Use-After-Free Vulnerability in Linux Kernel's EROFS Filesystem
CVE-2026-53272

Currently unrated

Key Information:

Vendor

Linux

Status
Vendor
CVE Published:
25 June 2026

What is CVE-2026-53272?

A use-after-free vulnerability exists in the Linux kernel's EROFS (Enhanced Read-Only File System) implementation, in the way z_erofs_decompress_kickoff hands off decompression work. The race occurs when the filesystem is unmounted while I/O is still in flight: z_erofs_decompress_kickoff queues the decompression work asynchronously, so the filesystem state can be freed before that queued work has run. When the worker finally executes, it dereferences a pointer into memory that has already been freed. The advisory rates the impact as a potential denial of service or, in the worst case, arbitrary code execution in the kernel. The affected range runs from the commit that introduced the asynchronous path up to the fix commits listed below, so a kernel is vulnerable whenever it carries the first hash without the corresponding fix.
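The following is an added example, not code from the kernel or from this advisory. It models the ordering problem described above in user space: a fixed-size deferred-work queue stands in for the kernel workqueue, and "freeing" the filesystem state poisons a magic value instead of releasing memory, so the dangling access is observable without an actual crash. All names (fs_state, decompress_work, scenario_*) are assumptions chosen for the model. The vulnerable ordering is shown beside the two usual fix patterns: flushing pending work before teardown, and making the queued work hold a reference on the state.

```c
#include <stdio.h>

#define MAGIC_LIVE  0x45524f46u   /* "EROF": state is valid */
#define MAGIC_FREED 0x6b6b6b6bu   /* mimics the 0x6b SLUB free poison */
#define MAX_WORK    8

/* Hypothetical stand-in for the per-superblock state the queued work touches. */
struct fs_state {
    unsigned magic;
    int refcount;
    int blocks_decompressed;
};

struct work_item {
    void (*fn)(struct fs_state *);
    struct fs_state *arg;
};

/* A fixed-size deferred-work queue standing in for the kernel workqueue. */
static struct work_item workqueue[MAX_WORK];
static int work_head, work_tail;
static int uaf_detected;   /* accesses to poisoned (freed) state seen by the worker */

static void reset_model(void) { work_head = work_tail = 0; uaf_detected = 0; }

static void queue_work(void (*fn)(struct fs_state *), struct fs_state *st)
{
    if (work_tail < MAX_WORK)
        workqueue[work_tail++] = (struct work_item){ fn, st };
}

/* Runs every pending item: models the worker thread finally being scheduled. */
static void run_workqueue(void)
{
    while (work_head < work_tail) {
        struct work_item w = workqueue[work_head++];
        w.fn(w.arg);
    }
}

/* Models kfree(): poison instead of free so the dangling access is observable. */
static void fs_state_free(struct fs_state *st) { st->magic = MAGIC_FREED; }

static void fs_state_put(struct fs_state *st)
{
    if (--st->refcount == 0)   /* real kernel code would use an atomic refcount_t */
        fs_state_free(st);
}

/* The deferred decompression work; it needs the filesystem state to be alive. */
static void decompress_work(struct fs_state *st)
{
    if (st->magic != MAGIC_LIVE) { uaf_detected++; return; }   /* dangling pointer */
    st->blocks_decompressed++;
}

/* Same work, but it owns a reference taken at kickoff and drops it when done. */
static void decompress_work_ref(struct fs_state *st)
{
    decompress_work(st);
    fs_state_put(st);
}

/* Vulnerable ordering: async kickoff, then unmount frees state while work is
 * still pending. Returns the number of dangling accesses observed. */
int scenario_vulnerable(void)
{
    struct fs_state st = { MAGIC_LIVE, 1, 0 };   /* stack-allocated for the model */
    reset_model();
    queue_work(decompress_work, &st);   /* kickoff defers the work */
    fs_state_free(&st);                 /* unmount tears the state down too early */
    run_workqueue();                    /* worker runs against freed memory */
    return uaf_detected;
}

/* Fix A: unmount flushes pending work before freeing. Returns 1 on success. */
int scenario_flush(void)
{
    struct fs_state st = { MAGIC_LIVE, 1, 0 };
    reset_model();
    queue_work(decompress_work, &st);
    run_workqueue();                    /* flush pending work before teardown */
    fs_state_free(&st);
    return uaf_detected == 0 && st.blocks_decompressed == 1;
}

/* Fix B: the queued work holds a reference; whoever drops the last one frees. */
int scenario_refcount(void)
{
    struct fs_state st = { MAGIC_LIVE, 1, 0 };
    reset_model();
    st.refcount++;                      /* kickoff takes a reference for the work */
    queue_work(decompress_work_ref, &st);
    fs_state_put(&st);                  /* unmount drops its own reference only */
    run_workqueue();                    /* work completes and drops the last one */
    return uaf_detected == 0 && st.blocks_decompressed == 1 && st.magic == MAGIC_FREED;
}

int main(void)
{
    printf("vulnerable: dangling accesses = %d\n", scenario_vulnerable());
    printf("flush fix ok = %d\n", scenario_flush());
    printf("refcount fix ok = %d\n", scenario_refcount());
    return 0;
}
```

The flush variant is simplest but blocks unmount until every queued item has run; the reference-count variant lets unmount return immediately and makes the last user responsible for freeing, which is the pattern to reach for when the work cannot be cancelled or waited on cheaply. On a real kernel, building with KASAN turns the poisoned-magic check in this model into an immediate report of the freed-memory access.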

Affected Version(s)

Ranges are given as git commits: vulnerable from the introducing commit up to, but not including, the fix commit.

  • Linux: from 40452ffca3c1a0f2994e826f9fa213b107f1a2d4 before 86ab00cf81d44b675bb23db62b88fd76c8ac8cea

  • Linux: from 40452ffca3c1a0f2994e826f9fa213b107f1a2d4 before 00bf6868df65fa95b3854996246d15759fdc7070

  • Linux: from 40452ffca3c1a0f2994e826f9fa213b107f1a2d4 before 95caf60da33d87ed26c28993620f0d92487b0296

Timeline

  • Vulnerability published

  • Vulnerability Reserved
