DEBIAN-CVE-2026-23224
In the Linux kernel, the following vulnerability has been resolved:

erofs: fix UAF issue for file-backed mounts w/ directio option

    [ 9.269940][ T3222] Call trace:
    [ 9.269948][ T3222] ext4_file_read_iter+0xac/0x108
    [ 9.269979][ T3222] vfs_iocb_iter_read+0xac/0x198
    [ 9.269993][ T3222] erofs_fileio_rq_submit+0x12c/0x180
    [ 9.270008][ T3222] erofs_fileio_submit_bio+0x14/0x24
    [ 9.270030][ T3222] z_erofs_runqueue+0x834/0x8ac
    [ 9.270054][ T3222] z_erofs_read_folio+0x120/0x220
    [ 9.270083][ T3222] filemap_read_folio+0x60/0x120
    [ 9.270102][ T3222] filemap_fault+0xcac/0x1060
    [ 9.270119][ T3222] do_pte_missing+0x2d8/0x1554
    [ 9.270131][ T3222] handle_mm_fault+0x5ec/0x70c
    [ 9.270142][ T3222] do_page_fault+0x178/0x88c
    [ 9.270167][ T3222] do_translation_fault+0x38/0x54
    [ 9.270183][ T3222] do_mem_abort+0x54/0xac
    [ 9.270208][ T3222] el0_da+0x44/0x7c
    [ 9.270227][ T3222] el0t_64_sync_handler+0x5c/0xf4
    [ 9.270253][ T3222] el0t_64_sync+0x1bc/0x1c0

EROFS may encounter above panic when enabling file-backed mount w/ directio mount option, the root cause is it may suffer UAF in below race condition:

    - z_erofs_read_folio                      wq s_dio_done_wq
     - z_erofs_runqueue
      - erofs_fileio_submit_bio
       - erofs_fileio_rq_submit
        - vfs_iocb_iter_read
         - ext4_file_read_iter
          - ext4_dio_read_iter
           - iomap_dio_rw
           : bio was submitted and return -EIOCBQUEUED
                                              - dio_aio_complete_work
                                               - dio_complete
                                                - dio->iocb->ki_complete (erofs_fileio_ki_complete())
                                                 - kfree(rq)
                                                 : it frees iocb, iocb.ki_filp can be UAF in file_accessed().
           - file_accessed
           : access NULL file point

Introduce a reference count in struct erofs_fileio_rq, and initialize it as two, both erofs_fileio_ki_complete() and erofs_fileio_rq_submit() will decrease reference count, the last one decreasing the reference count to zero will free rq.
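The two-owner reference count described in the fix, shown as an added userspace model that is not the kernel patch or any code from the erofs project. The names rq_model, rq_put and model_submit are hypothetical, and the two race orderings are replayed sequentially rather than with real threads.

```c
/* Userspace model of the two-owner refcount; not kernel code. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct rq_model {            /* hypothetical stand-in for struct erofs_fileio_rq */
    atomic_int ref;          /* one reference per owner: submitter + completion */
    int filp;                /* stands in for iocb.ki_filp */
};

static int frees;            /* how many times the request was released */
static int last_dropper;     /* 1 = submit path, 2 = completion path */

static void rq_put(struct rq_model *rq, int who)
{
    /* atomic_fetch_sub returns the old value: 1 means this was the last ref */
    if (atomic_fetch_sub(&rq->ref, 1) == 1) {
        frees++;
        last_dropper = who;
        free(rq);
    }
}

/* completes_early: the completion callback runs before the submitter is done */
static int model_submit(bool completes_early)
{
    struct rq_model *rq = malloc(sizeof(*rq));
    if (!rq)
        return -1;
    atomic_init(&rq->ref, 2);
    rq->filp = 42;           /* constructed sample value */
    frees = 0;
    last_dropper = 0;
    if (completes_early)
        rq_put(rq, 2);       /* completion wins the race; rq must survive */
    int seen = rq->filp;     /* the access that was a use-after-free before */
    rq_put(rq, 1);           /* submitter drops its own reference */
    if (!completes_early)
        rq_put(rq, 2);       /* late completion is the one that frees */
    return seen;
}

int main(void)
{
    for (int early = 0; early <= 1; early++) {
        int seen = model_submit(early);
        printf("early=%d seen=%d frees=%d freed_by=%d\n", early, seen, frees, last_dropper);
    }
    return 0;
}
```

In both orderings the request is freed exactly once, by whichever path drops the last reference, so the submitter's read after submission never touches freed memory.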
References
https://security-tracker.debian.org/tracker/CVE-2026-23224
