Description

In the Linux kernel, the following vulnerability has been resolved: ublk: fix use-after-free in ublk_partition_scan_work A race condition exists between the async partition scan work and device teardown that can lead to a use-after-free of ub->ub_disk: 1. ublk_ctrl_start_dev() schedules partition_scan_work after add_disk() 2. ublk_stop_dev() calls ublk_stop_dev_unlocked() which does: - del_gendisk(ub->ub_disk) - ublk_detach_disk() sets ub->ub_disk = NULL - put_disk() which may free the disk 3. The worker ublk_partition_scan_work() then dereferences ub->ub_disk leading to UAF Fix this by using ublk_get_disk()/ublk_put_disk() in the worker to hold a reference to the disk during the partition scan. The spinlock in ublk_get_disk() synchronizes with ublk_detach_disk() ensuring the worker either gets a valid reference or sees NULL and exits early. Also change flush_work() to cancel_work_sync() to avoid running the partition scan work unnecessarily when the disk is already detached.

INFO

Published Date :

2026-01-23T15:24:15.684Z

Last Modified :

2026-02-09T08:36:46.675Z

Source :

Linux
AFFECTED PRODUCTS

The following products are affected by CVE-2026-22995 vulnerability.

Vendors Products
Linux
  • Linux Kernel
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-22995.

URL Resource
https://git.kernel.org/stable/c/72e28774e9644c2bdbb4920842fbf77103a15a85 cve-icon cve-icon
https://git.kernel.org/stable/c/f0d385f6689f37a2828c686fb279121df006b4cb cve-icon cve-icon
https://lore.kernel.org/linux-cve-announce/2026012352-CVE-2026-22995-7465@gregkh/T cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-22995 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-22995 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact