الثغرات ›

CVE-2026-31580

مرتفع

CWE-416 — نوع الضعف

                    نُشر: Apr 24, 2026                      ·  آخر تحديث: May 1, 2026                      ·  المصدر: NVD                

CVSS v3

7.8

🔗 NVD الرسمي

📄 الوصف (الإنجليزية)

In the Linux kernel, the following vulnerability has been resolved:

bcache: fix cached_dev.sb_bio use-after-free and crash

In our production environment, we have received multiple crash reports
regarding libceph, which have caught our attention:

```
[6888366.280350] Call Trace:
[6888366.280452] blk_update_request+0x14e/0x370
[6888366.280561] blk_mq_end_request+0x1a/0x130
[6888366.280671] rbd_img_handle_request+0x1a0/0x1b0 [rbd]
[6888366.280792] rbd_obj_handle_request+0x32/0x40 [rbd]
[6888366.280903] __complete_request+0x22/0x70 [libceph]
[6888366.281032] osd_dispatch+0x15e/0xb40 [libceph]
[6888366.281164] ? inet_recvmsg+0x5b/0xd0
[6888366.281272] ? ceph_tcp_recvmsg+0x6f/0xa0 [libceph]
[6888366.281405] ceph_con_process_message+0x79/0x140 [libceph]
[6888366.281534] ceph_con_v1_try_read+0x5d7/0xf30 [libceph]
[6888366.281661] ceph_con_workfn+0x329/0x680 [libceph]
```

After analyzing the coredump file, we found that the address of
dc->sb_bio has been freed. We know that cached_dev is only freed when it
is stopped.

Since sb_bio is a part of struct cached_dev, rather than an alloc every
time. If the device is stopped while writing to the superblock, the
released address will be accessed at endio.

This patch hopes to wait for sb_write to complete in cached_dev_free.

It should be noted that we analyzed the cause of the problem, then tell
all details to the QWEN and adopted the modifications it made.

🤖 ملخص AI

A use-after-free vulnerability in the Linux kernel's bcache subsystem allows a crash when a cached device is stopped while superblock write operations are in progress. The vulnerability occurs because the sb_bio structure is freed as part of cached_dev deallocation while still being accessed by pending I/O completion handlers. This affects systems using bcache for caching, particularly in high-performance storage environments common in Saudi data centers and cloud infrastructure.

📄 الوصف (العربية)

🤖 التحليل الذكي آخر تحليل: Apr 29, 2026 08:48

🇸🇦 التأثير على المملكة العربية السعودية

This vulnerability primarily impacts Saudi organizations operating high-performance storage infrastructure: (1) ARAMCO and energy sector data centers using bcache for storage optimization; (2) Saudi Telecom (STC) and other telecom providers managing large-scale storage systems; (3) Government agencies and NCA infrastructure relying on Linux-based storage solutions; (4) Banking sector institutions (SAMA-regulated) using Linux servers for transaction processing and data storage; (5) Cloud service providers offering IaaS solutions to Saudi enterprises. System crashes in production environments can lead to service disruptions, data loss, and compliance violations under SAMA CSF and NCA ECC frameworks.

🏢 القطاعات السعودية المتأثرة

Energy (ARAMCO, oil & gas operations) Telecommunications (STC, Mobily, Zain) Banking and Financial Services (SAMA-regulated) Government and Public Administration (NCA oversight) Cloud Service Providers Data Centers and Hosting Providers Healthcare Systems

🎯 تقنيات MITRE ATT&CK

T1499 - Service Exhaustion Denial of Service (system crashes) T1561 - Disk Wipe (potential data loss from uncontrolled shutdowns) T1529 - System Shutdown/Reboot (unplanned system restarts)

⚖️ درجة المخاطر السعودية (AI)

7.2

/ 10.0

🔧 Remediation Steps (English)

Immediate Actions:

1. Identify all systems running Linux kernel versions affected by bcache use-after-free vulnerability

2. Prioritize production storage systems, particularly those handling critical data

3. Review bcache configuration and disable if not essential to operations



Patching Guidance:

1. Apply the latest Linux kernel patch that includes the fix for cached_dev.sb_bio use-after-free

2. Ensure the patch includes proper synchronization in cached_dev_free() to wait for sb_write completion

3. Test patches in non-production environments before deployment

4. Schedule maintenance windows for kernel updates on production systems



Compensating Controls (if immediate patching not possible):

1. Implement monitoring for bcache-related kernel panics and crashes

2. Configure automatic system restart on kernel panic to minimize downtime

3. Disable bcache on non-critical systems until patches are applied

4. Increase monitoring frequency for storage I/O operations



Detection Rules:

1. Monitor kernel logs for bcache-related use-after-free errors and NULL pointer dereferences

2. Alert on unexpected kernel panics involving blk_update_request or rbd modules

3. Track cached_dev allocation and deallocation events

4. Monitor for abnormal I/O completion handler failures

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تحديد جميع الأنظمة التي تعمل بإصدارات نواة Linux المتأثرة بثغرة bcache

2. إعطاء الأولوية لأنظمة التخزين الإنتاجية، خاصة تلك التي تتعامل مع البيانات الحرجة

3. مراجعة إعدادات bcache وتعطيلها إذا لم تكن ضرورية للعمليات

إرشادات التصحيح:

1. تطبيق أحدث تصحيح نواة Linux يتضمن إصلاح ثغرة use-after-free في cached_dev.sb_bio

2. التأكد من أن التصحيح يتضمن المزامنة الصحيحة في cached_dev_free() للانتظار لإكمال sb_write

3. اختبار التصحيحات في بيئات غير الإنتاج قبل النشر

4. جدولة نوافذ الصيانة لتحديثات النواة على الأنظمة الإنتاجية

الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):

1. تنفيذ المراقبة لأعطال النواة المتعلقة بـ bcache والأعطال

2. تكوين إعادة تشغيل النظام التلقائية عند حدوث panic في النواة

3. تعطيل bcache على الأنظمة غير الحرجة حتى يتم تطبيق التصحيحات

4. زيادة تكرار المراقبة لعمليات I/O للتخزين

قواعد الكشف:

1. مراقبة سجلات النواة لأخطاء use-after-free المتعلقة بـ bcache والمؤشرات الفارغة

2. التنبيه على حالات panic غير المتوقعة في النواة التي تتضمن blk_update_request أو وحدات rbd

3. تتبع أحداث تخصيص وتحرير cached_dev

4. مراقبة أعطال معالجات إكمال I/O غير الطبيعية

📋 خريطة الامتثال التنظيمي

🟢 NCA ECC 2024

ECC 2024 A.12.6.1 - Management of technical vulnerabilities in systems ECC 2024 A.12.2.1 - System hardening and patch management ECC 2024 A.12.1.2 - Change management procedures for system updates

🔵 SAMA CSF

ID.RA-1 - Asset management and vulnerability identification PR.IP-12 - System and information integrity monitoring DE.CM-8 - Vulnerability scans and patch management

🟡 ISO 27001:2022

A.12.6.1 - Management of technical vulnerabilities A.14.2.1 - Change management procedures A.12.2.1 - Installation of software on operational systems

🟣 PCI DSS v4.0.1

Requirement 6.2 - Security patches and updates Requirement 11.2 - Vulnerability scanning

🔗 المراجع والمصادر 6

🔗

https://git.kernel.org/stable/c/2d6965581e164fa2ba3f7652ddae5535f6336576

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Patch

🔗

https://git.kernel.org/stable/c/383f7fec0de8cee1cf7ae1f9d9f14044a61f10f9

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Patch

🔗

https://git.kernel.org/stable/c/47fa09fe7f3e09df28a51cb2cbd8f5d2f7f6edc1

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Patch

🔗

https://git.kernel.org/stable/c/4f71c8ba2dc009042493021d94a9718fbe2ebf27

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Patch

🔗

https://git.kernel.org/stable/c/add4982510f3b7c318a2dd7438bdc9c63171e753

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Patch

🔗

https://git.kernel.org/stable/c/fec114a98b8735ee89c75216c45a78e28be0f128

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Patch

📦 المنتجات المتأثرة 5 منتج

linux:linux_kernel

📊 CVSS Score

7.8

/ 10.0 — مرتفع

📊 CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack VectorL — Low / Local

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 حقائق سريعة

الخطورة مرتفع

CVSS Score7.8

CWECWE-416

EPSS0.01%

اختراق متاح لا

تصحيح متاح ✓ نعم

تاريخ النشر 2026-04-24

المصدر nvd

المشاهدات 2

🇸🇦 درجة المخاطر السعودية

7.2

/ 10.0 — مخاطر السعودية

أولوية: HIGH

🏷️ الوسوم

patch-available CWE-416

⚡ إجراءات

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 التعليقات

جارٍ التحميل

CVE-2026-31580

💬 التعليقات

عرّفنا بنفسك

تسجيل الدخول مطلوب