Bug 2432379 (CVE-2026-22995) - CVE-2026-22995 kernel: ublk: fix use-after-free in ublk_partition_scan_work
Summary: CVE-2026-22995 kernel: ublk: fix use-after-free in ublk_partition_scan_work
Keywords:
Status: NEW
Alias: CVE-2026-22995
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-01-23 16:01 UTC by OSIDB Bzimport
Modified: 2026-01-23 20:25 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-01-23 16:01:48 UTC 
In the Linux kernel, the following vulnerability has been resolved:

ublk: fix use-after-free in ublk_partition_scan_work

A race condition exists between the async partition scan work and device
teardown that can lead to a use-after-free of ub->ub_disk:

1. ublk_ctrl_start_dev() schedules partition_scan_work after add_disk()
2. ublk_stop_dev() calls ublk_stop_dev_unlocked() which does:
   - del_gendisk(ub->ub_disk)
   - ublk_detach_disk() sets ub->ub_disk = NULL
   - put_disk() which may free the disk
3. The worker ublk_partition_scan_work() then dereferences ub->ub_disk
   leading to UAF

Fix this by using ublk_get_disk()/ublk_put_disk() in the worker to hold
a reference to the disk during the partition scan. The spinlock in
ublk_get_disk() synchronizes with ublk_detach_disk() ensuring the worker
either gets a valid reference or sees NULL and exits early.

Also change flush_work() to cancel_work_sync() to avoid running the
partition scan work unnecessarily when the disk is already detached.
Comment 1 Keith Grant 2026-01-23 20:21:20 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026012352-CVE-2026-22995-7465@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.