CVE-2026-22995

Name of the Vulnerable Software and Affected Versions Linux Kernel (affected versions not specified)

Description A race condition can lead to a use-after-free issue within the ublk subsystem. Specifically, the vulnerability occurs between the asynchronous partition scan work and device teardown, potentially dereferencing a freed disk object (ub->ub disk). This happens when the partition scan work worker attempts to access ub->ub disk after it has been set to NULL or freed during device teardown. The issue arises from a lack of proper synchronization between the partition scan work and the device detachment process. The fix involves using ublk get disk() and ublk put disk() to maintain a reference to the disk within the worker, ensuring it either obtains a valid reference or exits early if the disk is no longer available. Additionally, flush work() has been changed to cancel work sync() to prevent unnecessary execution of the partition scan work when the disk is detached.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.