CVE-2026-53272 PUBLISHED

erofs: fix use-after-free on sbi->sync_decompress

Assigner: Linux
Reserved: 09.06.2026 Published: 25.06.2026 Updated: 25.06.2026

In the Linux kernel, the following vulnerability has been resolved:

erofs: fix use-after-free on sbi->sync_decompress

z_erofs_decompress_kickoff() can race with filesystem unmount, causing a use-after-free on sbi->sync_decompress.

When I/O completes, z_erofs_endio() calls z_erofs_decompress_kickoff() to queue z_erofs_decompressqueue_work() asynchronously. Then, after all folios are unlocked, the unmount workflow can proceed and sbi will be freed before sbi->sync_decompress is accessed.

Thread (unmount)      I/O completion                 kworker
                      queue_work
                                                     z_erofs_decompressqueue_work
                                                     (all folios are unlocked)
cleanup_mnt
..
erofs_kill_sb
erofs_sb_free
kfree(sbi)
                      access sbi->sync_decompress // UAF!!

Product Status

Vendor Linux
Product Linux
Versions Default: unaffected
  • affected from 40452ffca3c1a0f2994e826f9fa213b107f1a2d4 to 86ab00cf81d44b675bb23db62b88fd76c8ac8cea (excl.)
  • affected from 40452ffca3c1a0f2994e826f9fa213b107f1a2d4 to 00bf6868df65fa95b3854996246d15759fdc7070 (excl.)
  • affected from 40452ffca3c1a0f2994e826f9fa213b107f1a2d4 to 95caf60da33d87ed26c28993620f0d92487b0296 (excl.)
  • affected from 40452ffca3c1a0f2994e826f9fa213b107f1a2d4 to 1aee05e814d292064bf5fa15733741040cdc48ba (excl.)
Vendor Linux
Product Linux
Versions Default: affected
  • Version 5.17 is affected
  • unaffected from 0 to 5.17 (excl.)
  • unaffected from 6.12.94 to 6.12.* (incl.)
  • unaffected from 6.18.36 to 6.18.* (incl.)
  • unaffected from 7.0.13 to 7.0.* (incl.)
  • unaffected from 7.1 to * (incl.)
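
A triage check built from the version ranges listed above, as an added example that is not part of the CVE record: it classifies a `uname -r` style string against those ranges. The function and constant names are hypothetical, and the sample version strings in the comments are constructed.

```python
import re

# Thresholds copied from the Product Status list above:
# stable branch (major, minor) -> first unaffected patch level.
FIXED_IN_BRANCH = {(6, 12): 94, (6, 18): 36, (7, 0): 13}
FIRST_AFFECTED = (5, 17)        # "Version 5.17 is affected"
FIRST_CLEAN_MAINLINE = (7, 1)   # "unaffected from 7.1 to *"


def parse_release(release):
    """Turn a `uname -r` style string into (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def cve_2026_53272_status(release):
    """Classify an upstream kernel version against the record's ranges."""
    major, minor, patch = parse_release(release)
    branch = (major, minor)
    if branch < FIRST_AFFECTED:
        return "unaffected"     # older than the first affected version
    if branch == FIRST_CLEAN_MAINLINE and "-rc" in release:
        return "unknown"        # a 7.1 release candidate may predate the fix
    if branch >= FIRST_CLEAN_MAINLINE:
        return "unaffected"     # 7.1 and later are listed as unaffected
    fixed_patch = FIXED_IN_BRANCH.get(branch)
    if fixed_patch is None:
        return "affected"       # no fixed release listed for this branch
    return "unaffected" if patch >= fixed_patch else "affected"


if __name__ == "__main__":
    import platform
    # Constructed examples: "6.12.93" -> affected, "6.12.94-1-amd64" -> unaffected
    print(platform.release(), cve_2026_53272_status(platform.release()))
```

Vendor kernels backport both features and fixes without changing the upstream version number, so treat the result as upstream-version triage and confirm against the distribution's own advisory.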

References