{"id":"CVE-2026-53129","summary":"fs/mbcache: cancel shrink work before destroying the cache","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nfs/mbcache: cancel shrink work before destroying the cache\n\nmb_cache_destroy() calls shrinker_free() and then frees all cache\nentries and the cache itself, but it does not cancel the pending\nc_shrink_work work item first.\n\nIf mb_cache_entry_create() schedules c_shrink_work via schedule_work()\nand the work item is still pending or running when mb_cache_destroy()\nruns, mb_cache_shrink_worker() will access the cache after its memory\nhas been freed, causing a use-after-free.\n\nThis is only reachable by a privileged user (root or CAP_SYS_ADMIN)\nwho can trigger the last put of a mounted ext2/ext4/ocfs2 filesystem.\n\nCancel the work item with cancel_work_sync() before calling\nshrinker_free(), ensuring the worker has finished and will not be\nrescheduled before the cache is torn down.","modified":"2026-06-25T04:05:21.234632407Z","published":"2026-06-24T16:30:56.562Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53129.json","cna_assigner":"Linux"},"references":[{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"},{"type":"WEB","url":"https://git.kernel.org/stable/c/0e4eff315d799f5842b95872199b0f0fb8ef5f51"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a88d39a74a208e197c03bffaa2df34de732af19f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b25fd3523bef88fb7ffd4c5b63bbe9c08f73bb4c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d227786ab1119669df4dc333a61510c52047cce4"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53129.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53129"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"c2f3140fe2eceb3a6c1615b2648b9471544881c6"},{"fixed":"a88d39a74a208e197c03bffaa2df34de732af19f"},{"fixed":"0e4eff315d799f5842b95872199b0f0fb8ef5f51"},{"fixed":"b25fd3523bef88fb7ffd4c5b63bbe9c08f73bb4c"},{"fixed":"d227786ab1119669df4dc333a61510c52047cce4"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-53129.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.6.0"},{"fixed":"6.12.91"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.33"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"7.0.10"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-53129.json"}}],"schema_version":"1.7.5"}