd690716f57"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b2ee5e4d5446babd23ff7beb4e636be0fb3ea5aa"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d741534302f71c511eb0bb670b92eaa7df4a0aec"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-23224 (GCVE-0-2026-23224)

FKIE_CVE-2026-23224

CERTFR-2026-AVI-0192

Solutions

GHSA-8J5G-3Q2R-XFJH

Tags

Sightings

Nomenclature