CVE-2026-31453 | xfs: avoid dereferencing log items after push callbacks

In the Linux kernel, the following vulnerability has been resolved: xfs: avoid dereferencing log items after push callbacks After xfsaild_push_item() calls iop_push(), the log item may have been freed if the AIL lock was dropped during the push. Background inode reclaim or the dquot shrinker can free the log item while the AIL lock is not held, and the tracepoints in the switch statement dereference the log item after iop_push() returns. Fix this by capturing the log item type, flags, and LSN before calling xfsaild_push_item(), and introducing a new xfs_ail_push_class trace event class that takes these pre-captured values and the ailp pointer instead of the log item pointer.

Published: 2026-04-22 Last update: 2026-05-06 Assigner: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

NVD Status：Analyzed，CVE State: published

View at NVD, CVE.org, EUVD

Threat Intelligence & Risk Assessment for CVE-2026-31453

EPSS CVSS CWE GHSA Affected OS Tracker

Conclusion & alert: CVE-2026-31453 is rated Low Risk (32.3/100): CVSS High severity, with low exploitation likelihood (EPSS 0.13%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2026-31453

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	0.02%	0.13%	+0.10%
2	2026-04-23	—	0.02%	—

Full EPSS history (2 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2026-31453

CVSS metrics for this CVE.

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
7.8	3.1	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` Click to expand Attack vector (AV:L) They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	1.8	5.9	416baaa9-dc9f-4396-8d5f-8c081fb06d67

Weakness enumeration for CVE-2026-31453

CWE-476 MITRE ↗

GitHub Security Advisory for CVE-2026-31453

GHSA-h88h-485v-q9qv · Severity: high — In the Linux kernel, the following vulnerability has been resolved: xfs: avoid dereferencing log...

OS Trackers for CVE-2026-31453

vendor	priority	summary	link
`debian`	not yet assigned	CVE-2026-31453 not yet assigned priority: Debian including 2 source packages (linux, linux-6.1), 6 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5, open 1.	https://security-tracker.debian.org/tracker/CVE-2026-31453
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2026-31453
`suse`	medium	CVE-2026-31453 severity moderate: SUSE including 16 source package names (cluster-md-kmp-default, dlm-kmp-default, …), 58 product×package rows across 12 product lines (SUSE Linux Enterprise Live Patching 12 SP5, SUSE Linux Enterprise Micro 5.0, … (12 product lines)): Known Not Affected 58.	https://www.suse.com/security/cve/CVE-2026-31453/
`ubuntu`	medium	CVE-2026-31453 medium priority: Ubuntu including 161 source packages (linux, linux-allwinner-5.19, …), 1449 status rows across 9 suites (bionic, focal, jammy, noble, questing, resolute, trusty, upstream, xenial): DNE 1048, ignored 169, needed 88, released 83, not-affected 57, needs-triage 4.	https://ubuntu.com/security/CVE-2026-31453

Affected software / configurations for CVE-2026-31453

Vendor	Product	Version	Raw CPE
linux	linux_kernel	>= 5.9, < 6.1.168	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.2, < 6.6.131	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.7, < 6.12.80	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.13, < 6.18.21	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.19, < 6.19.11	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	7.0	cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::
linux	linux_kernel	7.0	cpe:2.3:o:linux:linux_kernel:7.0:rc2::::::
linux	linux_kernel	7.0	cpe:2.3:o:linux:linux_kernel:7.0:rc3::::::
linux	linux_kernel	7.0	cpe:2.3:o:linux:linux_kernel:7.0:rc4::::::
linux	linux_kernel	7.0	cpe:2.3:o:linux:linux_kernel:7.0:rc5::::::

References for CVE-2026-31453

URL	Tags
https://git.kernel.org/stable/c/451c6329d9afa45862c36fe6677eb7750db60617	Patch
https://git.kernel.org/stable/c/7121b22b0bac89394cc4c6a54b5aebc15347bdf5	Patch
https://git.kernel.org/stable/c/79ef34ec0554ec04bdbafafbc9836423734e1bd6	Patch
https://git.kernel.org/stable/c/95fb5d643cc70959baa54cd17f52f80ffc3295e7	Patch
https://git.kernel.org/stable/c/c4d603e8e58a3bf35480135ccca2b4f7238abda5	Patch
https://git.kernel.org/stable/c/c8a2ab339b88d10fc34a3318c92f07d8a467019d	Patch

cvelogic Threat Intelligence