1. Home
  2. Vulnerabilities
  3. CVE-2026-31580
7.8
HIGH CVSS 3.1
CVE-2026-31580
bcache: fix cached_dev.sb_bio use-after-free and crash
Overview
Description

In the Linux kernel, the following vulnerability has been resolved: bcache: fix cached_dev.sb_bio use-after-free and crash In our production environment, we have received multiple crash reports regarding libceph, which have caught our attention: ``` [6888366.280350] Call Trace: [6888366.280452] blk_update_request+0x14e/0x370 [6888366.280561] blk_mq_end_request+0x1a/0x130 [6888366.280671] rbd_img_handle_request+0x1a0/0x1b0 [rbd] [6888366.280792] rbd_obj_handle_request+0x32/0x40 [rbd] [6888366.280903] __complete_request+0x22/0x70 [libceph] [6888366.281032] osd_dispatch+0x15e/0xb40 [libceph] [6888366.281164] ? inet_recvmsg+0x5b/0xd0 [6888366.281272] ? ceph_tcp_recvmsg+0x6f/0xa0 [libceph] [6888366.281405] ceph_con_process_message+0x79/0x140 [libceph] [6888366.281534] ceph_con_v1_try_read+0x5d7/0xf30 [libceph] [6888366.281661] ceph_con_workfn+0x329/0x680 [libceph] ``` After analyzing the coredump file, we found that the address of dc->sb_bio has been freed. We know that cached_dev is only freed when it is stopped. Since sb_bio is a part of struct cached_dev, rather than an alloc every time. If the device is stopped while writing to the superblock, the released address will be accessed at endio. This patch hopes to wait for sb_write to complete in cached_dev_free. It should be noted that we analyzed the cause of the problem, then tell all details to the QWEN and adopted the modifications it made.

Details
INFO

Published Date :

April 24, 2026, 3:16 p.m.

Last Modified :

June 1, 2026, 5:16 p.m.

Remotely Exploit :

No

Source :

416baaa9-dc9f-4396-8d5f-8c081fb06d67
Impact
Affected Products

The following products are affected by CVE-2026-31580 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Linux linux_kernel
: Total Affected Vendor : 1 | Products : 1
Scoring
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 3.1 HIGH [email protected]
Solution
Address a use-after-free vulnerability in Linux kernel's bcache component by ensuring superblock write completion.
  • Apply the Linux kernel patch for bcache use-after-free.
  • Ensure all systems are updated with the fix.
  • Monitor for stability after applying updates.
References
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2026-31580.

URL Resource
https://git.kernel.org/stable/c/2d6965581e164fa2ba3f7652ddae5535f6336576 Patch
https://git.kernel.org/stable/c/383f7fec0de8cee1cf7ae1f9d9f14044a61f10f9 Patch
https://git.kernel.org/stable/c/47fa09fe7f3e09df28a51cb2cbd8f5d2f7f6edc1 Patch
https://git.kernel.org/stable/c/4f71c8ba2dc009042493021d94a9718fbe2ebf27 Patch
https://git.kernel.org/stable/c/81f44ed8c3f54abb7561ece774ea4cca5070b2f2
https://git.kernel.org/stable/c/9467d360be70e6ee55b0c1cd2a1f1424f57b5b85
https://git.kernel.org/stable/c/add4982510f3b7c318a2dd7438bdc9c63171e753 Patch
https://git.kernel.org/stable/c/f50e7c325ab1207fe941555bcff659f6d7050572
https://git.kernel.org/stable/c/fec114a98b8735ee89c75216c45a78e28be0f128 Patch
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2026-31580 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2026-31580 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2026-31580 vulnerability anywhere in the article.

Results are limited to the first 20 news articles due to potential performance issues.

The following table lists the changes that have been made to the CVE-2026-31580 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Jun. 01, 2026

    Action Type Old Value New Value
    Added Reference https://git.kernel.org/stable/c/81f44ed8c3f54abb7561ece774ea4cca5070b2f2
    Added Reference https://git.kernel.org/stable/c/9467d360be70e6ee55b0c1cd2a1f1424f57b5b85
    Added Reference https://git.kernel.org/stable/c/f50e7c325ab1207fe941555bcff659f6d7050572
  • Initial Analysis by [email protected]

    Apr. 27, 2026

    Action Type Old Value New Value
    Added CVSS V3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    Added CWE CWE-416
    Added CPE Configuration OR *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.13 up to (excluding) 6.18.24 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.19 up to (excluding) 6.19.14 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 7.0 up to (excluding) 7.0.1 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions up to (excluding) 6.6.136 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.12 up to (excluding) 6.12.83
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/2d6965581e164fa2ba3f7652ddae5535f6336576 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/383f7fec0de8cee1cf7ae1f9d9f14044a61f10f9 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/47fa09fe7f3e09df28a51cb2cbd8f5d2f7f6edc1 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/4f71c8ba2dc009042493021d94a9718fbe2ebf27 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/add4982510f3b7c318a2dd7438bdc9c63171e753 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/fec114a98b8735ee89c75216c45a78e28be0f128 Types: Patch
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Apr. 27, 2026

    Action Type Old Value New Value
    Added Reference https://git.kernel.org/stable/c/47fa09fe7f3e09df28a51cb2cbd8f5d2f7f6edc1
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Apr. 27, 2026

    Action Type Old Value New Value
    Added Reference https://git.kernel.org/stable/c/fec114a98b8735ee89c75216c45a78e28be0f128
  • New CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Apr. 24, 2026

    Action Type Old Value New Value
    Added Description In the Linux kernel, the following vulnerability has been resolved: bcache: fix cached_dev.sb_bio use-after-free and crash In our production environment, we have received multiple crash reports regarding libceph, which have caught our attention: ``` [6888366.280350] Call Trace: [6888366.280452] blk_update_request+0x14e/0x370 [6888366.280561] blk_mq_end_request+0x1a/0x130 [6888366.280671] rbd_img_handle_request+0x1a0/0x1b0 [rbd] [6888366.280792] rbd_obj_handle_request+0x32/0x40 [rbd] [6888366.280903] __complete_request+0x22/0x70 [libceph] [6888366.281032] osd_dispatch+0x15e/0xb40 [libceph] [6888366.281164] ? inet_recvmsg+0x5b/0xd0 [6888366.281272] ? ceph_tcp_recvmsg+0x6f/0xa0 [libceph] [6888366.281405] ceph_con_process_message+0x79/0x140 [libceph] [6888366.281534] ceph_con_v1_try_read+0x5d7/0xf30 [libceph] [6888366.281661] ceph_con_workfn+0x329/0x680 [libceph] ``` After analyzing the coredump file, we found that the address of dc->sb_bio has been freed. We know that cached_dev is only freed when it is stopped. Since sb_bio is a part of struct cached_dev, rather than an alloc every time. If the device is stopped while writing to the superblock, the released address will be accessed at endio. This patch hopes to wait for sb_write to complete in cached_dev_free. It should be noted that we analyzed the cause of the problem, then tell all details to the QWEN and adopted the modifications it made.
    Added Reference https://git.kernel.org/stable/c/2d6965581e164fa2ba3f7652ddae5535f6336576
    Added Reference https://git.kernel.org/stable/c/383f7fec0de8cee1cf7ae1f9d9f14044a61f10f9
    Added Reference https://git.kernel.org/stable/c/4f71c8ba2dc009042493021d94a9718fbe2ebf27
    Added Reference https://git.kernel.org/stable/c/add4982510f3b7c318a2dd7438bdc9c63171e753
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CVSS
Vulnerability Scoring Details
Base CVSS Score: 7.8
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact