2492376 – (CVE-2026-53129) CVE-2026-53129 kernel: fs/mbcache: cancel shrink work before destroying the cache

Bug 2492376 (CVE-2026-53129) - CVE-2026-53129 kernel: fs/mbcache: cancel shrink work before destroying the cache

Summary: CVE-2026-53129 kernel: fs/mbcache: cancel shrink work before destroying the c...

Keywords:
Status:	NEW
Alias:	CVE-2026-53129
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-06-24 18:08 UTC by OSIDB Bzimport
Modified:	2026-06-24 18:26 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-06-24 18:08:42 UTC

In the Linux kernel, the following vulnerability has been resolved:

fs/mbcache: cancel shrink work before destroying the cache

mb_cache_destroy() calls shrinker_free() and then frees all cache
entries and the cache itself, but it does not cancel the pending
c_shrink_work work item first.

If mb_cache_entry_create() schedules c_shrink_work via schedule_work()
and the work item is still pending or running when mb_cache_destroy()
runs, mb_cache_shrink_worker() will access the cache after its memory
has been freed, causing a use-after-free.

This is only reachable by a privileged user (root or CAP_SYS_ADMIN)
who can trigger the last put of a mounted ext2/ext4/ocfs2 filesystem.

Cancel the work item with cancel_work_sync() before calling
shrinker_free(), ensuring the worker has finished and will not be
rescheduled before the cache is torn down.

Comment 1 Mauro Matteo Cascella 2026-06-24 18:25:53 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026062418-CVE-2026-53129-781c@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.