Mallory
Severity: High

Use-after-free in Linux kernel blk-cgroup cgwb_release_workfn()

Identifiers: CVE-2026-31586, CWE-416 (Use After Free)

CVE-2026-31586 is a memory-safety flaw in the Linux kernel's cgroup-writeback teardown path (the mm side of blk-cgroup writeback), specifically in the work function cgwb_release_workfn(). The function calls css_put(wb->blkcg_css) and then hands the same wb->blkcg_css pointer to blkcg_unpin_online(), which dereferences it. If that css_put() drops the last reference, the blkcg cgroup_subsys_state is freed asynchronously via css_free_rwork_fn() -> blkcg_css_free() -> kfree(); when the free wins the race against the later dereference, the result is a slab use-after-free in blkcg_unpin_online(). The bug was observed on multiple kernel versions and a public reproducer was reported. The upstream fix reorders the two calls so that blkcg_unpin_online() runs before css_put(), so the reference the writeback structure holds keeps the object alive for as long as it is accessed.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Triggering the flaw yields a use-after-free of a freed blkcg css object in kernel context (the release work function). The demonstrated impact is kernel memory corruption and a kernel crash, i.e. local denial of service. Because the stale pointer is dereferenced in kernel context, and a freed slab slot may already have been reallocated to another object by the time it is touched, the bug is a plausible primitive for privilege escalation or broader compromise of confidentiality, integrity, and availability. The available material, however, shows only the crash/UAF condition; no working exploit is demonstrated.

Mitigation

If you can’t patch tonight, do this now.

No workaround short of running a fixed kernel is given in the available material. As interim risk reduction: prioritize patching systems running vulnerable kernels, especially where blk-cgroup writeback is in use (cgroup-managed workloads, container hosts); restrict local access to trusted users, since the trigger is local; and monitor kernel logs for faults referencing cgwb_release_workfn() or blkcg_unpin_online(). Note that KASAN "use-after-free" reports only appear on kernels built with KASAN, which production kernels normally are not; on those, the symptom is an oops, general protection fault, or BUG in blkcg_unpin_online() or the release workqueue, or silent corruption with no log line at all.

Remediation

Patch, then assume compromise.

Upgrade to a Linux kernel release that includes the upstream fix for CVE-2026-31586. The corrective change moves the blkcg_unpin_online() call ahead of css_put() in cgwb_release_workfn(), so the blkcg object is still referenced while it is accessed. Vendor kernel updates from SUSE and stable-kernel backports are referenced in the available material; deploy the patched kernel package for the affected distribution, reboot into the updated kernel, and confirm the running version (uname -r) matches the fixed package before closing the finding.
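The ordering bug described in the summary and the reordering fix described here, reduced to a userspace C model. This is an added illustration, not kernel code and not the upstream patch: the struct layouts, the poison value, the stale_access flag and the run_scenario() helper are assumptions of the model, kfree() is replaced by poisoning the object so that the stale access is detectable rather than undefined behaviour, and the asynchronous css_free_rwork_fn() path is collapsed into an immediate free, i.e. the race is always lost.

```c
#include <stdio.h>

/* Constructed userspace model of the object lifetime around
 * cgwb_release_workfn(). Function names mirror the kernel's, but the
 * types, poison values and helpers are assumptions of this example. */

#define CSS_ALIVE 0x5ca1ab1eu
#define CSS_FREED 0xdeadbeefu   /* stand-in for "slab object was kfree()d" */

struct blkcg_css {
    int refcnt;          /* models the css reference count */
    int online_pin;      /* models blkcg->online_pin */
    unsigned int state;  /* poison word checked on every access */
};

struct bdi_writeback {
    struct blkcg_css *blkcg_css;  /* reference the wb holds on the css */
};

static int stale_access;  /* set when a freed object is dereferenced */

/* css_free_rwork_fn() -> blkcg_css_free() -> kfree(), collapsed into one
 * synchronous step: the worst-case timing of the real race. */
static void css_free(struct blkcg_css *css)
{
    css->state = CSS_FREED;
}

/* Drop one reference; the last one frees the object. */
static void css_put(struct blkcg_css *css)
{
    if (--css->refcnt == 0)
        css_free(css);
}

/* Models blkcg_unpin_online(): it must read the css it was handed.
 * On a real kernel the check below does not exist; the read is the UAF. */
static void blkcg_unpin_online(struct blkcg_css *css)
{
    if (css->state != CSS_ALIVE) {
        stale_access = 1;
        return;
    }
    css->online_pin--;
}

/* Vulnerable order: drop the reference first, then use the object. */
static void cgwb_release_workfn_vulnerable(struct bdi_writeback *wb)
{
    css_put(wb->blkcg_css);
    blkcg_unpin_online(wb->blkcg_css);
}

/* Fixed order (the upstream reordering): use while the reference is held. */
static void cgwb_release_workfn_fixed(struct bdi_writeback *wb)
{
    blkcg_unpin_online(wb->blkcg_css);
    css_put(wb->blkcg_css);
}

/* Run one teardown. other_refs is how many references besides the wb's
 * are still outstanding; 0 means the wb holds the last one, which is the
 * window in which the bug fires. Returns 1 if a freed object was used. */
int run_scenario(int fixed, int other_refs)
{
    struct blkcg_css css = { .refcnt = 1 + other_refs, .online_pin = 1,
                             .state = CSS_ALIVE };
    struct bdi_writeback wb = { .blkcg_css = &css };

    stale_access = 0;
    if (fixed)
        cgwb_release_workfn_fixed(&wb);
    else
        cgwb_release_workfn_vulnerable(&wb);
    return stale_access;
}

int main(void)
{
    printf("vulnerable, wb holds last ref : %s\n",
           run_scenario(0, 0) ? "use-after-free" : "ok");
    printf("fixed,      wb holds last ref : %s\n",
           run_scenario(1, 0) ? "use-after-free" : "ok");
    printf("vulnerable, other ref remains : %s\n",
           run_scenario(0, 1) ? "use-after-free" : "ok");
    return 0;
}
```

The third scenario is the reason the bug presents as a race rather than a deterministic crash: as long as some other holder still has a reference when the work function runs, the vulnerable order is harmless, and only the teardown in which the writeback structure holds the last reference touches freed memory. On a real kernel the freed slot may already be reused, so the visible symptom ranges from nothing, through silent corruption of whatever now lives there, to an oops in blkcg_unpin_online().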
PUBLIC EXPLOITS

Exploits

No public exploit code observed for this vulnerability; 0 exploits tracked so far. The public reproducer referenced above demonstrates the crash/UAF condition and is not a weaponized exploit, so "no exploit tracked" means no known privilege-escalation chain, not that the bug cannot be triggered.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor   Product        Type
Linux    Linux Kernel   operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
